Sip with local clients, proxy on internet, The service object for ip rules – Amer Networks E5Web GUI User Manual
Page 416

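| Action         | Src Interface | Src Network | Dest Interface | Dest Network        |
|----------------|---------------|-------------|----------------|---------------------|
| Allow (or NAT) | lan           | lan_net     | wan            | ip_proxy            |
| Allow          | wan           | ip_proxy    | lan (or core)  | lan_net (or wan_ip) |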
Without the Record-Route option enabled, the IP rules would be as shown below. The changes
that apply when NAT is used are again shown in parentheses "(..)".
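| Action         | Src Interface | Src Network | Dest Interface | Dest Network       |
|----------------|---------------|-------------|----------------|--------------------|
| Allow (or NAT) | lan           | lan_net     | wan            |                    |
| Allow          | wan           |             | lan (or core)  | lan_net (or ipwan) |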
The advantage of using Record-Route is clear: without it, the destination network for outgoing
traffic and the source network for incoming traffic have to include all IP addresses that are
possible.
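The following is an added example, not taken from the manual: it models both rule tables above (non-NAT variant) in Python and checks constructed flows against them, to show how much wider the wan-side rule becomes without Record-Route. Assumptions: lan_net and ip_proxy reuse the addresses Example 6.4 gives for if1_net and proxy_ip, 0.0.0.0/0 stands in for "all IP addresses that are possible", and unmatched flows are dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed address objects; values borrowed from this page's Example 6.4.
LAN_NET = ip_network("192.168.1.0/24")   # stands in for lan_net
IP_PROXY = ip_network("81.100.55.2/32")  # stands in for ip_proxy
ALL_IPS = ip_network("0.0.0.0/0")        # assumption: "all IP addresses that are possible"

# (action, src_if, src_net, dest_if, dest_net), non-NAT variant of each table.
WITH_RECORD_ROUTE = [
    ("Allow", "lan", LAN_NET, "wan", IP_PROXY),
    ("Allow", "wan", IP_PROXY, "lan", LAN_NET),
]
WITHOUT_RECORD_ROUTE = [
    ("Allow", "lan", LAN_NET, "wan", ALL_IPS),
    ("Allow", "wan", ALL_IPS, "lan", LAN_NET),
]

def allowed(rules, src_if, src_ip, dest_if, dest_ip):
    """Return True if any rule matches the flow (assumed default: drop)."""
    src, dst = ip_address(src_ip), ip_address(dest_ip)
    return any(
        action == "Allow" and src_if == s_if and dest_if == d_if
        and src in s_net and dst in d_net
        for action, s_if, s_net, d_if, d_net in rules
    )

def exposure(rules, iface="wan"):
    """Count the source addresses a rule set accepts on the given interface."""
    return sum(s_net.num_addresses for _, s_if, s_net, _, _ in rules if s_if == iface)

# Constructed flows: (label, src_if, src_ip, dest_if, dest_ip)
FLOWS = [
    ("client -> proxy", "lan", "192.168.1.10", "wan", "81.100.55.2"),
    ("proxy -> client", "wan", "81.100.55.2", "lan", "192.168.1.10"),
    ("other host -> client", "wan", "203.0.113.7", "lan", "192.168.1.10"),
]

if __name__ == "__main__":
    for name, rules in (("with Record-Route", WITH_RECORD_ROUTE),
                        ("without Record-Route", WITHOUT_RECORD_ROUTE)):
        print(f"{name}: {exposure(rules)} source addresses accepted on wan")
        for label, *flow in FLOWS:
            print(f"  {label:22} {'allow' if allowed(rules, *flow) else 'drop'}")
```

The model covers only the interface and network columns of the tables; the Service object and the SIP ALG are left out.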
The Service object for IP rules
In this section, tables which list IP rules like those above will omit the Service object
associated with the rule. The same custom Service object is used for all SIP scenarios.
Example 6.4. SIP with Local Clients, Proxy on Internet
This example shows the exact steps to implement Scenario 1 which is described above. The local
network topology is hidden using NAT. The proxy server lies on the external, unprotected side of
the Clavister Security Gateway.
The client is assumed to be on the network if1_net connected to the interface if1. The SIP proxy is
assumed to be on the IP address proxy_ip on the interface ext.
InControl
Follow the same steps used for the Web Interface below.
Web Interface
A. Define the following IP objects:
• if1_net: 192.168.1.0/24 (the internal network)
• proxy_ip: 81.100.55.2 (the SIP proxy)
• ip_wan: 81.100.55.1 (the Clavister Security Gateway's public IPv4 address)
B. Define an SIP ALG object
1. Go to: Objects > ALG > Add > SIP ALG
Chapter 6: Security Mechanisms