Amer Networks E5Web GUI User Manual

Page 419

Type set to TCP/UDP

3. Define three rules in the IP rule set:

A NAT rule for outbound traffic from the local proxy and the clients on the internal
network to the remote clients on, for example, the Internet. The SIP ALG will take care of
all address translation needed by the NAT rule. This translation will occur both on the IP
level and the application level. Neither the clients nor the proxies need to be aware that
the local clients are being NATed.

If Record-Route is enabled on the SIP proxy, the source network of the NAT rule can
include only the SIP proxy, and not the local clients.

A SAT rule for redirecting inbound SIP traffic to the private IPv4 address of the NATed
local proxy. This rule will have core as the destination interface (in other words, cOS Core
itself), since inbound traffic will be sent to the private IPv4 address of the SIP proxy.

An Allow rule which matches the same type of traffic as the SAT rule defined in the
previous step.

Name                      Action                Src Interface  Src Network         Dest Interface  Dest Network
OutboundFromProxyUsers    NAT                   lan            lan_net (ip_proxy)  wan             all-nets
InboundToProxyAndClients  SAT SETDEST ip_proxy  wan            all-nets            core            wan_ip
InboundToProxyAndClients  Allow                 wan            all-nets            core            wan_ip

If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be
further restricted in the above rules by using "ip_proxy" as indicated.

When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP
request to the proxy server. The proxy will in turn, forward the request to its final destination
which is the client.

If Record-Route is disabled at the proxy server, and depending on the state of the SIP session, the
SIP ALG may forward inbound SIP messages directly to the client, bypassing the SIP proxy. This
will happen automatically without further configuration.
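The following is an added example, not part of the manual: a minimal first-match model of the Solution A rule set. It shows why the SAT rule needs the second Allow rule matching the same traffic, and what restricting the outbound source network to ip_proxy (the Record-Route case) changes. The address values are constructed; the manual only names the objects.

```python
# Added example (not from the manual): first-match model of the Solution A rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values for the address objects named in the manual.
OBJECTS = {
    "lan_net": ip_network("10.0.0.0/24"),
    "ip_proxy": ip_network("10.0.0.5/32"),
    "wan_ip": ip_network("203.0.113.10/32"),
    "all-nets": ip_network("0.0.0.0/0"),
}

@dataclass
class Rule:
    name: str
    action: str          # "Allow", "NAT" or "SAT"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    sat_dest: str = ""   # object used by SAT SETDEST

def solution_a(record_route=False):
    """Solution A rules; with Record-Route the outbound source is only ip_proxy."""
    src = "ip_proxy" if record_route else "lan_net"
    return [
        Rule("OutboundFromProxyUsers", "NAT", "lan", src, "wan", "all-nets"),
        Rule("InboundToProxyAndClients", "SAT", "wan", "all-nets", "core", "wan_ip",
             sat_dest="ip_proxy"),
        Rule("InboundToProxyAndClients", "Allow", "wan", "all-nets", "core", "wan_ip"),
    ]

def matches(rule, src_if, src_ip, dst_if, dst_ip):
    return (rule.src_if == src_if and rule.dst_if == dst_if
            and src_ip in OBJECTS[rule.src_net] and dst_ip in OBJECTS[rule.dst_net])

def evaluate(rules, src_if, src_ip, dst_if, dst_ip):
    """Walk the rules in order. A SAT hit only records the new destination;
    the lookup continues, still matching on the original packet, until a
    non-SAT rule (Allow/NAT) permits it. Returns (verdict, final destination)."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    new_dst = dst_ip
    for rule in rules:
        if not matches(rule, src_if, src_ip, dst_if, dst_ip):
            continue
        if rule.action == "SAT":
            new_dst = OBJECTS[rule.sat_dest].network_address
            continue  # SAT alone never permits traffic
        return rule.action, str(new_dst)
    return "Drop", str(new_dst)
```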

Solution B - Without NAT

Without NAT, the outbound NAT rule is replaced by an Allow rule. The inbound SAT and Allow
rules are replaced by a single Allow rule.

Name                    Action  Src Interface  Src Network         Dest Interface  Dest Network
OutboundFromProxy&Clients  Allow   lan            lan_net (ip_proxy)  wan             all-nets
InboundToProxy&Clients     Allow   wan            all-nets            lan             lan_net (ip_proxy)

If Record-Route is enabled then the networks in the above rules can be further restricted by using
"(ip_proxy)" as indicated.

Scenario 3: Protecting proxy and local clients - Proxy on the DMZ interface

Chapter 6: Security Mechanisms
