beautypg.com

Amer Networks E5Web GUI User Manual

Page 421

background image

well as a setup without NAT (Solution B below).

Solution A - Using NAT

The following should be noted about this setup:

The IP address of the SIP proxy must be a globally routable IP address. The Clavister Security
Gateway does not support hiding of the proxy on the DMZ.

The IP address of the DMZ interface must be a globally routable IP address. This address can
be the same address as the one used on the external interface.

The setup steps are as follows:

1.

Define a single SIP ALG object using the options described above.

2.

Define a Service object which is associated with the SIP ALG object. The service should have:

Destination Port set to 5060 (the default SIP signalling port)

Type set to TCP/UDP

3.

Define four rules in the IP rule set:

A NAT rule for outbound traffic from the clients on the internal network to the proxy
located on the DMZ interface. The SIP ALG will take care of all address translation
needed by the NAT rule. This translation will occur both at the IP level and at the
application level.

Note

Clients registering with the proxy on the DMZ will have the IP address of the
DMZ interface as the contact address.

An Allow rule for outbound traffic from the proxy behind the DMZ interface to the
remote clients on the Internet.

An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the
IP address of the Clavister Security Gateway. This rule will have core (in other words, cOS
Core itself ) as the destination interface.

The reason for this is because of the NAT rule above. When an incoming call is received,
cOS Core automatically locates the local receiver, performs address translation and
forwards SIP messages to the receiver. This is done based on the SIP ALG's internal state.

An Allow rule for inbound traffic from, for example the Internet, to the proxy behind the
DMZ.

4.

If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
allowed between clients, bypassing the proxy. The following additional rules are therefore
needed when Record-Route is disabled:

A NAT rule for outbound traffic from the clients on the internal network to the external
clients and proxies on, for example, the Internet. The SIP ALG will take care of all address
translation needed by the NAT rule. The translation will occur both at the IP level and the
application level.

An Allow rule for inbound SIP traffic from, for example the Internet, to the IP address of
the DMZ interface. The reason for this is because local clients will be NATed using the IP
address of the DMZ interface when they register with the proxy located on the DMZ.

Chapter 6: Security Mechanisms

421

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: