Configuring alg, Alg process – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

282

Configuring ALG

Application Level Gateway (ALG) processes the payload information of application layer packets to

make sure data connections can be established.
Usually, NAT translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols might contain IP

address or port information, which might cause problems if not translated. For example, an FTP

application involves both data connection and control connection, and data connection establishment

dynamically depends on the payload information of the control connection.
ALG can work with NAT and ASPF to implement the following functions:

•

Address translation—Resolves the source IP address, port, protocol type (TCP or UDP), and remote
IP address information in packet payloads.

•

Data connection detection—Extracts information required for data connection establishment and
establishing data connections for data exchange.

•

Application layer status checking—Inspects the status of the application layer protocol in packets.
Packets with correct states have their status updated and are sent for further processing, whereas

packets with incorrect states are dropped.

Support for these functions depends on the application layer protocol.
ALG can process the following protocol packets:

•

DNS

•

FTP

•

ILS

•

MSN/QQ

•

NBT

•

PPTP

•

RTSP

•

SCCP

•

SIP

•

SQLNET, a language in Oracle

•

TFTP

NOTE:

Support for ALG depends on the device model. For more information, see "

About the H3C Access

Controllers Web-Based Configuration Guide

."

ALG process

The following example describes the FTP operation of an ALG-enabled device.
As shown in

Figure 260

, the host on the external network accesses the FTP server on the internal network

in passive mode through the ALG-enabled device.