R3303-HP HSR6800 Routers Security Configuration Guide

Configuring ALG
Application Level Gateway (ALG) processes the payload information of application layer packets to
make sure data connections can be established.
Usually NAT translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols may contain IP
address or port information, which may cause problems if not translated. For example, an FTP
application involves both data connection and control connection, and data connection establishment
dynamically depends on the payload information of the control connection.
ALG can work with NAT and ASPF to implement the following functions:
Address translation—Resolves the source IP address, port, protocol type (TCP or UDP), and remote IP address information in packet payloads.
Data connection detection—Extracts the information required for data connection establishment and establishes data connections for data exchange.
Application layer status checking—Inspects the status of the application layer protocol in packets. Packets with correct states have their status updated and are sent for further processing, whereas packets with incorrect states are dropped.
Support for these functions depends on the application layer protocol.
ALG can process the following protocol packets:
DNS
FTP
GTP
H.323, including RAS, H.225, and H.245
ILS
MSN
NBT
PPTP
QQ
RTSP
SCCP
SIP
SQLNET, a language in Oracle
TFTP
ALG process
The following example describes the FTP operation of an ALG-enabled router.
As shown in Figure 117, the host on the external network accesses the FTP server on the internal network in passive mode through the ALG-enabled router.
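The following Python model is an added illustration, not code from this guide or from the router, of the three ALG functions listed above applied to the passive-mode FTP scenario: it rewrites the private address in the server's 227 reply, records the expected data connection for NAT, and drops a 227 reply that arrives without a preceding PASV command. The public address, port range and sample payloads are assumed values.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the FTP reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) carried in a 227 reply, or None if malformed."""
    m = PASV_RE.search(payload)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None  # out-of-range field: malformed, do not guess
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def format_pasv(ip: str, port: int) -> bytes:
    """Rebuild the 227 reply for the translated address and port."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return f"227 Entering Passive Mode ({','.join(fields)}).\r\n".encode()

class FtpAlg:
    """Minimal passive-mode FTP ALG in front of an internal FTP server (assumed model)."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pasv_pending = False  # application layer state of the control connection
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inspect_client_command(self, payload: bytes) -> bytes:
        """Track control-connection state; client commands pass unchanged."""
        self.pasv_pending = payload.strip().upper() == b"PASV"
        return payload

    def inspect_server_reply(self, payload: bytes) -> Optional[bytes]:
        """Translate a 227 reply; returns None when the packet is dropped."""
        if not payload.startswith(b"227"):
            return payload  # not a PASV reply: forward as is
        parsed = parse_pasv(payload)
        if parsed is None or not self.pasv_pending:
            return None  # malformed, or a 227 with no preceding PASV: drop
        private_ip, private_port = parsed
        public_port, self.next_port = self.next_port, self.next_port + 1
        # Record the expected data connection so NAT can map it when it arrives.
        self.pinholes[(self.public_ip, public_port)] = (private_ip, private_port)
        self.pasv_pending = False
        return format_pasv(self.public_ip, public_port)

    def lookup_data_connection(self, dst_ip: str, dst_port: int):
        return self.pinholes.get((dst_ip, dst_port))
```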