F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100
Table Of Contents
- Title Page
- Table of Contents
- Configuring NAT
- Overview
- Configuration guidelines
- Configuring NAT in the Web interface
- Recommended configuration procedure
- Creating an address pool
- Configuring dynamic NAT on an interface
- Creating a static address mapping
- Enabling static NAT on an interface
- Configuring an internal server
- Configuring ACL-based NAT on the internal server
- Configuring DNS mapping
- NAT configuration example
- Internal server configuration example
- Configuring NAT at the CLI
- NAT configuration task list
- Configuring static NAT
- Configuring dynamic NAT
- Configuring an internal server
- Configuring ACL-based NAT on an internal server
- Configuring DNS mapping
- Displaying and maintaining NAT
- One-to-one static NAT configuration example
- Dynamic NAT configuration example
- Common internal server configuration example
- NAT DNS mapping configuration example
- Troubleshooting NAT
- Configuring NAT-PT
- Feature and hardware compatibility
- Overview
- NAT-PT configuration task list
- Configuration prerequisites
- Enabling NAT-PT
- Configuring a NAT-PT prefix
- Configuring IPv4/IPv6 address mappings on the IPv6 side
- Configuring IPv4/IPv6 address mappings on the IPv4 side
- Setting the ToS field after NAT-PT translation
- Setting the traffic class field after NAT-PT translation
- Configuring static NAPT-PT mappings of IPv6 servers
- Displaying and maintaining NAT-PT
- NAT-PT configuration examples
- Troubleshooting NAT-PT
- NAT444
- Configuring ALG
- Support and other resources
- Index
55
4BConfiguring ALG
Application Level Gateway (ALG) processes the payload information of application layer packets to
make sure data connections can be established.
Usually NAT translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols may contain IP
address or port information, which may cause problems if not translated. For example, an FTP
application involves both data connection and control connection, and data connection establishment
dynamically depends on the payload information of the control connection.
ALG can work with NAT and ASPF to implement the following functions:
• Address translation—Resolves the source IP address, port, protocol type (TCP or UDP), and remote
IP address information in packet payloads.
• Data connection detection—Extracts information required for data connection establishment and
establishing data connections for data exchange.
• Application layer status checking—Inspects the status of the application layer protocol in packets.
Packets with correct states have their status updated and are sent for further processing, whereas
packets with incorrect states are dropped.
Support for these functions depends on the application layer protocol.
ALG can process the following protocol packets:
• DNS
• FTP
• GTP
• H.323, including RAS, H.225, and H.245
• ICMP
• ILS
• MSN
• NBT
• PPTP
• QQ
• RTSP
• RSH
• SCCP
• SIP
• SQLNET, a language in Oracle
• TFTP
When using ALG to process protocol packets, follow these guidelines:
• H.323 protocol packets cannot be forwarded at Layer 2 because the Layer 2 header is removed
from the H.323 fragmented packets in the cache.
• ALG can process RSH protocol packets only on enhanced firewall modules.