HP VPN Firewall Appliances NAT and ALG Configuration Guide

Configuring ALG
Application Level Gateway (ALG) processes the payload information of application layer packets to
make sure data connections can be established.
Usually NAT translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols might contain IP
address or port information, which can cause problems if not translated. For example, an FTP application
involves both data connection and control connection, and data connection establishment dynamically
depends on the payload information of the control connection.
ALG can work with NAT and ASPF to implement the following functions:
Address translation—Resolves the source IP address, port, protocol type (TCP or UDP), and remote
IP address information in packet payloads.
Data connection detection—Extracts the information required for data connection establishment and
establishes the data connections used for data exchange.
Application layer status checking—Inspects the status of the application layer protocol in packets.
Packets with correct states have their status updated and are sent for further processing, whereas
packets with incorrect states are dropped.
Support for these functions depends on the application layer protocol.
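The FTP case above (address and port information carried in the control-connection payload, and the data connection derived from it) is the simplest ALG to show in code. The following is an added example, not code from this guide or from the HP firewall: it rewrites an outbound FTP PORT command using a constructed NAT mapping, reports the public address the firewall must expect the server's data connection on, and drops segments whose state is incorrect (no NAT entry or malformed fields). The NAT table, addresses and function names are assumptions for the illustration.

```python
import re

# Constructed example mapping (not values from the guide): the firewall has
# translated private client 10.0.0.5:40001 to public 203.0.113.7:50001.
NAT_TABLE = {("10.0.0.5", 40001): ("203.0.113.7", 50001)}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_hostport(fields):
    """Decode the FTP h1,h2,h3,h4,p1,p2 fields into (ip, port), rejecting bad values."""
    nums = [int(x) for x in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host-port fields")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form."""
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def ftp_alg_rewrite_port(payload, nat_table=NAT_TABLE):
    """ALG step for one outbound FTP control-connection segment.

    Returns (new_payload, expected_data_connection):
      - a non-PORT line passes through unchanged with no expected connection;
      - a PORT line whose private address has a NAT entry is rewritten to the
        public address, and (public ip, port) is returned so the firewall can
        open a pinhole for the server's incoming data connection;
      - a PORT line with no NAT entry, or with malformed fields, yields
        (None, None): the segment is in an incorrect state and is dropped.
    """
    m = PORT_RE.match(payload)
    if not m:
        return payload, None
    try:
        ip, port = parse_hostport(m.groups())
    except ValueError:
        return None, None
    mapped = nat_table.get((ip, port))
    if mapped is None:
        return None, None
    # The rewritten payload may change length, so a real ALG must also adjust
    # TCP sequence/acknowledgement numbers on the rest of the control stream.
    return f"PORT {format_hostport(*mapped)}\r\n", mapped
```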
ALG can process the following protocol packets:
DNS
FTP
GTP
H.323, including RAS, H.225, and H.245
ICMP
ILS
MSN
NBT
PPTP
QQ
RTSP
RSH
SCCP
SIP
SQLNET, a language in Oracle
TFTP
When using ALG to process protocol packets, follow these guidelines:
H.323 protocol packets cannot be forwarded at Layer 2 because the Layer 2 header is removed
from the H.323 fragmented packets in the cache.
ALG can process RSH protocol packets only on enhanced firewall modules.