TMS zl Management and Configuration Guide ST.1.2.100916
4-94
Firewall
Application-Level Gateways (ALGs)
Scenario 1. The L2TP ALG creates a new association when it receives a Start-Control-Connection-Request (SCCRQ) message from the L2TP Access Concentrator (LAC), which results in two associations in the firewall:
■ the association that is originally created by the firewall, which handles data that arrives on the port where the client initiated the connection. If NAT is used, this association permits data that arrives on the NAT port.
■ the association that is created by the ALG, which allows data packets that come from the LNS with source port UDP 1701.
Scenario 2. The L2TP ALG creates a new association with “destination port unknown” once an SCCRQ message is sent, which results in two associations in the firewall:
■ the association that is created by the firewall, which permits packets from UDP 1701
■ the association that is created by the ALG, which has no specified destination port and handles any reply packets that arrive on a port other than UDP 1701
In both of the cases above, one of the associations is eventually deleted, depending upon which association is being used for further communication.
Limitations. The following are not supported:
■ Multiple tunnels between the same systems
■ Multiple tunnels with the same tunnel ID and the same tunnel recipient
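The two-association behaviour described in Scenario 1 and Scenario 2, together with the "one tunnel per pair of systems" limitation, can be seen in a small model of a firewall association table. The following Python is an added example, not code from the TMS zl product: the exact match fields it gives each association (which ports are fixed and which are wildcarded) and the addresses in the constructed exchange are assumptions made here to illustrate the text, and the NAT case models only the translated port, not the address translation itself.

```python
"""Two-association model of the L2TP ALG behaviour described above.

Added illustration, not the TMS zl implementation. It models a firewall
association (state) table in which the ALG, on seeing an SCCRQ, adds a
second association beside the firewall's own; the peer's first reply shows
which one the session uses and the other is deleted. The precise match
fields of each association are modelling assumptions made here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

L2TP_PORT = 1701
ANY: Optional[int] = None   # wildcard: the "destination port unknown" of Scenario 2


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    msg: str = "data"       # "SCCRQ" for the control-connection request


@dataclass
class Association:
    """Match template for reply traffic (LNS -> client side); None matches any port."""
    owner: str              # "firewall" or "alg"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.src_ip == self.src_ip and p.dst_ip == self.dst_ip
                and (self.src_port is ANY or p.src_port == self.src_port)
                and (self.dst_port is ANY or p.dst_port == self.dst_port))


class AssociationTable:
    def __init__(self) -> None:
        self.entries: List[Association] = []

    def on_sccrq(self, req: Packet, scenario: int,
                 nat_port: Optional[int] = None) -> bool:
        """Client-side SCCRQ seen: the firewall and the ALG each add an association.

        Returns False when the request is refused. This mirrors the stated
        limitation: a second tunnel between the same two systems is not supported.
        """
        if req.msg != "SCCRQ":
            return False
        lns, client = req.dst_ip, req.src_ip
        if any(a.src_ip == lns and a.dst_ip == client for a in self.entries):
            return False
        # Replies are addressed to the client's port, or to the NAT port if NAT is used.
        reply_port = nat_port if nat_port is not None else req.src_port
        if scenario == 1:
            # Firewall: data arriving on the port the client initiated from (or the NAT port).
            self.entries.append(Association("firewall", lns, ANY, client, reply_port))
            # ALG: packets from the LNS with source port UDP 1701, whatever the destination port.
            self.entries.append(Association("alg", lns, L2TP_PORT, client, ANY))
        elif scenario == 2:
            # Firewall: packets from UDP 1701 (destination port assumed to be the reply port).
            self.entries.append(Association("firewall", lns, L2TP_PORT, client, reply_port))
            # ALG: "destination port unknown", for replies arriving on a port other than 1701.
            self.entries.append(Association("alg", lns, ANY, client, ANY))
        else:
            raise ValueError("scenario must be 1 or 2")
        return True

    def on_reply(self, p: Packet) -> Optional[str]:
        """Pass the first reply through the association that matches it.

        That association is kept for further communication and the other one
        is deleted; a reply that no association permits is dropped (None).
        """
        used = next((a for a in self.entries if a.matches(p)), None)
        if used is None:
            return None
        self.entries = [used]
        return used.owner


def run_scenario(scenario: int, reply_src_port: int, reply_dst_port: int,
                 nat_port: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Constructed exchange: LAC 10.0.0.5:50000 -> LNS 203.0.113.9:1701, then one reply.

    Returns (owner of the association that carried the reply, associations left).
    """
    table = AssociationTable()
    sccrq = Packet("10.0.0.5", 50000, "203.0.113.9", L2TP_PORT, "SCCRQ")
    table.on_sccrq(sccrq, scenario, nat_port)
    reply = Packet("203.0.113.9", reply_src_port, "10.0.0.5", reply_dst_port, "SCCRP")
    return table.on_reply(reply), len(table.entries)


if __name__ == "__main__":
    print("scenario 1, reply 1701->50000:", run_scenario(1, 1701, 50000))   # firewall association wins
    print("scenario 1, reply 1701->50001:", run_scenario(1, 1701, 50001))   # ALG association wins
    print("scenario 2, reply 2000->50000:", run_scenario(2, 2000, 50000))   # ALG association wins
```

Running the model shows the point of the second association: in Scenario 1 a reply from UDP 1701 to a destination port the firewall did not record is still admitted by the ALG entry, and in Scenario 2 a reply from a source port other than 1701 is admitted the same way; in every case only the association that carried the reply survives, and a reply that matches neither is dropped with both entries still in place.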
NetBIOS
Network Basic Input/Output System (NetBIOS) is a service in the Windows network environment that allows multiple devices on a LAN to share resources with each other. The NetBIOS service permits a device to view all of the other devices on the network, map network drives, share printer resources, and so on.
The NetBIOS ALG:
■ provides name resolution across zones
■ processes and forwards redirects
Caution: The NetBIOS ALG requires TCP port 139 to be open, which exposes your system to an additional attack vector.