10-Security Configuration Guide

HomeSupportResource CenterRoutersH3C SR8800 Series RoutersH3C SR8800Technical DocumentsConfigureConfiguration GuideH3C SR8800 Configuration Guide-Release3347-6W10310-Security Configuration Guide
10-ALG Configuration
Title Size Download
10-ALG Configuration 162.50 KB

ALG overview

The Application Level Gateway (ALG) feature is used to process application layer packets.

Usually, Network Address Translation (NAT) translates only IP address and port information in packet headers; it does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which, if not translated, may cause problems. For example, a File Transfer Protocol (FTP) application involves both data connection and control connection, and data connection establishment dynamically depends on the payload information of the control connection. ALG can process the payload information to make sure that the data connections can be established.

ALG can work with NAT to implement the following functions:

·     Address translation

Resolves the source IP address, port, protocol type (TCP or UDP), and remote IP address information in packet payloads.

·     Data connection detection

Extracts information required for data connection establishment and establishing data connections for data exchange.

·     Application layer status checking

Inspects the status of the application layer protocol in packets. If the status is right, updating the packet state machine and performing further processing; otherwise, dropping packets with incorrect states.

Support for the above functions depends on the application layer protocol. ALG can process packets of the following protocols:

·     Domain Name System (DNS)

·     FTP

·     GPRS Tunneling Protocol (GTP)

·     H.323, including Registration, Admission, Status (RAS), H.225, and H.245

·     Internet Control Message Protocol (ICMP)

·     Internet Locator Service (ILS)

·     MSN/QQ

·     Network Basic Input/Output System (NBT)

·     Point-to-Point Tunneling Protocol (PPTP)

·     Real Time Streaming Protocol (RTSP)

·     Skinny Client Control Protocol (SCCP)

·     Session Initiation Protocol (SIP)

·     SQLNET (a language in Oracle)

·     Trivial File Transfer Protocol (TFTP)

The following describes the operation of an ALG-enabled router, taking FTP as an example. As shown in Figure 1, the host on the external network accesses the FTP server on the internal network in passive mode through the ALG-enabled router.

Figure 1 Network diagram for ALG-enabled FTP application in passive mode

 

The communication process includes the following stages:

1.     Establishing a control connection

The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage. 

2.     Authenticating the user

The host sends the server an authentication request, which contains the FTP commands (user and password) and the contents.

When the request passes through the ALG-enabled router, the commands in the payload of the packet will be resolved and used to check whether the state machine transition is going on correctly. If not, the request will be dropped. In this way, ALG protects the server against clients that send packets with state machine errors or log into the server with illegal user accounts.

An authentication request with a correct state is forwarded by the ALG-enabled router to the server, which authenticates the host according to the information in the packet. 

3.     Establishing a data connection

If the host passes the authentication, a data connection is established between it and the server. If the host is accessing the server in passive mode, the data connection process is different. In passive mode, the server sends the host a PASV response that uses its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled router, the router resolves the packet and translates the server’s private network address and port number into the server’s public network address and port number (IP2, Port2) respectively. Then, the router uses the public network address and port number to establish a data connection with the host.

4.     Exchanging data

The host and the FTP server exchange data through the established data connection.

Enabling ALG

To enable ALG:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable ALG.

alg { all | dns | ftp | h323 | ils | msn | nbt | qq | rtsp | sccp | sip | sqlnet | tftp }

Optional.

Enabled for all protocols by default

The tftp keyword is not supported.

 

Configuring a port mapping

To configure a port mapping:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a mapping between a port and an application protocol.

port-mapping application-name port port-number [ acl acl-number ]

Optional.

The source field of the ACL rule must be the public address of the internal server, that is, the address for external users to use to access the internal server.

 

Displaying ALG

 

Task

Command

Remarks

Display port mapping information.

display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]

Available in any view

 

ALG configuration examples

 

 

NOTE:

The following examples describe only ALG-related configurations, assuming that other required configurations on the server and client have been done.

 

FTP ALG configuration example

Network requirements

As shown in Figure 2, a company uses the private network segment 192.168.1.0/24, and has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. The company wants to provide FTP services to the outside.

Configure NAT and ALG on the router so that hosts on the external network can access the FTP server on the internal network.

Figure 2 Network diagram

 

Configuration procedure

# Configure the address pool and ACL.

<Router> system-view

[Router] nat address-group 1 5.5.5.9 5.5.5.11

[Router] acl number 2001

[Router-acl-basic-2001] rule permit

[Router-acl-basic-2001] quit

# Enable ALG for FTP.

[Router] alg ftp

# Configure NAT.

[Router] interface GigabitEthernet 3/1/1

[Router-GigabitEthernet3/1/1] nat outbound 2001 address-group 1

# Configure a NAT service interface binding.

[Router] interface nat 5/0/1

[Router-NAT5/0/1] nat binding interface GigabitEthernet 3/1/1

[Router-NAT5/0/1] quit

# Configure the internal FTP server.

[Router] interface GigabitEthernet 3/1/1

[Router-GigabitEthernet3/1/1] nat server protocol tcp global 5.5.5.10 ftp inside 192.168.1.2 ftp

SIP/H.323 ALG configuration example

 

 

NOTE:

H.323 ALG configuration is similar to SIP ALG configuration. The following takes SIP ALG configuration as an example.

 

Network requirements

As shown in Figure 3, a company uses the private network segment 192.168.1.0/24, and has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 is on the internal network and SIP UA 2 is on the outside network.

Configure NAT and ALG on the router so that SIP UA 1 and SIP UA 2 can communicate by using their aliases, and SIP UA 1 selects an IP address from the range 5.5.5.9 to 5.5.5.11 when registering with the SIP server on the external network.

Figure 3 Network diagram

 

Configuration procedure

# Configure the address pool and ACL.

<Router> system-view

[Router] nat address-group 1 5.5.5.9 5.5.5.11

[Router] acl number 2001

[Router-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-basic-2001] rule deny

[Router-acl-basic-2001] quit

# Configure NAT.

[Router] interface GigabitEthernet 3/1/2

[Router-GigabitEthernet3/1/2] nat outbound 2001 address-group 1

[Router-GigabitEthernet3/1/2] quit

# Configure a NAT service interface binding.

[Router] interface nat 5/0/1

[Router-NAT5/0/1] nat binding interface GigabitEthernet 3/1/2

[Router-NAT5/0/1] quit

NBT ALG configuration example

Network requirements

As shown in Figure 4, a company using the private network segment 192.168.1.0/24 wants to provide NBT services to the outside.

Configure NAT and ALG on the router so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.10 as its external IP address, and Host B can access the WINS server and Host A by using host names.

Figure 4 Network diagram

 

Configuration procedure

# Configure a static NAT entry.

<Router> system-view

[Router] interface nat 5/0/1

[Router-NAT5/0/1] nat static 192.168.1.3 5.5.5.9

[Router-NAT5/0/1] quit

# Enable ALG for NBT.

[Router] alg nbt

# Configure NAT.

[Router] interface GigabitEthernet 3/1/2

[Router-GigabitEthernet3/1/2] nat outbound static

[Router-GigabitEthernet3/1/2] quit

# Configure the internal WINS server.

[Router-GigabitEthernet3/1/2] nat server protocol udp global 5.5.5.10 137 inside 192.168.1.2 137

[Router-GigabitEthernet3/1/2] nat server protocol udp global 5.5.5.10 138 inside 192.168.1.2 138

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 5.5.5.10 139 inside 192.168.1.2 139

[Router-GigabitEthernet3/1/2] quit

# Configure a NAT service interface binding.

[Router] interface nat 5/0/1

[Router-NAT5/0/1] nat binding interface GigabitEthernet 3/1/2

[Router-NAT5/0/1] quit