H3C SecPath Series High-End Firewalls WEB Manual(F3169 F3207)-5PW106


40-Application Level Gateway Configuration


Application Level Gateway Configuration

ALG Overview

The application level gateway (ALG) feature is used to process application layer packets.

Usually, Network Address Translation (NAT) translates only the IP address and port information in packet headers and does not inspect application layer payloads. However, the payloads of some protocols carry IP address or port information that, if left untranslated, breaks the application. For example, File Transfer Protocol (FTP) uses a control connection and a separate data connection, and the data connection is set up dynamically using the address and port announced in the payload of the control connection. ALG inspects and rewrites that payload information so that the data connection can be established through the NAT device.

Currently, ALG can work with NAT and Application Specific Packet Filter (ASPF) to implement the following functions:

·           Address translation

Parsing the IP address, port, and transport protocol (TCP or UDP) information carried in packet payloads and translating it consistently with the header translation performed by NAT.

·           Data connection detection

Extracting information required for data connection establishment and establishing data connections for data exchange.

·           Application layer status checking

Inspecting the state of the application layer protocol carried in each packet. If the state is valid, the packet state machine is updated and processing continues; otherwise the packet is dropped.

Support for the above functions depends on the application layer protocol. Currently, ALG can be used to process packets of the following protocols:

·           Hypertext Transfer Protocol (HTTP)

·           Internet Control Message Protocol (ICMP)

·           File Transfer Protocol (FTP)

·           GPRS Tunneling Protocol (GTP)

·           Domain Name System (DNS)

·           Real-Time Streaming Protocol (RTSP)

·           H.323, including Registration, Admission, Status (RAS), H.225, and H.245

·           Session Initiation Protocol (SIP)

·           SQL*Net (the Oracle client/server network protocol)

·           Point-to-Point Tunneling Protocol (PPTP)

·           Internet Locator Server (ILS)

·           NetBIOS over TCP/IP (NBT)

·           MSN/QQ

·           Trivial File Transfer Protocol (TFTP)

·           Skinny Client Control Protocol (SCCP)

·           X Display Manager Control Protocol (XDMCP)

The following describes the operation of an ALG-enabled device, taking FTP as an example. As shown in Figure 1, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled device.

Figure 1 Network diagram for ALG-enabled FTP application in PASV mode

 

The communication process includes the following stages:

1.          Establishing a control connection

The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage. 

2.          Authenticating the user

The host sends an authentication request to the server, consisting of the FTP commands USER and PASS together with their arguments (the user name and password).

When the request passes through the ALG-enabled device, the commands in the packet payload are parsed and checked against the expected state machine transition. If the transition is invalid, the request is dropped. In this way, ALG protects the server against clients that send commands out of sequence or skip the login step; the credentials themselves are verified by the server, not by the ALG.

An authentication request with a valid state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.

3.          Establishing a data connection

If the host passes authentication, a data connection can be established between it and the server. In passive mode the process is as follows: the host sends PASV on the control connection, and the server replies with a PASV response announcing its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device parses the payload and replaces the server's private address and port with the server's public network address and port number (IP2, Port2). The host then opens the data connection to (IP2, Port2); the device maps this connection back to (IP1, Port1) and forwards it to the server. Without ALG, the host would attempt to connect to the unroutable private address and the data connection would fail.

4.          Exchanging data

The host and the FTP server exchange data through the established data connection.
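The following Python model, added to this page and not H3C's implementation, shows the two ALG behaviours described in the stages above: the control-connection state machine that drops commands sent before login, and the rewriting of the server's PASV reply from its private socket (IP1, Port1) to the public one (IP2, Port2), with the resulting pinhole for the host's data connection. The server addresses follow the FTP configuration example below (192.168.1.2 published as 5.5.5.10); the FTP dialogue, the set of permitted commands per state and the choice to keep the port number unchanged are constructed assumptions.

```python
"""Model of the FTP ALG behaviour described above: the control-connection
state machine (USER/PASS before anything else), rewriting of the server's
PASV reply from its private socket (IP1, Port1) to the public one (IP2, Port2),
and the pinhole that lets the host's data connection reach the server.
Added example, not H3C's implementation. Server addresses follow the FTP
example (192.168.1.2 published as 5.5.5.10); the FTP dialogue is constructed."""

import re

# A 227 reply carries h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpAlgSession:
    NEED_USER, NEED_PASS, LOGGED_IN = "NEED_USER", "NEED_PASS", "LOGGED_IN"

    # commands the ALG forwards in each state (a constructed subset of FTP)
    ALLOWED = {
        NEED_USER: {"USER", "QUIT"},
        NEED_PASS: {"PASS", "QUIT"},
        LOGGED_IN: {"PASV", "LIST", "RETR", "STOR", "PWD", "CWD", "TYPE", "QUIT"},
    }

    def __init__(self, server_private_ip, server_public_ip):
        self.state = self.NEED_USER
        self.private_ip = server_private_ip
        self.public_ip = server_public_ip
        self.pinholes = {}   # (public_ip, public_port) -> (private_ip, private_port)
        self.dropped = []

    def client_command(self, line):
        """Host -> server. Returns True if forwarded, False if dropped for a
        state-machine violation (for example PASV before login)."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in self.ALLOWED[self.state]:
            self.dropped.append(line.strip())
            return False
        if verb == "USER":
            self.state = self.NEED_PASS
        return True

    def server_reply(self, line):
        """Server -> host. Tracks the login outcome and rewrites PASV replies;
        returns the line as the host should see it."""
        if self.state == self.NEED_PASS:
            if line.startswith("230"):          # login succeeded
                self.state = self.LOGGED_IN
            elif line.startswith("530"):        # login failed: back to USER
                self.state = self.NEED_USER
        m = PASV_RE.match(line)
        if not m:
            return line
        ip = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if ip != self.private_ip:
            return line                          # not the server we translate
        # Assumption in this model: only the address changes, the port is kept.
        self.pinholes[(self.public_ip, port)] = (ip, port)
        h = self.public_ip.split(".")
        return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n" % (
            h[0], h[1], h[2], h[3], port // 256, port % 256)

    def data_connection(self, dst_ip, dst_port):
        """Inbound SYN for the data connection: return the private server socket
        if a PASV reply opened a pinhole for it, else None. Pinholes are one-shot."""
        return self.pinholes.pop((dst_ip, dst_port), None)


def run_demo():
    """Constructed dialogue; '>' lines come from the host, '<' lines from the server."""
    alg = FtpAlgSession("192.168.1.2", "5.5.5.10")
    dialogue = [
        (">", "PASV\r\n"),                      # before login: dropped by the ALG
        (">", "USER alice\r\n"),
        ("<", "331 Password required for alice\r\n"),
        (">", "PASS s3cret\r\n"),
        ("<", "230 Login successful\r\n"),
        (">", "PASV\r\n"),
        ("<", "227 Entering Passive Mode (192,168,1,2,195,80)\r\n"),  # 195*256+80 = 50000
    ]
    log = []
    for who, line in dialogue:
        if who == ">":
            log.append(("fwd" if alg.client_command(line) else "drop", line.strip()))
        else:
            log.append(("reply", alg.server_reply(line).strip()))
    target = alg.data_connection("5.5.5.10", 50000)   # host connects to (IP2, Port2)
    return log, target, alg
```

Running run_demo() shows the first PASV dropped, the 227 reply forwarded as "227 Entering Passive Mode (5,5,5,10,195,80)", and the host's connection to 5.5.5.10:50000 mapped to 192.168.1.2:50000. Note that the pinhole is consumed by the first matching connection; a second unsolicited connection to the same public socket is not admitted, which is the behaviour a practitioner should expect from a stateful ALG rather than from a static port forward.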

Configuring ALG

 

 

NOTE:

By default, the ALG function is enabled for all protocols.

 

In the navigation tree, select Firewall > ALG to enter the page as shown in Figure 2.

Figure 2 ALG configuration page

 

·           To add selected application protocols, select them in the Optional Application Protocols list and click the << button. Then the protocols will be added to the Selected Application Protocols list.

·           To remove selected application protocols, select them in the Selected Application Protocols list and click the >> button. The protocols are moved back to the Optional Application Protocols list.

ALG Configuration Examples

 

 

NOTE:

The following examples describe only ALG-related configurations, assuming that other required configurations on the server and client have been done.

 

FTP ALG Configuration Example

Network requirements

As shown in Figure 3, a company accesses the Internet through a device with NAT and ALG enabled. The company provides FTP services to the outside. The inside network segment of the company is 192.168.1.0/24, and the IP address of the FTP server is 192.168.1.2. You need to configure NAT and ALG to meet the following requirements:

·           The host in the outside network can access the FTP server in the inside network.

·           The company has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11, and the FTP server uses the public network address of 5.5.5.10 to provide services to the outside.

Figure 3 Network diagram for configuring FTP ALG

 

Configuration procedure

Step1      Configure ALG.

# Configure FTP ALG. (By default, the FTP ALG function is enabled, and thus this step can be omitted. Keep in mind that the internal server entry configured in Step 3 publishes only TCP port 21; the passive-mode data connections, which use dynamic ports on the server, are translated and admitted only because FTP ALG is enabled.)

·           Select Firewall > ALG from the navigation tree. Add the FTP protocol to the selected protocol list as shown in Figure 4.

Figure 4 Configure FTP ALG

 

·           Select ftp in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.

·           Click OK.

Step2      Configure an ACL.

# Create a basic ACL.

·           Select Firewall > ACL from the navigation tree and then on the page that appears, click Add. Create ACL 2001 as shown in Figure 5.

Figure 5 Add ACL 2001

 

·           Type 2001 in the ACL Number text box.

·           Select Config as the match order.

·           Click Apply.

# Configure an ACL rule.

·           Click the icon of ACL 2001 to enter the ACL rule configuration page. Then click Add. Create an ACL rule as shown in Figure 6.

Figure 6 Add an ACL rule

 

·           Select Permit as the operation. (No source address is specified, so this rule matches packets from any source; compare the SIP example, which restricts the ACL to the 192.168.1.0/24 segment.)

·           Click Apply.

Step3      Configure dynamic NAT and the internal server.

# Configure the address pool.

·           Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Address Pool area, click Add. Add a NAT address pool as shown in Figure 7.

Figure 7 Add a NAT address pool

 

·           Type 1 in the Index text box.

·           Type 5.5.5.9 as the start IP address.

·           Type 5.5.5.11 as the end IP address.

·           Click Apply.

# Configure dynamic NAT.

·           In the Dynamic NAT area, click Add. Configure dynamic NAT as shown in Figure 8.

Figure 8 Configure dynamic NAT

 

·           Select GigabitEthernet0/1.

·           Type 2001 for the ACL field.

·           Select PAT as the address translation.

·           Type 1 as the address pool index.

·           Click Apply.

# Configure the internal FTP server.

·           Select Firewall > NAT > Internal Server from the navigation tree. Then in the Internal Server area, click Add. Configure an internal FTP server as shown in Figure 9.

Figure 9 Configure an internal FTP server

 

·           Select GigabitEthernet0/1.

·           Select 6(TCP) as the protocol type.

·           Type 5.5.5.10 as the external IP address.

·           Type 21 as the global port.

·           Type 192.168.1.2 as the internal IP address.

·           Type 21 as the internal port.

·           Click Apply.

SIP/H.323 ALG Configuration Example

 

 

NOTE:

H.323 ALG configuration is similar to SIP ALG configuration. The following takes SIP ALG configuration as an example.

 

Network requirements

As shown in Figure 10, a company accesses the Internet through a device with NAT and ALG enabled. The inside network segment of the company is 192.168.1.0/24. You need to configure NAT and ALG to meet the following requirements:

·           SIP UA 1 in the inside network and SIP UA 2 in the outside network can communicate with their aliases.

·           The company has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 selects one from the range 5.5.5.9 to 5.5.5.11 as its public network address when registering with the SIP server in the outside network.

Figure 10 Network diagram for SIP ALG configuration

 

Configuration procedure

Step1      Configure ALG.

# Configure SIP ALG. (By default, the SIP ALG function is enabled, and thus this step can be omitted.)

·           Select Firewall > ALG from the navigation tree. Add the SIP protocol to the selected protocol list as shown in Figure 11.

Figure 11 Configure SIP ALG

 

·           Select sip in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.

·           Click OK.

Step2      Configure an ACL.

# Create a basic ACL.

·           Select Firewall > ACL from the navigation tree and then on the page that appears, click Add. Create ACL 2001 as shown in Figure 12.

Figure 12 Add ACL 2001

 

·           Type 2001 in the ACL Number text box.

·           Click Apply.

# Create an ACL rule.

·           Click the icon of ACL 2001 to enter the ACL rule configuration page. Then click Add. Create an ACL rule as shown in Figure 13.

Figure 13 Configure an ACL rule to permit packets sourced from 192.168.1.0/24

 

·           Select Permit as the operation.

·           Select the Source IP Address check box, type 192.168.1.0 as the source IP address, and type 0.0.0.255 as the source wildcard.

·           Click Apply.

·           Click Add. Create an ACL rule as shown in Figure 14.

Figure 14 Configure an ACL rule to deny packets

 

·           Select Deny as the operation.

·           Click Apply.

Step3      Configure dynamic NAT.

# Configure the address pool.

·           Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Address Pool area, click Add. Add a NAT address pool as shown in Figure 15.

Figure 15 Configure a NAT address pool

 

·           Type 1 in the Index text box.

·           Type 5.5.5.9 as the start IP address.

·           Type 5.5.5.11 as the end IP address.

·           Click Apply.

# Configure dynamic NAT.

·           In the Dynamic NAT area, click Add. Configure dynamic NAT as shown in Figure 16.

Figure 16 Configure dynamic NAT

 

·           Select GigabitEthernet0/1.

·           Type 2001 for the ACL field.

·           Select PAT as the address translation.

·           Type 1 as the address pool index.

·           Click Apply.

NBT ALG Configuration Example

Network requirements

As shown in Figure 17, a company accesses the Internet through a device with NAT and ALG enabled. The company provides NBT services to the outside. The inside network segment of the company is 192.168.1.0/24. You need to configure NAT and ALG to meet the following requirements:

·           Host B can access the WINS server and Host A by NetBIOS host name.

·           Host A uses 5.5.5.9 as its external IP address, and the WINS server uses 5.5.5.10 as its external IP address.

Figure 17 Network diagram for NBT ALG configuration

 

Configuration procedure

Step1      Configure ALG.

# Configure NBT ALG. (By default, the NBT ALG function is enabled, and thus this step can be omitted.)

·           Select Firewall > ALG from the navigation tree. Configure the NBT protocol as the selected protocol as shown in Figure 18.

Figure 18 Configure NBT ALG

 

·           Select nbt in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.

·           Click OK.

Step2      Configure static NAT and the internal server.

# Configure a static address mapping.

·           Select Firewall > NAT > Static NAT from the navigation tree. In the Static Address Mapping area, click Add. Configure static address mapping as shown in Figure 19.

Figure 19 Configure static address mapping

 

·           Type 192.168.1.3 as the internal IP address.

·           Type 5.5.5.9 as the global IP address.

·           Click Apply.

# Configure static NAT for interface GigabitEthernet 0/1.

·           In the Interface Static Translation area, click Add. Configure interface static translation as shown in Figure 20.

Figure 20 Configure interface static translation

 

·           Select GigabitEthernet0/1.

·           Click Apply.

# Configure the internal WINS server.

·           Select Firewall > NAT > Internal Server from the navigation tree. Then in the Internal Server area, click Add. Configure an internal WINS server as shown in Figure 21.

Figure 21 Configure an internal WINS server

 

·           Select GigabitEthernet0/1.

·           Select 17(UDP) as the protocol type.

·           Type 5.5.5.10 as the external IP address.

·           Type 137 as the global port.

·           Type 192.168.1.2 as the internal IP address.

·           Type 137 as the internal port.

·           Click Apply.

·           In the Internal Server area, click Add. Configure a second internal server entry for the WINS server, similar to the configuration shown in Figure 21.

·           Select GigabitEthernet0/1.

·           Select 17(UDP) as the protocol type.

·           Type 5.5.5.10 as the external IP address.

·           Type 138 as the global port.

·           Type 192.168.1.2 as the internal IP address.

·           Type 138 as the internal port.

·           Click Apply.

·           In the Internal Server area, click Add. Configure a third internal server entry for the WINS server, similar to the configuration shown in Figure 21.

·           Select GigabitEthernet0/1.

·           Select 6(TCP) as the protocol type.

·           Type 5.5.5.10 as the external IP address.

·           Type 139 as the global port.

·           Type 192.168.1.2 as the internal IP address.

·           Type 139 as the internal port.

·           Click Apply.
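The three configuration examples above (FTP, SIP/H.323, NBT) combine the same building blocks in the web interface: a basic ACL evaluated in config order, a NAT address pool with PAT on GigabitEthernet0/1, internal server entries, and a static address mapping. The following Python model, added to this page and not H3C's implementation, reproduces the resulting forwarding decisions for all three examples so that the effect of each setting can be checked: the bare Permit rule of the FTP example translates any source, the wildcard rule of the SIP example admits only 192.168.1.0/24, an internal server entry is reachable unsolicited only for the configured protocol and port, and a static mapping is bidirectional. The addresses are the manual's; the packet samples, the round-robin pool selection and the PAT port numbering are constructed assumptions.

```python
"""Model of the NAT policy that the three configuration examples build in the
web interface: a basic ACL evaluated in config order with wildcard masks,
an address pool used for dynamic PAT on GigabitEthernet0/1, internal-server
(port-forwarding) entries, and a static address mapping. Added example, not
H3C's implementation. Addresses are the manual's; the packet samples, the
round-robin pool selection and the PAT port numbering are constructed."""

import itertools
from ipaddress import IPv4Address


def ip_range(start, end):
    """Expand a pool given as start/end addresses into a list of dotted strings."""
    a, b = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(i)) for i in range(a, b + 1)]


def acl_lookup(rules, src):
    """Config match order: the first rule whose source matches decides.
    A rule without a source (None) matches any address; no match returns None,
    which dynamic NAT treats as not permitted."""
    s = int(IPv4Address(src))
    for action, source in rules:
        if source is None:
            return action
        net, wildcard = (int(IPv4Address(x)) for x in source)
        if (s | wildcard) == (net | wildcard):   # wildcard 1-bits are "don't care"
            return action
    return None


class NatDevice:
    def __init__(self, pool=(), acl=(), servers=(), static=()):
        self.pool = itertools.cycle(pool) if pool else None
        self.acl = list(acl)
        self.servers = dict(servers)   # (proto, ext_ip, ext_port) -> (int_ip, int_port)
        self.static = dict(static)     # int_ip -> ext_ip, one-to-one, ports unchanged
        self.ports = itertools.count(10240)   # constructed PAT port allocator
        self.fwd, self.rev = {}, {}           # PAT session tables

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside through GigabitEthernet0/1. Returns the (ip, port)
        the packet carries on the outside, or None when the ACL does not permit it."""
        if src in self.static:
            return self.static[src], sport
        key = (proto, src, sport, dst, dport)
        if key not in self.fwd:
            if self.pool is None or acl_lookup(self.acl, src) != "permit":
                return None
            pub = (next(self.pool), next(self.ports))
            self.fwd[key] = pub
            self.rev[(proto, pub[0], pub[1], dst, dport)] = (src, sport)
        return self.fwd[key]

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside. Internal-server entries and static mappings accept
        unsolicited traffic; anything else must belong to an existing PAT session."""
        if (proto, dst, dport) in self.servers:
            return self.servers[(proto, dst, dport)]
        for int_ip, ext_ip in self.static.items():
            if ext_ip == dst:
                return int_ip, dport
        return self.rev.get((proto, dst, dport, src, sport))


def run_demo():
    pool = ip_range("5.5.5.9", "5.5.5.11")
    # FTP example: ACL 2001 is a bare permit; 5.5.5.10:21/tcp is published
    ftp = NatDevice(pool, acl=[("permit", None)],
                    servers={("tcp", "5.5.5.10", 21): ("192.168.1.2", 21)})
    # SIP example: ACL 2001 permits 192.168.1.0/24 (wildcard 0.0.0.255), then denies
    sip = NatDevice(pool, acl=[("permit", ("192.168.1.0", "0.0.0.255")), ("deny", None)])
    # NBT example: static map for Host A, internal-server entries for the WINS server
    nbt = NatDevice(static={"192.168.1.3": "5.5.5.9"},
                    servers={("udp", "5.5.5.10", 137): ("192.168.1.2", 137),
                             ("udp", "5.5.5.10", 138): ("192.168.1.2", 138),
                             ("tcp", "5.5.5.10", 139): ("192.168.1.2", 139)})
    sip_reg = sip.outbound("udp", "192.168.1.20", 5060, "203.0.113.5", 5060)
    return {
        "ftp_ctrl": ftp.inbound("tcp", "203.0.113.7", 40000, "5.5.5.10", 21),
        "ftp_out_any": ftp.outbound("tcp", "10.9.9.9", 1111, "203.0.113.7", 80),
        "sip_out_ok": sip_reg,
        "sip_out_denied": sip.outbound("udp", "192.168.2.20", 5060, "203.0.113.5", 5060),
        "sip_reply": sip.inbound("udp", "203.0.113.5", 5060, *sip_reg),
        "sip_unsolicited": sip.inbound("udp", "203.0.113.5", 5060, "5.5.5.9", 5060),
        "nbt_hosta_out": nbt.outbound("tcp", "192.168.1.3", 139, "203.0.113.9", 139),
        "nbt_hosta_in": nbt.inbound("tcp", "203.0.113.9", 50000, "5.5.5.9", 139),
        "nbt_wins_in": nbt.inbound("udp", "203.0.113.9", 137, "5.5.5.10", 137),
        "nbt_wins_udp139": nbt.inbound("udp", "203.0.113.9", 139, "5.5.5.10", 139),
    }
```

Two results are worth noting when reading run_demo(): "ftp_out_any" shows that a Permit rule with no source, as in the FTP example, translates packets from any inside source (here 10.9.9.9), whereas the SIP example's wildcard rule plus final Deny returns None for 192.168.2.20; and "nbt_wins_udp139" is None because the internal server entries are per protocol and port, so UDP 139 is not published even though TCP 139 is.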

 
