ALG
ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT.
SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over Internet.
H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
FTP - File Transfer Protocol - an Internet file transfer service.
The ALG feature is only needed for traffic that goes through the ZyWALL’s NAT.
What You Need to Know
Application Layer Gateway (ALG), NAT and Firewall
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The ZyWALL dynamically creates an implicit NAT session and firewall session for the application’s traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL’s NAT mapping types.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and firewall rules if you want to allow access to the server from the WAN.
H.323 ALG
The H.323 ALG supports peer-to-peer H.323 calls.
The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes. You can also make other H.323 calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a private IP address on the LAN to a peer device on the WAN.
The H.323 ALG operates on TCP packets with a specified port destination.
The ZyWALL allows H.323 audio connections.
The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
SIP ALG
SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks.
There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
Using the SIP ALG allows you to use bandwidth management on SIP traffic.
The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. You can also make other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows peer to peer calls from the LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone to the LAN zone.
The SIP ALG allows UDP packets with a specified port destination to pass through.
The ZyWALL allows SIP audio connections.
You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the ZyWALL when you enable the SIP ALG.
Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Application Patrol) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic.
Peer-to-Peer Calls and the ZyWALL
The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the firewall and NAT (port forwarding) to allow calls from the WAN to a specific IP address on the LAN, you can also use policy routing to have H.323 (or SIP) calls from other LAN or DMZ IP addresses go out through a different WAN IP address. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.
For example, you configure the firewall and NAT to allow LAN IP address A to receive calls from the Internet through WAN IP address 1. You also use a policy route to have LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet.
VoIP with Multiple WAN IP Addresses
With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.323 (or SIP) calls from each of those LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.
For example, you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
Finding Out More
See How to Allow Incoming H.323 Peer-to-peer Calls for a tutorial showing how to use the ALG for peer-to-peer H.323 traffic.
See How to Use an IPPBX on the DMZ for an example of making an IPPBX using SIP or a SIP server in the DMZ zone accessible from the Internet (the WAN zone).
Before You Begin
You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN.
ALG
Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time outs.
Note:
If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic.
Configuration > Network > ALG 
Label
Description
Enable SIP ALG
Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Application Patrol).
Enable SIP Transformations
Select this to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload.
You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload.
Enable Configure SIP Inactivity Timeout
Select this option to have the ZyWALL apply SIP media and signaling inactivity time out limits.
SIP Media Inactivity Timeout
Use this field to set how many seconds (1~86400) the ZyWALL will allow a SIP session to remain idle (without voice traffic) before dropping it.
If no voice packets go through the SIP ALG before the timeout period expires, the ZyWALL deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
SIP Signaling Inactivity Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL deletes the signaling session after the timeout period. Enter the SIP signaling session timeout value (1~86400).
SIP Signaling Port
If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here. Use the Add icon to add fields if you are also using SIP on additional UDP port numbers.
Additional SIP Signaling Port (UDP) for Transformations
If you are also using SIP on an additional UDP port number, enter it here.
Enable H.323 ALG
Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and help build H.323 sessions through the ZyWALL’s NAT. Enabling the H.323 ALG also allows you to use the application patrol to detect H.323 traffic and manage the H.323 traffic’s bandwidth (see Application Patrol).
Enable H.323 Transformations
Select this to have the ZyWALL modify IP addresses and port numbers embedded in the H.323 data payload.
You do not need to use this if you have a H.323 device or server that will modify IP addresses and port numbers embedded in the H.323 data payload.
H.323 Signaling Port
If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here.
Additional H.323 Signaling Port for Transformations
If you are also using H.323 on an additional TCP port number, enter it here.
Enable FTP ALG
Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions through the ZyWALL’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Application Patrol).
Enable FTP Transformations
Select this option to have the ZyWALL modify IP addresses and port numbers embedded in the FTP data payload to match the ZyWALL’s NAT environment.
Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the ZyWALL’s NAT environment.
FTP Signaling Port
If you are using a custom TCP port number (not 21) for FTP traffic, enter it here.
Additional FTP Signaling Port for Transformations
If you are also using FTP on an additional TCP port number, enter it here.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to return the screen to its last-saved settings.