ALG
ALG Overview
Application Layer Gateway (ALG) allows File Transfer Protocol (FTP) to operate properly through the Zyxel Device’s NAT.
The ALG feature is only needed for traffic that goes through the Zyxel Device’s NAT.
What You Need to Know
Application Layer Gateway (ALG), NAT and Security Policy
The Zyxel Device can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as FTP) to operate properly through the Zyxel Device’s NAT and security policy. The Zyxel Device dynamically creates an implicit NAT session and security policy session for the application’s traffic from the WAN to the LAN. The ALG on the Zyxel Device supports all of the Zyxel Device’s NAT mapping types.
ALG
Some applications cannot operate through NAT (are NAT unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The Zyxel Device examines and uses IP address and port number information embedded in the FTP traffic’s data stream. When a device behind the Zyxel Device uses an application for which the Zyxel Device has FTP pass through enabled, the Zyxel Device translates the device’s private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the security policy so the application’s traffic can come in from the WAN to the LAN.
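As an added illustration of the payload rewrite described above (example code written for this page, not Zyxel's implementation), the Python function below applies the FTP ALG's translation to one control-channel line: it parses an active-mode PORT command or a passive-mode 227 reply, replaces the embedded private address with the public one, and returns the data-connection endpoint that the security policy has to admit. The addresses and lines are constructed samples; the port is kept unless a port-translating NAT supplies a different public port.

```python
import re
from ipaddress import IPv4Address

# Active mode: the client names the address/port the server should connect back to.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")
# Passive mode: the server (e.g. one on the LAN behind NAT) names its own data port.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}(?:,\d{1,3}){5})\)")


def _decode(hostport):
    """'h1,h2,h3,h4,p1,p2' -> (IPv4Address, port); rejects octets above 255."""
    parts = [int(p) for p in hostport.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError(f"invalid FTP host/port tuple: {hostport}")
    return IPv4Address(".".join(map(str, parts[:4]))), parts[4] * 256 + parts[5]


def _encode(ip, port):
    return ",".join(str(ip).split(".")) + f",{port // 256},{port % 256}"


def translate_ftp_control_line(line, private_ip, public_ip, public_port=None):
    """Apply the ALG transformation to one FTP control-channel line.

    Returns (rewritten_line, pinhole). pinhole is the (ip, port) of the data
    connection the security policy must admit, or None when the line carries
    no embedded address (e.g. 'USER alice') and is passed through untouched.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m is None:
        return line, None
    ip, port = _decode(m.group(1))
    if ip != IPv4Address(private_ip):
        # Not the host being translated: leave the payload alone, but the
        # data session it announces still has to be admitted.
        return line, (str(ip), port)
    # Port-preserving NAT by default; a port-translating NAT passes public_port.
    port_out = port if public_port is None else public_port
    rewritten = line.replace(m.group(1), _encode(IPv4Address(public_ip), port_out), 1)
    return rewritten, (public_ip, port_out)
```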
ALG and Trunks
If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses.
You could also have a trunk with one interface set to active and a second interface set to passive. The Zyxel Device does not automatically move ALG-managed connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client must re-initialize the connection in order for it to go through the second (passive) interface.
FTP ALG
File Transfer Protocol (FTP) is a file transfer service that operates over TCP/IP networks, including the Internet. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and security policies if you want to allow access to the server from the WAN.
SIP ALG
SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. The SIP server cannot be on the LAN. It must be on the WAN or the DMZ.
There should be only one SIP server (total) on the Zyxel Device’s private networks. Any other SIP servers must be on the WAN. So for example you could have a Back-to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
The SIP ALG handles SIP calls that go through NAT or that the Zyxel Device routes. You can also make other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
The SIP ALG supports peer-to-peer SIP calls. The security policy (by default) allows peer to peer calls from the LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone to the LAN zone.
The SIP ALG allows UDP packets with a specified port destination to pass through.
The Zyxel Device allows SIP audio connections.
Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic.
Before You Begin
You must also configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN.
The ALG Screen
Use this screen to:
Turn ALGs off or on.
Configure the port numbers to which they apply.
Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic.
The following table describes the labels in this screen (Network > ALG).
FTP ALG
Enable: Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the Zyxel Device’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic.
Enable FTP Transformations: Select this option to have the Zyxel Device modify IP addresses and port numbers embedded in the FTP data payload to match the Zyxel Device’s NAT environment. Clear this option if you have an FTP device or server that itself modifies the IP addresses and port numbers embedded in the FTP data payload to match the Zyxel Device’s NAT environment.
FTP Signaling Port: If you are using a custom TCP port number (not 21) for FTP traffic, enter it here.
SIP ALG
Enable: Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Zyxel Device’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth.
SIP Signaling Port: If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here. Use the Add icon to add fields if you are also using SIP on additional UDP port numbers.
SIP Inactivity Timeout: Select this option to have the Zyxel Device apply SIP media and signaling inactivity timeout limits. These timeouts take priority over the SIP session timeout (“Expires”) value in a SIP registration response packet.
Media Inactivity Timeout: Use this field to set how many seconds (1-86400) the Zyxel Device allows a SIP session to remain idle (without voice traffic) before dropping it. If no voice packets go through the SIP ALG before the timeout period expires, the Zyxel Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
Signaling Inactivity Timeout: Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the Zyxel Device. If the SIP client does not have this mechanism and makes no calls during the Zyxel Device SIP timeout, the Zyxel Device deletes the signaling session after the timeout period. Enter the SIP signaling session timeout value (1-86400).
Restrict Peer to Peer Media Connection: A media connection is the audio transfer in a SIP connection. Enable this if you want media connections to arrive only from the IP address(es) you registered with. Media connections from other IP addresses will be dropped. You should disable this if you have registered for cloud VoIP services.
Restrict Peer to Peer Signaling Connection: A signaling connection is used to set up the SIP connection. Enable this if you want signaling connections to arrive only from the IP address(es) you registered with. Signaling connections from other IP addresses will be dropped.