DMZ interface as the contact address.
• An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote
clients on the Internet.
• An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the
IP address of the NetDefend Firewall. This rule will have core (in other words,
NetDefendOS itself) as the destination interface.
The reason for this is because of the NAT rule above. When an incoming call is received,
NetDefendOS automatically locates the local receiver, performs address translation and
forwards SIP messages to the receiver. This is done based on the SIP ALG's internal state.
• An Allow rule for inbound traffic from, for example the Internet, to the proxy behind the
DMZ.
4. If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
allowed between clients, bypassing the proxy. The following additional rules are therefore
needed when Record-Route is disabled:
• A NAT rule for outbound traffic from the clients on the internal network to the external
clients and proxies on, for example, the Internet. The SIP ALG will take care of all address
translation needed by the NAT rule. The translation will occur both at the IP level and the
application level.
• An Allow rule for inbound SIP traffic from, for example the Internet, to the IP address of
the DMZ interface. The reason for this is because local clients will be NATed using the IP
address of the DMZ interface when they register with the proxy located on the DMZ.
This rule has core as the destination interface (in other words, NetDefendOS itself). When
an incoming call is received, NetDefendOS uses the registration information of the local
receiver to automatically locate this receiver, perform address translation and forward SIP
messages to the receiver. This will be done based on the internal state of the SIP ALG.
The IP rules needed with Record-Route enabled are:
Action Src Interface Src Network Dest Interface Dest Network
OutboundToProxy NAT lan lannet dmz ip_proxy
OutboundFromProxy Allow dmz ip_proxy wan all-nets
InboundFromProxy Allow dmz ip_proxy core dmz_ip
InboundToProxy Allow wan all-nets dmz ip_proxy
With Record-Route disabled, the following IP rules must be added to those above:
Action Src Interface Src Network Dest Interface Dest Network
OutboundBypassProxy NAT lan lannet wan all-nets
InboundBypassProxy Allow wan all-nets core ipdmz
Solution B - Without NAT
The setup steps are as follows:
1. Define a single SIP ALG object using the options described above.
2. Define a Service object which is associated with the SIP ALG object. The service should have:
6.2.8. The SIP ALG Chapter 6. Security Mechanisms
274
