Use of full cone nat, 8 use of full cone nat – Kerio Tech Firewall6 User Manual

Page 98


Chapter 7 Traffic Policy

Figure 7.37 Service definition without a protocol inspector

Figure 7.38 This traffic rule allows accessing the service without protocol inspection

Warning

To disable a protocol inspector, it is not sufficient to define a service that does not use the inspector. Protocol inspectors are applied by default to all traffic of the corresponding protocols. To disable a protocol inspector, special traffic rules must be defined.

7.8 Use of Full cone NAT

However, many applications (especially applications working with multimedia, Voice over IP technologies, etc.) use another traffic method, where other clients can connect (with a direct connection established) to a port "opened" by an outgoing packet. For these cases, WinRoute includes a special mode of address translation, known as Full cone NAT. In this mode, the opened port can be accessed from any IP address and the traffic is always redirected to the corresponding client in the local network.

Use of Full cone NAT may bring a certain security risk. Each connection established in this mode opens a possible passage from the Internet to the local network. To keep security as high as possible, it is therefore necessary to enable Full cone NAT only for particular clients and services. The following example refers to an IP telephone using the SIP protocol.
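The difference between an ordinary (restricted) NAT mapping and a Full cone mapping, and why the manual advises enabling Full cone NAT only for particular clients and services, can be seen in a small simulation. This is an added example, not code from the manual or from WinRoute; the NAT model, the policy set `full_cone_for` and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed packet model: only the fields a NAT needs to see.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto", defaults=("udp",))

@dataclass
class Mapping:
    internal: tuple                          # (client ip, client port)
    external_port: int
    full_cone: bool                          # True: any Internet host may use the port
    peers: set = field(default_factory=set)  # (ip, port) pairs the client itself sent to

class ToyNat:
    """Toy model of the two behaviours: Full cone vs. restricted mappings (constructed)."""
    def __init__(self, public_ip, full_cone_for):
        self.public_ip = public_ip
        # Policy: Full cone NAT only for these (client_ip, proto, dst_port) combinations.
        self.full_cone_for = full_cone_for
        self.by_internal, self.by_external, self.next_port = {}, {}, 40000

    def outbound(self, pkt):
        """Client -> Internet: create the mapping on first use; remember the peer."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        m = self.by_internal.get(key)
        if m is None:
            full = (pkt.src_ip, pkt.proto, pkt.dst_port) in self.full_cone_for
            m = Mapping(key[:2], self.next_port, full)
            self.next_port += 1
            self.by_internal[key] = self.by_external[(m.external_port, pkt.proto)] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return m.external_port

    def inbound(self, pkt):
        """Internet -> public IP: (ip, port) to forward to, or None when dropped."""
        m = self.by_external.get((pkt.dst_port, pkt.proto))
        if m is None:
            return None
        # Full cone: any source is accepted. Restricted: only peers the client contacted.
        if m.full_cone or (pkt.src_ip, pkt.src_port) in m.peers:
            return m.internal
        return None

def demo():
    nat = ToyNat("203.0.113.1", full_cone_for={("192.168.1.20", "udp", 5060)})
    phone_port = nat.outbound(Packet("192.168.1.20", 5060, "198.51.100.5", 5060))  # SIP phone
    ws_port = nat.outbound(Packet("192.168.1.30", 50123, "198.51.100.53", 53))     # workstation DNS
    stranger = "192.0.2.77"  # Internet host the LAN never contacted
    return {
        "sip_call_from_new_peer": nat.inbound(Packet(stranger, 5060, nat.public_ip, phone_port)),
        "stranger_to_workstation": nat.inbound(Packet(stranger, 5353, nat.public_ip, ws_port)),
        "dns_reply_to_workstation": nat.inbound(Packet("198.51.100.53", 53, nat.public_ip, ws_port)),
    }
```

Only the SIP phone's port is reachable from an unknown Internet host; the workstation's mapping accepts replies solely from the DNS server it queried, which is the behaviour a restrictive policy preserves for everything not listed in `full_cone_for`.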

Note: For details on the definition of traffic rules, refer to chapter 7.3.
