Kerio Tech Firewall6 User Manual
Page 99
7.8 Use of Full cone NAT
99
Example: SIP telephone in local network
In the local network, there is an IP telephone registered to an SIP server in the Internet. The
parameters may be as follows:
•
IP address of the phone: 192.168.1.100
•
Public IP address of the firewall: 195.192.33.1
•
SIP server: sip.server.com
Since the firewall performs IP address translation, the telephone is registered on the SIP server
with the firewall’s public address (195.192.33.1). If there is a call from another telephone
to this telephone, the connection will go through the firewall’s address (195.192.33.1) and
the corresponding port. Under normal conditions, such connection can be established only
directly from the SIP server (to which the original outgoing connection for the registration was
established). However, use of Full cone NAT allows such connection for any client calling to
the SIP telephone in the local network.
Full cone NAT will be enabled by an extremely restrictive traffic rule (to keep the security level
as high as possible):
Figure 7.39
Definition of a Full cone NAT traffic rule
•
Source — IP address of an SIP telephone in the local network.
•
Destination — name or IP address of an SIP server in the Internet. Full cone NAT will
apply only to connection with this server.
•
Service — SIP service (for an SIP telephone). Full cone NAT will not apply to any other
services.
•
Action — traffic must be allowed.
•
Translation — select a source NAT method (see chapter
) and enable the Allow
returning packets from any host (Full cone NAT) option.
Rule for Full cone NAT must precede the general rule with NAT allowing traffic from the local
network to the Internet.