Kerio Tech Firewall6 User Manual


7.8 Use of Full cone NAT


Example: SIP telephone in local network

In the local network, there is an IP telephone registered to an SIP server in the Internet. The parameters may be as follows:

IP address of the phone: 192.168.1.100
Public IP address of the firewall: 195.192.33.1
SIP server: sip.server.com

Since the firewall performs IP address translation, the telephone is registered on the SIP server with the firewall's public address (195.192.33.1). If there is a call from another telephone to this telephone, the connection will go through the firewall's address (195.192.33.1) and the corresponding port. Under normal conditions, such a connection can be established only directly from the SIP server (to which the original outgoing connection for the registration was established). However, use of Full cone NAT allows such a connection for any client calling the SIP telephone in the local network.

Full cone NAT will be enabled by an extremely restrictive traffic rule (to keep the security level as high as possible):

Figure 7.39 Definition of a Full cone NAT traffic rule

Source — IP address of the SIP telephone in the local network.
Destination — name or IP address of the SIP server in the Internet. Full cone NAT will apply only to connections with this server.
Service — SIP service (for the SIP telephone). Full cone NAT will not apply to any other services.
Action — traffic must be allowed.
Translation — select a source NAT method (see chapter 7.3) and enable the Allow returning packets from any host (Full cone NAT) option.

The rule for Full cone NAT must precede the general NAT rule allowing traffic from the local network to the Internet; otherwise the general rule would match the telephone's traffic first and the Full cone option would never take effect.
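The following is an added example, not code from the manual or from Kerio: a small Python model of first-match traffic rules and a source-NAT translation table, used to show why the restrictive Full cone rule only affects the phone's SIP traffic, why a third-party caller is dropped when the option is off, and why the rule must sit above the general NAT rule. The resolved address of sip.server.com, the caller address, the extra LAN host and the external port pool are constructed placeholders; the "without Full cone, only the host the mapping was opened to may send back" behaviour is a simplification assumed for the model.

```python
# Added example (not Kerio's code): toy model of how the Full cone NAT rule from
# section 7.8 interacts with the general NAT rule. The SIP server address and all
# port numbers except 5060 are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PHONE = "192.168.1.100"           # IP address of the phone (from the manual)
FIREWALL_PUBLIC = "195.192.33.1"  # public IP address of the firewall (from the manual)
SIP_SERVER = "203.0.113.10"       # constructed: assumed resolved address of sip.server.com
SIP_PORT = 5060                   # standard SIP signalling port

Endpoint = Tuple[str, int]


@dataclass
class Rule:
    """One traffic rule; None in a match field means 'any'."""
    name: str
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    full_cone: bool   # the "Allow returning packets from any host" option


@dataclass
class Mapping:
    """One source-NAT translation held by the firewall."""
    internal: Endpoint    # private address:port behind the firewall
    external_port: int    # port on FIREWALL_PUBLIC used for the translation
    opened_to: Endpoint   # remote endpoint the first outbound packet went to
    full_cone: bool


class ToyNat:
    def __init__(self, rules):
        self.rules = list(rules)
        self.table: Dict[int, Mapping] = {}
        self._next_port = 40000   # constructed external port pool

    def match_rule(self, src: str, dst: str, dport: int) -> Optional[Rule]:
        """First-match semantics: the order of the rules decides which one applies."""
        for r in self.rules:
            if r.src in (None, src) and r.dst in (None, dst) and r.dport in (None, dport):
                return r
        return None

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Mapping]:
        """Outbound packet from the LAN: returns the mapping used, or None if dropped."""
        rule = self.match_rule(src, dst, dport)
        if rule is None:
            return None
        for m in self.table.values():
            if m.internal == (src, sport):
                return m   # reuse the existing translation for this internal socket
        m = Mapping((src, sport), self._next_port, (dst, dport), rule.full_cone)
        self.table[m.external_port] = m
        self._next_port += 1
        return m

    def inbound(self, remote: str, rport: int, ext_port: int) -> Optional[Endpoint]:
        """Packet arriving at FIREWALL_PUBLIC:ext_port; returns the LAN endpoint it is
        forwarded to, or None if dropped. Assumed simplification: without Full cone NAT
        only the host the mapping was opened to may send packets back."""
        m = self.table.get(ext_port)
        if m is None:
            return None
        if m.full_cone or m.opened_to[0] == remote:
            return m.internal
        return None


# The restrictive rule from Figure 7.39 and the general LAN-to-Internet NAT rule.
FULL_CONE_RULE = Rule("SIP full cone", PHONE, SIP_SERVER, SIP_PORT, full_cone=True)
GENERAL_NAT_RULE = Rule("LAN to Internet", None, None, None, full_cone=False)


def call_reaches_phone(rules, caller: str = "198.51.100.7") -> bool:
    """Register the phone, then check whether a call from a third-party host gets through."""
    nat = ToyNat(rules)
    reg = nat.outbound(PHONE, SIP_PORT, SIP_SERVER, SIP_PORT)   # registration to the SIP server
    return nat.inbound(caller, SIP_PORT, reg.external_port) == (PHONE, SIP_PORT)


if __name__ == "__main__":
    print("full cone rule first:", call_reaches_phone([FULL_CONE_RULE, GENERAL_NAT_RULE]))  # True
    print("general rule first  :", call_reaches_phone([GENERAL_NAT_RULE, FULL_CONE_RULE]))  # False
```

Running the block prints True for the correct ordering and False for the reversed one. With the rules in the right order, the phone's SIP registration is the only translation that accepts packets from arbitrary hosts; a web connection from another LAN host, or the phone talking to the SIP server on a non-SIP port, falls through to the general rule and keeps the ordinary restricted behaviour.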
