Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual – Page 101

Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, modify settings through the Modify columns dialog (see chapter 3.2).

Warning

To disable a protocol inspector, it is not sufficient to define a service that would not use the inspector! By default, protocol inspectors are applied to all traffic of the corresponding protocols. To disable a protocol inspector, special traffic rules must be defined.

7.8 Use of Full cone NAT

However, many applications (especially multimedia applications, Voice over IP technologies, etc.) use a different traffic method in which other clients can connect directly to a port “opened” by an outgoing packet. For these cases, WinRoute includes a special address translation mode known as Full cone NAT. In this mode, the opened port can be accessed from any IP address, and the traffic is always redirected to the corresponding client in the local network.

Use of Full cone NAT brings a certain security risk: each connection established in this mode opens a possible passage from the Internet into the local network. To keep security as high as possible, enable Full cone NAT only for particular clients and services. The following example refers to an IP telephone using the SIP protocol.

Note: For details on traffic rule definition, refer to chapter 7.3.

Example: SIP telephone in local network

In the local network, there is an IP telephone registered to a SIP server in the Internet. The parameters may be as follows:

IP address of the phone: 192.168.1.100
Public IP address of the firewall: 195.192.33.1
SIP server: sip.server.com

Since the firewall performs IP address translation, the telephone is registered on the SIP server with the firewall’s public address (195.192.33.1). If another telephone calls this telephone, the connection goes through the firewall’s address (195.192.33.1) and the corresponding port. Under normal conditions, such a connection can be established only directly from the SIP server (to which the original outgoing connection for the registration was established). With Full cone NAT, however, any client calling the SIP telephone in the local network can establish such a connection.
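The following model is an added illustration, not WinRoute code, of the difference the manual describes: under normal translation only the host the phone contacted (the SIP server) can send traffic back through the opened port, whereas a Full cone mapping forwards packets from any Internet address to the phone. It uses the section's values (phone 192.168.1.100, firewall 195.192.33.1, SIP on UDP port 5060); the SIP server address 203.0.113.10, the caller address 198.51.100.7 and the public port range starting at 40000 are constructed placeholders, and the rule set that grants Full cone only per client and service is a modelling assumption that mirrors the "particular clients and services only" advice above.

```python
"""Toy model of address-restricted NAT versus Full cone NAT (added example,
not WinRoute code).  Section values: phone 192.168.1.100, firewall
195.192.33.1, SIP on UDP 5060.  Constructed: 203.0.113.10 stands in for
sip.server.com, 198.51.100.7 is an unrelated caller, public ports start at 40000.
"""
from dataclasses import dataclass, field

PHONE_IP = "192.168.1.100"
FIREWALL_PUBLIC_IP = "195.192.33.1"
SIP_SERVER_IP = "203.0.113.10"   # constructed stand-in for sip.server.com
CALLER_IP = "198.51.100.7"       # constructed: another telephone on the Internet
SIP_PORT = 5060


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    proto: str
    internal: tuple     # (ip, port) of the LAN client
    public_port: int    # port "opened" on the firewall's public address
    remote: tuple       # (ip, port) the outgoing packet was sent to
    full_cone: bool     # True if a Full cone rule matched the outgoing packet


@dataclass
class Nat:
    # Full cone is granted only to (proto, client_ip, dst_port) triples listed
    # here, i.e. per client and service; everything else is address-restricted.
    full_cone_rules: set = field(default_factory=set)
    mappings: dict = field(default_factory=dict)   # (proto, public_port) -> Mapping
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN -> Internet packet, creating the mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        m = next((x for x in self.mappings.values() if (x.proto, *x.internal) == key), None)
        if m is None:
            full_cone = (pkt.proto, pkt.src_ip, pkt.dst_port) in self.full_cone_rules
            m = Mapping(pkt.proto, (pkt.src_ip, pkt.src_port), self.next_port,
                        (pkt.dst_ip, pkt.dst_port), full_cone)
            self.mappings[(pkt.proto, self.next_port)] = m
            self.next_port += 1
        return Packet(pkt.proto, FIREWALL_PUBLIC_IP, m.public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Return the packet as delivered into the LAN, or None if the NAT drops it."""
        m = self.mappings.get((pkt.proto, pkt.dst_port))
        if m is None or pkt.dst_ip != FIREWALL_PUBLIC_IP:
            return None
        # Normal behaviour: only the host the client originally contacted may answer.
        if not m.full_cone and pkt.src_ip != m.remote[0]:
            return None
        ip, port = m.internal
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)

    def exposed(self) -> list:
        """Audit: every (client, public port) reachable from any Internet address."""
        return sorted((m.internal[0], m.public_port) for m in self.mappings.values() if m.full_cone)


def sip_scenario(full_cone_for_phone: bool) -> dict:
    """Run the section's SIP example with or without a Full cone rule for the phone."""
    nat = Nat()
    if full_cone_for_phone:
        nat.full_cone_rules.add(("udp", PHONE_IP, SIP_PORT))
    # Registration: the phone's outgoing packet opens a port on the firewall.
    reg = nat.outbound(Packet("udp", PHONE_IP, SIP_PORT, SIP_SERVER_IP, SIP_PORT))
    opened = reg.src_port
    from_server = nat.inbound(Packet("udp", SIP_SERVER_IP, SIP_PORT, FIREWALL_PUBLIC_IP, opened))
    from_caller = nat.inbound(Packet("udp", CALLER_IP, SIP_PORT, FIREWALL_PUBLIC_IP, opened))
    # A second LAN host without a Full cone rule stays unreachable for the caller.
    other = nat.outbound(Packet("udp", "192.168.1.50", SIP_PORT, SIP_SERVER_IP, SIP_PORT))
    to_other = nat.inbound(Packet("udp", CALLER_IP, SIP_PORT, FIREWALL_PUBLIC_IP, other.src_port))
    return {
        "opened_port": opened,
        "server_reaches_phone": from_server is not None and from_server.dst_ip == PHONE_IP,
        "caller_reaches_phone": from_caller is not None and from_caller.dst_ip == PHONE_IP,
        "caller_reaches_other_host": to_other is not None,
        "exposed": nat.exposed(),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("Full cone for phone:", mode, sip_scenario(mode))
```

Running it shows the point of the restrictive rule: with Full cone disabled the caller's packet is dropped and only the SIP server reaches the phone; with Full cone granted to the phone alone, the caller reaches the phone but still not the second LAN host, and `exposed()` lists exactly one passage from the Internet into the local network, which is what an administrator should expect to see after applying such a rule.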

Full cone NAT will be enabled by an extremely restrictive traffic rule (to keep the security level as high as possible):
