9.13. Application Layer Gateway

ALG is a feature that allows several applications to work correctly when they pass through the NAT. When an application client sends a private IP address and port in its message, ALG allocates a public IP address and port and translates them in the message. Simply put, ALG does the same thing with application messages as NAT does with the regular IP header. This translation is necessary so that the application server can send a response to a correct public IP address and port.

NAT supports ALG for FTP, TFTP, PPTP, SIP, RTSP, and DNS.

FTP ALG

When using NAT44, a subscriber in passive FTP mode works through the NAT with ALG disabled, because the subscriber opens the data connection itself and only the server's public address appears in the control channel. If the subscriber uses active FTP mode, ALG must be enabled: in this case, ALG translates the private IP address and port carried in the PORT command.

When using NAT64, ALG must be enabled to allow subscribers to use FTP. In this case, ALG translates the IP address and port in the following messages:

  • EPRT. In addition to address and port translation, the command itself is changed to PORT.

  • EPSV. The command is changed to PASV.

  • 227 (response to PASV). The response code is changed to 229 (response to EPSV).
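The control-channel rewrites described above, as an added example rather than the product's own code; the binding table and addresses are constructed, and the NAT44 path handles only the active-mode PORT command, as the text states.

```python
import re

# Constructed binding table: (internal ip, port) -> (external ip, port).
# A real NAT takes these from its session table; the values here are made up.
BINDINGS = {
    ("10.0.0.5", 50000): ("203.0.113.7", 40001),        # NAT44 subscriber
    ("2001:db8::5", 50000): ("203.0.113.7", 40002),     # NAT64 subscriber
}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPRT_RE = re.compile(r"^EPRT \|2\|([0-9A-Fa-f:]+)\|(\d+)\|$")
R227_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _h_p(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form of PORT/227 into (ip, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def _port_arg(ip, port):
    """Encode ip:port back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def translate_ftp_line(line, mode):
    """Rewrite one FTP control-channel line the way the ALG does; mode is "nat44" or "nat64".
    Lines that need no translation come back unchanged. A data-channel address with no NAT
    binding raises LookupError (the ALG would drop the packet: "FTP packets dropped")."""
    line = line.rstrip("\r\n")
    if mode == "nat44":                       # active mode only: PORT carries a private ip:port
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = _h_p(m.groups())
        ext = BINDINGS.get((ip, port))
        if ext is None:
            raise LookupError(f"no binding for {ip}:{port}")
        return "PORT " + _port_arg(*ext)
    # NAT64: the IPv6 client speaks EPRT/EPSV, the IPv4 server only understands PORT/PASV.
    m = EPRT_RE.match(line)
    if m:
        ext = BINDINGS.get((m.group(1), int(m.group(2))))
        if ext is None:
            raise LookupError(f"no binding for {m.group(1)}:{m.group(2)}")
        return "PORT " + _port_arg(*ext)
    if line == "EPSV":
        return "PASV"
    m = R227_RE.match(line)
    if m:                                     # 229 carries only the port; the client reuses
        _ip, port = _h_p(m.groups())          # the control-connection address for data
        return f"229 Entering Extended Passive Mode (|||{port}|)"
    return line
```

Because the rewritten line changes length, a real ALG also has to adjust TCP sequence and acknowledgement numbers on the control connection for the rest of the session.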

Commands

<nat|nat64> inspection ftp enable [{control-port (1-65535)|vrf NAME}]

FTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg ftp

Display FTP ALG counters.

Counter                  Description
-----------------------  ----------------------------------------------------------------------
FTP translations         Translations of internal ip:port to external ip:port and vice versa
FTP packets dropped      The number of FTP packets that were dropped
FTP session entries      The number of sessions currently established
FTP session creations    The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg ftp

Clear FTP ALG counters.

TFTP ALG

TFTP does not send IP addresses in its messages, but it is incompatible with the Address-and-Port-Dependent Filtering behavior: the TFTP server answers from a freshly chosen port rather than from the port the request was sent to, so the reply does not match the filter entry and is dropped. If this filtering mode is used, TFTP ALG must be enabled to allow users to use TFTP.

Commands

<nat|nat64> inspection tftp enable [{control-port (1-65535)|vrf NAME}]

TFTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg tftp

Display TFTP ALG counters.

Counter                  Description
-----------------------  ----------------------------------------------------------------------
TFTP translations        Translations of internal ip:port to external ip:port and vice versa
TFTP session entries     The number of sessions currently established
TFTP session creations   The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg tftp

Clear TFTP ALG counters.

PPTP ALG

For both NAT44 and NAT64, PPTP ALG must be enabled to allow subscribers to use PPTP. PPTP ALG translates the IP address and port in the following messages:

  • Outgoing-Call-Request

  • Outgoing-Call-Reply

  • Call-Clear-Request

  • Call-Disconnect-Notify

  • WAN-Error-Notify

  • Set-Link-Info

Commands

<nat|nat64> inspection pptp enable [{control-port (1-65535)|vrf NAME}]

PPTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg pptp

Display counters for PPTP ALG.

Counter                        Description
-----------------------------  -------------------------------------------------------------------
PPTP translations              Translations of internal ip:port to external ip:port and vice versa
PPTP packets dropped           The number of PPTP packets that were dropped
PPTP outgoing call requests    Control messages sent by the PNS (the remote client) to the PAC
                               (the server) to indicate that an outbound call from the PAC is to
                               be established. See RFC 2637, section 2.7
PPTP call clear requests       Control messages indicating that a particular call is to be
                               disconnected. See RFC 2637, section 2.12
PPTP outgoing call replies     Control messages from the PAC to the PNS in response to a received
                               Outgoing-Call-Request message. See RFC 2637, section 2.8
PPTP call disconnect notifies  Control messages from the PAC to the PNS issued whenever a call is
                               disconnected. See RFC 2637, section 2.13
PPTP session entries           The number of sessions currently established
PPTP session creations         The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg pptp

Clear PPTP ALG counters.

SIP ALG

Warning

The vast majority of SIP clients support the NAT-traversal techniques described in RFC 6314, so SIP ALG is not necessary for them. Furthermore, you SHOULD NOT enable SIP ALG unless you have a specific reason to, because SIP ALG may interfere with those NAT-traversal techniques.

For both NAT44 and NAT64, SIP ALG translates the IP address and port in the following messages:

  • REGISTER

  • INVITE

  • UPDATE

  • ACK

  • PRACK

  • BYE

Commands

<nat|nat64> inspection sip enable [{control-port (1-65535)|vrf NAME}]

SIP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg sip

Display SIP ALG counters.

Counter                  Description
-----------------------  ----------------------------------------------------------------------
SIP translations         Translations of internal ip:port to external ip:port and vice versa
SIP packets dropped      The number of SIP packets that were dropped
SIP session entries      The number of sessions currently established
SIP session creations    The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg sip

Clear SIP ALG counters.

RTSP ALG

Warning

The vast majority of RTSP clients support the NAT-traversal techniques described in RFC 7604 and RFC 7825, so RTSP ALG is not necessary for them. Furthermore, you SHOULD NOT enable RTSP ALG unless you have a specific reason to, because RTSP ALG may interfere with those NAT-traversal techniques.

For both NAT44 and NAT64, RTSP ALG translates the IP address and port in SETUP messages.

Commands

<nat|nat64> inspection rtsp enable [{control-port (1-65535)|vrf NAME}]

RTSP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg rtsp

Display RTSP ALG counters.

Counter                  Description
-----------------------  ----------------------------------------------------------------------
RTSP translations        Translations of internal ip:port to external ip:port and vice versa
RTSP packets dropped     The number of RTSP packets that were dropped
RTSP setup messages      The number of SETUP messages, which specify the transport mechanism for
                         the streamed media. See RFC 2326, section 10.4
RTSP session entries     The number of sessions currently established
RTSP session creations   The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg rtsp

Clear RTSP ALG counters.

DNS ALG

When using NAT44, DNS ALG is not required for DNS to work correctly, because DNS messages do not carry private IP addresses. However, when DNS ALG is enabled, it tracks the DNS requests sent by subscribers and deletes each session as soon as the corresponding DNS response is received, instead of waiting for the UDP session timeout. This significantly reduces the number of concurrent entries in the NAT session table.

When using NAT64, DNS ALG is necessary to process DNS requests sent by subscribers through the NAT. It translates AAAA requests into A requests and A responses into AAAA responses.

Warning

The correct network architecture for NAT64 involves using a separate DNS64 network element that processes all DNS requests from subscribers. In this case, no DNS requests pass through the NAT, and DNS ALG is not necessary.

Commands

<nat|nat64> inspection dns enable [{control-port (1-65535)|vrf NAME}]

DNS ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg dns

Display DNS ALG counters.

Counter                    Description
-------------------------  --------------------------------------------------------------------
DNS translations           Translations of internal ip:port to external ip:port and vice versa
DNS reply packets          The number of DNS reply packets
DNS oversized packets      A packet is considered oversized when the TC (truncation) flag is set
                           in its DNS header. The server sets this flag in a reply when it could
                           not fit all the necessary information into the packet because of size
                           restrictions
DNS amplification packets  The number of requests classified as DNS amplification that were dropped
DNS invalid packets        Incremented when the NAT detects an invalid DNS packet, for example a
                           packet with no DNS header, or one whose number of resource records does
                           not match the counts in the header
DNS session entries        The number of sessions currently established
DNS session creations      The number of sessions established over the whole period of operation

clear <nat|nat64> counters [vrf NAME] alg dns

Clear DNS ALG counters.
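An added example, not the product's code, showing the NAT64 DNS ALG rewrite described above (AAAA requests to A requests, A responses to AAAA responses) together with the oversized and invalid checks behind the counters; it assumes the well-known NAT64 prefix 64:ff9b::/96 and uses a constructed sample reply.

```python
import struct
from ipaddress import IPv6Address

NAT64_PREFIX = IPv6Address("64:ff9b::")   # assumption: the well-known prefix of RFC 6052
TYPE_A, TYPE_AAAA, TC = 1, 28, 0x0200

# Constructed sample: reply to "example.com A?" = 192.0.2.1, RR name compressed to the question.
SAMPLE_A_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # header
                     b"\x07example\x03com\x00\x00\x01\x00\x01"                # question
                     b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")  # A RR

def _skip_name(pkt, off):                 # offset just past a wire-format name
    while True:
        n = pkt[off]                      # IndexError if the name runs off the packet
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:              # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def nat64_dns_alg(pkt, from_subscriber):
    """Return (verdict, packet); verdict is 'invalid', 'oversized' or 'ok' as the counters
    classify it. For 'ok' the packet is rewritten: AAAA question -> A towards the IPv4 server;
    A question and A answers -> AAAA (IPv4 embedded in NAT64_PREFIX) towards the subscriber."""
    if len(pkt) < 12:
        return "invalid", pkt             # no DNS header at all
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", pkt[2:12])
    if flags & TC:
        return "oversized", pkt           # the server truncated its reply
    src, dst = (TYPE_AAAA, TYPE_A) if from_subscriber else (TYPE_A, TYPE_AAAA)
    out, off = bytearray(pkt[:12]), 12
    try:
        for _ in range(qd):
            end = _skip_name(pkt, off)
            qtype, qclass = struct.unpack("!HH", pkt[end:end + 4])
            out += pkt[off:end] + struct.pack("!HH", dst if qtype == src else qtype, qclass)
            off = end + 4
        for _ in range(an + ns + ar):
            end = _skip_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[end:end + 10])
            rdata = pkt[end + 10:end + 10 + rdlen]
            if not from_subscriber and rtype == TYPE_A and rdlen == 4:
                rtype, rdata = TYPE_AAAA, (NAT64_PREFIX + int.from_bytes(rdata, "big")).packed
            out += pkt[off:end] + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
            off = end + 10 + rdlen
    except (IndexError, struct.error):
        return "invalid", pkt             # a name or record runs past the end of the packet
    if off != len(pkt):
        return "invalid", pkt             # header counts disagree with the records present
    return "ok", bytes(out)
```

Compression pointers into an RR placed after a rewritten A record would shift by 12 bytes and are not adjusted here; pointers into the question section, which is what servers normally emit, are unaffected. The rewritten datagram also needs its UDP length and checksum recomputed, which the NAT does at the transport layer.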

Additional Considerations

Subscribers behind the NAT may experience issues with their IPsec VPN connections. This happens because IPsec uses ESP as the underlying protocol, and the ESP payload is encrypted, so it is not possible to implement an ALG that would translate the IP/TCP headers carried inside ESP.

To solve this problem, subscribers should enable NAT traversal in their IPsec VPN clients. The vast majority of clients support this functionality, as described in RFC 3715 and RFC 3947.