9.13. Application Layer Gateway¶
ALG is a feature that allows several applications to work correctly when they pass through the NAT. When an application client sends a private IP address and port in its message, ALG allocates a public IP address and port and translates them in the message. Simply put, ALG does the same thing with application messages as NAT does with the regular IP header. This translation is necessary so that the application server can send a response to a correct public IP address and port.
NAT supports ALG for FTP, TFTP, PPTP, SIP, RTSP, and DNS.
FTP ALG¶
When using NAT44, the subscriber can use the passive
FTP mode to work through the NAT with ALG disabled. Otherwise, if the subscriber uses the active
FTP mode, ALG needs to be enabled. In this case, ALG translates the IP address and port in the PORT
message.
When using NAT64, ALG must be enabled to allow subscribers to use FTP. In this case, ALG translates the IP address and port in the following messages:
EPRT
. In addition to address and port translation, the command itself is changed toPORT
.EPSV
. The command is changed toPASV
.227
(response toPASV
). The command is changed to229
(response toEPSV
).
Commands
- <nat|nat64> inspection ftp enable [{control-port (1-65535)|vrf NAME}]¶
FTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg ftp¶
Display FTP ALG counters information.
Counter
Description
FTP translations
Translation of internal ip:port to external ip:port and vice versa
FTP packets dropped
The number of FTP packets that were dropped
FTP session entries
The number of the sessions established at the moment
FTP session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg ftp¶
Clear FTP ALG counters.
TFTP ALG¶
TFTP does not send IP addresses in its messages, but it is incompatible with Address-and-Port-Dependent Filtering behavior. If this mode is used, TFTP ALG must be enabled to allow users to use TFTP.
Commands
- <nat|nat64> inspection tftp enable [{control-port (1-65535)|vrf NAME}]¶
TFTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg tftp¶
Display TFTP ALG counters information.
Counter
Description
TFTP translations
Translation of internal ip:port to external ip:port and vice versa
TFTP session entries
The number of the sessions established at the moment
TFTP session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg tftp¶
Clear TFTP ALG counters.
PPTP ALG¶
For both NAT44 and NAT64, PPTP ALG must be enabled to allow subscribers to use PPTP. PPTP ALG translates IP address and port in the following messages:
Outgoing-Call-Request
Outgoing-Call-Reply
Call-Clear-Request
Call-Disconnect-Notify
WAN-Error-Notify
Set-Link-Info
Commands
- <nat|nat64> inspection pptp enable [{control-port (1-65535)|vrf NAME}]¶
PPTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg pptp¶
Display counters for PPTP ALG.
Counter
Description
PPTP translations
Translation of internal ip:port to external ip:port and vice versa
PPTP packets dropped
The number of PPTP packets that were dropped
PPTP outgoing call requests
These requests are PPTP control messages sent by the PNS (refers to the remote client) to the PAC (refers to the server) to indicate that an outbound call from the PAC is to be established. See RFC 2637 Section 2.7
PPTP call clear requests
Control message indicates that a particular call is to be disconnected. See RFC 2637 Section 2.12 for reference
PPTP outgoing call replies
Control messages from the PAC to the PNS in response to a received Outgoing-Call-Request message. See RFC 2637 Section 2.8 for reference
PPTP call disconnect notifies
Control message from the PAC to the PNS is issued whenever a call is disconnected. See RFC 2637 Section 2.13 for reference
PPTP session entries
The number of the sessions established at the moment
PPTP session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg pptp¶
Clear PPTP ALG counters.
SIP ALG¶
Warning
The vast majority of SIP clients support NAT-traversal techniques described in RFC 6314, so SIP ALG is not necessary for them. Furthermore, you SHOULD NOT enable SIP ALG unless you have a specific reason to do that because SIP ALG may interfere with NAT traversal techniques.
For both NAT44 and NAT64, SIP ALG translates IP address and port in the following messages:
REGISTER
INVITE
UPDATE
ACK
PRACK
BYE
Commands
- <nat|nat64> inspection sip enable [{control-port (1-65535)|vrf NAME}]¶
SIP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg sip¶
Display SIP ALG counters information.
Counter
Description
SIP translations
Translation of internal ip:port to external ip:port and vice versa
SIP packets dropped
The number of SIP packets that were dropped
SIP session entries
The number of the sessions established at the moment
SIP session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg sip¶
Clear SIP ALG counters.
RTSP ALG¶
Warning
The vast majority of RTSP clients support NAT-traversal techniques described in RFC 7604 and RFC 7825, so RTSP ALG is not necessary for them. Furthermore, you SHOULD NOT enable RTSP ALG unless you have a specific reason to do that because RTSP ALG may interfere with NAT traversal techniques.
For both NAT44 and NAT64, RTSP ALG translates the IP address and port in SETUP
messages.
Commands
- <nat|nat64> inspection rtsp enable [{control-port (1-65535)|vrf NAME}]¶
RTSP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg rtsp¶
Display RTSP ALG counters information.
Counter
Description
RTSP translations
Translation of internal ip:port to external ip:port and vice versa
RTSP packets dropped
The number of RTSP packets that were dropped
RTSP setup messages
These messages are used to specify the transport mechanism for the streamed media. See RFC 2326 Section 10.4 for reference
RTSP session entries
The number of the sessions established at the moment
RTSP session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg rtsp¶
Clear RTSP ALG counters.
DNS ALG¶
When using NAT44, DNS ALG is not necessary for the correct work of DNS protocol because it does not use private IP addresses in its messages. However, when you enable DNS ALG, it tracks DNS requests sent by subscribers and immediately deletes the session when the corresponding DNS response is received. This allows to significantly reduce the number of concurrent sessions in the NAT session table.
When using NAT64, DNS ALG is necessary to process DNS requests sent by subscribers through the NAT. It translates AAAA
requests into A
requests and A
responses into AAAA
responses.
Warning
The correct network architecture for NAT64 involves using a separate DNS64 network element that processes all DNS requests from subscribers. In this case, no DNS requests pass through the NAT, and DNS ALG is not necessary.
Commands
- <nat|nat64> inspection dns enable [{control-port (1-65535)|vrf NAME}]¶
DNS ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg dns¶
Display DNS ALG counters information.
Counter
Description
DNS translations
Translation of internal ip:port to external ip:port and vice versa
DNS reply packets
Display the number of the reply packets
DNS oversized packets
DNS packets consider oversized when the TC flag (1 bit) is set in the DNS header. This flag is set in the reply packet if the server could not put all the necessary information in the packet because of restrictions
DNS amplification packets
Shows how many requests related to DNS amplification were dropped
DNS invalid packets
This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.
DNS session entries
The number of the sessions established at the moment
DNS session creations
The number of the sessions established over a whole period of the operation
- clear <nat|nat64> counters [vrf NAME] alg dns¶
Clear DNS ALG counters.
Additional Considerations¶
Subscribers behind the NAT may experience issues with their VPN connections when using IPsec. It happens because IPsec uses ESP as an underlying protocol, and its payload is encrypted, so it is not possible to implement an ALG that would translate IP/TCP headers inside the ESP header.
To solve this problem, subscribers should enable NAT-traversal in their IPsec VPN clients. The vast majority of them support this functionality as described in RFC 3715 and RFC 3947.