9.13. Application Layer Gateway
Application Layer Gateway (ALG) is a feature that allows certain applications to work correctly when their traffic passes through the NAT. When an application client sends its private IP address and port inside a message, ALG allocates a public IP address and port and translates them in that message. Simply put, ALG does for application messages what NAT does for the IP header. This translation is necessary so that the application server can send its response to the correct public IP address and port.
NAT supports ALG for FTP, TFTP, PPTP, SIP, RTSP, and DNS.
FTP ALG
When using NAT44, a subscriber can use passive FTP mode to work through the NAT with ALG disabled. If the subscriber uses active FTP mode, ALG must be enabled; in this case, ALG translates the IP address and port in the PORT message.
When using NAT64, ALG must be enabled to allow subscribers to use FTP. In this case, ALG translates the IP address and port in the following messages:
- EPRT. In addition to the address and port translation, the command itself is changed to PORT.
- EPSV. The command is changed to PASV.
- 227 (response to PASV). The response code is changed to 229 (response to EPSV).
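As an added example (not code from this page or from the product it documents), the following Python models the NAT64 FTP ALG rewriting described above: EPRT becomes PORT carrying the allocated public IPv4 endpoint, EPSV becomes PASV, and a 227 reply becomes a 229 reply. The public address and the allocation helper are assumptions; the functions also return the change in TCP payload length, which a real ALG must apply to the sequence and acknowledgement numbers of later segments on the control connection.

```python
import re
from ipaddress import IPv4Address

# Constructed NAT64 binding for the example (not from the page): the subscriber's
# announced IPv6 data endpoint is mapped to this public IPv4 address.
PUBLIC_V4 = IPv4Address("198.51.100.7")

def alloc_public(v6addr: str, port: int):
    """Model the NAT allocating a public ip:port for an internal endpoint.
    A real NAT records this in its session table; here the port is kept as is."""
    return PUBLIC_V4, port

def translate_client_command(line: str, allocate=alloc_public):
    """Rewrite one client->server FTP command line as the NAT64 FTP ALG does.
    Returns (new_line, tcp_seq_delta): the rewrite changes the TCP payload
    length, so a real ALG must offset the seq/ack numbers of later segments."""
    body = line.rstrip("\r\n")
    cmd, _, arg = body.partition(" ")
    new = body
    if cmd.upper() == "EPSV":
        new = "PASV"                      # EPSV -> PASV, nothing to translate
    elif cmd.upper() == "EPRT":
        # EPRT |2|<ipv6>|<port>| (RFC 2428); protocol family 2 is IPv6
        m = re.fullmatch(r"\|2\|([0-9A-Fa-f:]+)\|(\d{1,5})\|", arg)
        if not m:
            raise ValueError("EPRT must carry an IPv6 endpoint on the NAT64 side")
        pub_ip, pub_port = allocate(m.group(1), int(m.group(2)))
        h = str(pub_ip).replace(".", ",")
        new = f"PORT {h},{pub_port // 256},{pub_port % 256}"
    new += "\r\n"
    return new, len(new) - len(line)

def translate_server_reply(line: str):
    """Rewrite a server->client 227 reply into a 229 reply. Only the port is
    kept: with EPSV the client connects to the same host as the control
    connection, which on the IPv6 side is the NAT64 representation of the server."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        return line, 0
    port = int(m.group(5)) * 256 + int(m.group(6))
    new = f"229 Entering Extended Passive Mode (|||{port}|)\r\n"
    return new, len(new) - len(line)
```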
Commands
- <nat|nat64> inspection ftp enable [{control-port (1-65535)|vrf NAME}]
FTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg ftp
Display FTP ALG counters.

| Counter | Description |
| --- | --- |
| FTP translations | Translations of an internal ip:port to an external ip:port and vice versa |
| FTP packets dropped | The number of FTP packets that were dropped |
| FTP session entries | The number of sessions currently established |
| FTP session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg ftp
Clear FTP ALG counters.
TFTP ALG
TFTP does not send IP addresses in its messages, but it is incompatible with the Address-and-Port-Dependent Filtering behavior: the TFTP server answers from a newly chosen source port rather than from the port the client sent its request to, so under this filtering mode the reply does not match the external endpoint of the session and is dropped. If this mode is used, TFTP ALG must be enabled to allow users to use TFTP.
Commands
- <nat|nat64> inspection tftp enable [{control-port (1-65535)|vrf NAME}]
TFTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg tftp
Display TFTP ALG counters.

| Counter | Description |
| --- | --- |
| TFTP translations | Translations of an internal ip:port to an external ip:port and vice versa |
| TFTP session entries | The number of sessions currently established |
| TFTP session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg tftp
Clear TFTP ALG counters.
PPTP ALG
For both NAT44 and NAT64, PPTP ALG must be enabled to allow subscribers to use PPTP. PPTP ALG translates the IP address and port in the following messages:
- Outgoing-Call-Request
- Outgoing-Call-Reply
- Call-Clear-Request
- Call-Disconnect-Notify
- WAN-Error-Notify
- Set-Link-Info
Commands
- <nat|nat64> inspection pptp enable [{control-port (1-65535)|vrf NAME}]
PPTP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg pptp
Display PPTP ALG counters.

| Counter | Description |
| --- | --- |
| PPTP translations | Translations of an internal ip:port to an external ip:port and vice versa |
| PPTP packets dropped | The number of PPTP packets that were dropped |
| PPTP outgoing call requests | Control messages sent by the PNS (the remote client) to the PAC (the server) to indicate that an outbound call from the PAC is to be established. See RFC 2637, Section 2.7 |
| PPTP call clear requests | Control messages indicating that a particular call is to be disconnected. See RFC 2637, Section 2.12 |
| PPTP outgoing call replies | Control messages from the PAC to the PNS in response to a received Outgoing-Call-Request message. See RFC 2637, Section 2.8 |
| PPTP call disconnect notifies | Control messages from the PAC to the PNS issued whenever a call is disconnected. See RFC 2637, Section 2.13 |
| PPTP session entries | The number of sessions currently established |
| PPTP session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg pptp
Clear PPTP ALG counters.
SIP ALG
Warning
The vast majority of SIP clients support the NAT-traversal techniques described in RFC 6314, so SIP ALG is not necessary for them. Furthermore, you SHOULD NOT enable SIP ALG unless you have a specific reason to do so, because SIP ALG may interfere with those NAT-traversal techniques.
For both NAT44 and NAT64, SIP ALG translates the IP address and port in the following messages:
- REGISTER
- INVITE
- UPDATE
- ACK
- PRACK
- BYE
Commands
- <nat|nat64> inspection sip enable [{control-port (1-65535)|vrf NAME}]
SIP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg sip
Display SIP ALG counters.

| Counter | Description |
| --- | --- |
| SIP translations | Translations of an internal ip:port to an external ip:port and vice versa |
| SIP packets dropped | The number of SIP packets that were dropped |
| SIP session entries | The number of sessions currently established |
| SIP session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg sip
Clear SIP ALG counters.
RTSP ALG
Warning
The vast majority of RTSP clients support the NAT-traversal techniques described in RFC 7604 and RFC 7825, so RTSP ALG is not necessary for them. Furthermore, you SHOULD NOT enable RTSP ALG unless you have a specific reason to do so, because RTSP ALG may interfere with those NAT-traversal techniques.
For both NAT44 and NAT64, RTSP ALG translates the IP address and port in SETUP messages.
Commands
- <nat|nat64> inspection rtsp enable [{control-port (1-65535)|vrf NAME}]
RTSP ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg rtsp
Display RTSP ALG counters.

| Counter | Description |
| --- | --- |
| RTSP translations | Translations of an internal ip:port to an external ip:port and vice versa |
| RTSP packets dropped | The number of RTSP packets that were dropped |
| RTSP setup messages | SETUP messages specify the transport mechanism for the streamed media. See RFC 2326, Section 10.4 |
| RTSP session entries | The number of sessions currently established |
| RTSP session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg rtsp
Clear RTSP ALG counters.
DNS ALG
When using NAT44, DNS ALG is not necessary for DNS to work correctly, because the protocol does not carry private IP addresses in its messages. However, when DNS ALG is enabled, it tracks DNS requests sent by subscribers and deletes the session as soon as the corresponding DNS response is received. This significantly reduces the number of concurrent sessions in the NAT session table.
When using NAT64, DNS ALG is necessary to process DNS requests sent by subscribers through the NAT. It translates AAAA requests into A requests and A responses into AAAA responses.
Warning
The correct network architecture for NAT64 involves using a separate DNS64 network element that processes all DNS requests from subscribers. In this case, no DNS requests pass through the NAT, and DNS ALG is not necessary.
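As an added example (not the page's or the product's code), this Python function parses a DNS message on the wire, classifies it the way the DNS counters below do (oversized when the TC bit is set, invalid when the record counts do not match the payload), and performs the NAT64 rewrite described above: AAAA questions become A questions in queries, and A records become AAAA records in replies. It goes slightly beyond the text by also rewriting the question section of a reply back to AAAA, so the IPv6 client sees the type it asked for. The 64:ff9b::/96 prefix and the use of the QR bit to tell direction are assumptions; a real ALG would key the direction on the tracked session.

```python
import struct

# 64:ff9b::/96, the well-known NAT64 prefix (RFC 6052). The page names no
# prefix, so this choice is an assumption of the example.
NAT64_PREFIX = bytes.fromhex("0064ff9b") + bytes(8)
TYPE_A, TYPE_AAAA = 1, 28

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + n

def dns_alg(msg: bytes):
    """Classify and translate one DNS message as a NAT64 DNS ALG would.
    Returns (counter, message): the page's counter that would be incremented
    ('translations', 'oversized' or 'invalid') and the (possibly rewritten) packet."""
    if len(msg) < 12:
        return "invalid", msg
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    if flags & 0x0200:                  # TC set: the server could not fit the reply
        return "oversized", msg
    is_reply = bool(flags & 0x8000)     # QR bit; a real ALG uses the tracked session
    # Queries: AAAA -> A. Replies: A -> AAAA (question section and A records).
    q_from, q_to = (TYPE_A, TYPE_AAAA) if is_reply else (TYPE_AAAA, TYPE_A)
    out, off = bytearray(msg[:12]), 12
    try:
        for _ in range(qd):
            end = _skip_name(msg, off)
            qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
            out += msg[off:end] + struct.pack("!HH", q_to if qtype == q_from else qtype, qclass)
            off = end + 4
        for _ in range(an + ns + ar):
            end = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[end:end + 10])
            rdata = msg[end + 10:end + 10 + rdlen]
            if is_reply and rtype == TYPE_A and rdlen == 4:
                rtype, rdata = TYPE_AAAA, NAT64_PREFIX + rdata    # synthesize AAAA
            out += msg[off:end] + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
            off = end + 10 + rdlen
    except (IndexError, struct.error):
        return "invalid", msg           # header counts claim more records than are present
    if off != len(msg):                 # payload length disagrees with the header counts
        return "invalid", msg
    return "translations", bytes(out)
```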
Commands
- <nat|nat64> inspection dns enable [{control-port (1-65535)|vrf NAME}]
DNS ALG is disabled by default. This command enables it.
- show <nat|nat64> counters [vrf NAME] alg dns
Display DNS ALG counters.

| Counter | Description |
| --- | --- |
| DNS translations | Translations of an internal ip:port to an external ip:port and vice versa |
| DNS reply packets | The number of DNS reply packets |
| DNS oversized packets | A DNS packet is considered oversized when the TC (truncation) bit is set in the DNS header. The server sets this bit in a reply when it could not fit all the necessary information into the packet because of size restrictions |
| DNS amplification packets | The number of requests dropped because they were related to DNS amplification |
| DNS invalid packets | Incremented when the security appliance detects an invalid DNS packet, for example a packet with no DNS header, or one whose number of resource records does not match the counts in the header |
| DNS session entries | The number of sessions currently established |
| DNS session creations | The number of sessions established over the whole period of operation |

- clear <nat|nat64> counters [vrf NAME] alg dns
Clear DNS ALG counters.
Additional Considerations
Subscribers behind the NAT may experience issues with their IPsec VPN connections. This happens because IPsec uses ESP as the underlying protocol, and the ESP payload is encrypted, so it is not possible to implement an ALG that would translate the IP/TCP headers carried inside it.
To solve this problem, subscribers should enable NAT traversal in their IPsec VPN clients. The vast majority of them support this functionality, as described in RFC 3715 and RFC 3947.