Figure 10.4 SIP ALG for firewall traversal
The other alternative to an ALG, which proxies both the signaling and media, is to use a SIP firewall proxy that communicates with the firewall or NAT. The firewall proxy performs any authentication, authorization, and so on, and then parses the SIP messages for the source and destination IP addresses and port numbers of the RTP packets. For example, the source and destination IP addresses and port numbers can be obtained from the SDP in the INVITE and 200 OK messages. The firewall proxy then tells the firewall to open pinholes to let only those RTP packets pass. The firewall proxy also maintains the NAT address binding, and modifies the SDP accordingly so that the RTP packets can be sent directly between the UAs. Upon session termination with a BYE, the firewall proxy tells the firewall to close the pinholes and the NAT to remove the address binding. There is currently no standard protocol for communication between the SIP proxy and the firewall/NAT.
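To make the firewall-proxy sequence just described concrete (media addresses parsed from the SDP of the INVITE and the 200 OK, pinholes opened only for those addresses and ports, the NAT binding reflected in the rewritten offer, and teardown on BYE), here is an added Python example; it is not code from the book. The FirewallProxy class, its method names, the inside-network check, and the addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7 are all assumptions for illustration, and the proxy-to-firewall communication is modeled as a plain Python set because, as the text notes, no standard protocol exists for it.

```python
# Added example, not from the book: a toy SIP firewall proxy that derives RTP
# pinholes from the SDP in an INVITE and its 200 OK, rewrites the offer with a
# NAT binding, and releases both on BYE. Class/function names, the addresses
# (203.0.113.10 "public", 10.0.0.0/8 "inside", 198.51.100.7 remote) and the
# sample messages are constructed; the firewall is modeled as a Python set.
import ipaddress
import re

CALL_ID = re.compile(r"^Call-ID:[ \t]*(\S+)", re.M | re.I)
SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(r"^m=audio (\d+) ", re.M)
CONTENT_LEN = re.compile(r"^Content-Length:[^\r\n]*", re.M | re.I)

def split_sip(msg):
    """Split a SIP message into (headers, body) at the blank line."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no header/body separator")
    return head, body

def call_id_of(msg):
    m = CALL_ID.search(split_sip(msg)[0])
    if not m:
        raise ValueError("SIP message has no Call-ID header")
    return m.group(1)

def parse_sdp_media(msg):
    """Return (ip, port) of the audio RTP stream named in the SDP body."""
    _, body = split_sip(msg)
    conn, audio = SDP_CONN.search(body), SDP_AUDIO.search(body)
    if not conn or not audio:
        raise ValueError("SDP body lacks a c= or m=audio line")
    return conn.group(1), int(audio.group(1))

def rewrite_sdp_media(msg, ip, port):
    """Point the SDP c=/m=audio lines at a new address and fix Content-Length."""
    head, body = split_sip(msg)
    body = SDP_CONN.sub(f"c=IN IP4 {ip}", body)
    body = SDP_AUDIO.sub(f"m=audio {port} ", body)
    head = CONTENT_LEN.sub(f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body

class FirewallProxy:
    def __init__(self, public_ip, inside_net, first_port=30000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self._next_port = first_port
        self.calls = {}        # Call-ID -> {"inside", "binding", "outside"}
        self.pinholes = set()  # frozenset({(ip, port), (ip, port)}) pairs the firewall passes

    def on_invite(self, msg):
        """Inside UA's offer: allocate a NAT binding and rewrite the SDP."""
        inside = parse_sdp_media(msg)
        # Only bind for hosts in the protected network; otherwise a UA could
        # have the firewall open holes toward arbitrary addresses.
        if ipaddress.ip_address(inside[0]) not in self.inside_net:
            raise ValueError(f"SDP address {inside[0]} is not an inside host")
        binding = (self.public_ip, self._next_port)
        self._next_port += 2  # keep the odd port free for RTCP
        self.calls[call_id_of(msg)] = {"inside": inside, "binding": binding, "outside": None}
        return rewrite_sdp_media(msg, *binding)

    def on_200_ok(self, msg):
        """Outside UA's answer: both ends are now known, so open the pinhole."""
        call = self.calls[call_id_of(msg)]
        call["outside"] = parse_sdp_media(msg)
        self.pinholes.add(frozenset({call["binding"], call["outside"]}))
        return msg  # the answer already names the outside UA; no rewrite needed

    def on_bye(self, msg):
        """Session over: close the pinhole and drop the NAT binding."""
        call = self.calls.pop(call_id_of(msg))
        if call["outside"]:
            self.pinholes.discard(frozenset({call["binding"], call["outside"]}))
        return call["binding"]

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """Would the firewall pass this RTP packet? Exact pinhole matches only."""
        return frozenset({(src_ip, src_port), (dst_ip, dst_port)}) in self.pinholes

def sample_message(start_line, ip, port, call_id="c1@example.invalid"):
    """Constructed SIP message with a minimal SDP body (not a real capture)."""
    body = f"v=0\r\no=ua 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0\r\n"
    head = f"{start_line}\r\nCall-ID: {call_id}\r\nContent-Type: application/sdp\r\nContent-Length: {len(body.encode())}"
    return head + "\r\n\r\n" + body

def demo():
    """Walk the Figure 10.4 flow and return the firewall's decision at each stage."""
    fw = FirewallProxy("203.0.113.10", "10.0.0.0/8")
    offer = fw.on_invite(sample_message("INVITE sip:b@example.invalid SIP/2.0", "10.0.0.5", 49170))
    before = fw.permits("198.51.100.7", 5004, "203.0.113.10", 30000)   # 200 OK not yet seen
    fw.on_200_ok(sample_message("SIP/2.0 200 OK", "198.51.100.7", 5004))
    during = fw.permits("198.51.100.7", 5004, "203.0.113.10", 30000)
    stray = fw.permits("198.51.100.9", 5004, "203.0.113.10", 30000)    # unrelated host
    fw.on_bye("BYE sip:b@example.invalid SIP/2.0\r\nCall-ID: c1@example.invalid\r\nContent-Length: 0\r\n\r\n")
    after = fw.permits("198.51.100.7", 5004, "203.0.113.10", 30000)
    return {"offer_media": parse_sdp_media(offer), "before": before,
            "during": during, "stray": stray, "after": after}
```

Running `demo()` shows the pinhole is closed until the 200 OK supplies the far end's address, open only for that exact address and port pair while the session lasts, and closed again after the BYE. The check in `on_invite` that the offered address lies inside the protected network is the one a practitioner should insist on: the proxy is opening holes on the user's say-so, so it must not accept SDP that names a host it does not protect. The parser deliberately handles only the first IPv4 `m=audio` line; a real deployment also has to track RTCP, multiple media lines, and re-INVITEs that change the media address.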
For these types of firewall traversal to work, the Contact header of the UA behind the firewall either must be set by the UA to resolve to the IP address of the ALG or firewall proxy, or the ALG or firewall proxy must Record-Route. A proxy inserts a Record-Route header containing an entry that resolves
[Figure 10.4 message flow between Client, SIP ALG, Firewall and Server: 1 INVITE sdp A; 2 INVITE sdp ALG; 3 100 Trying; 4 180 Ringing; 5 180 Ringing; 6 200 OK sdp B; 7 200 OK sdp ALG; 8 ACK; 9 ACK; Media Session; 10 BYE; 11 BYE; 12 200 OK; 13 200 OK; No More Media Session.]
[Figure annotation: Firewall permits SIP and RTP signaling to the ALG proxy only - all other SIP and RTP packets are blocked. Also works for NAT traversal.]
NAT and Firewall Traversal 181