However, many applications (especially those working with multimedia, Voice over IP, etc.) use a different traffic pattern, in which other clients connect, once a direct connection has been established, to a port “opened” by an outgoing packet. For these cases, WinRoute includes a special address translation mode known as Full cone NAT. In this mode, the opened port can be accessed from any IP address, and the traffic is always redirected to the corresponding client in the local network.
Use of Full cone NAT carries a certain security risk: each connection established in this mode opens a possible passage from the Internet into the local network. To keep security as high as possible, enable Full cone NAT only for the particular clients and services that need it. The following example refers to an IP telephone using the SIP protocol.
Note: For details on traffic rules definition, refer to chapter 7.3 Definition of Custom Traffic Rules.
In the local network, there is an IP telephone registered to a SIP server in the Internet. The parameters may be as follows:
IP address of the phone: 192.168.1.100
Public IP address of the firewall: 195.192.33.1
SIP server: sip.server.com
Since the firewall performs IP address translation, the telephone is registered on the SIP server with the firewall's public address (195.192.33.1). If another telephone calls this telephone, the connection will go through the firewall's address (195.192.33.1) and the corresponding port. Under normal conditions, such a connection can be established only directly from the SIP server (to which the original outgoing connection for the registration was established). With Full cone NAT, however, any client calling the SIP telephone in the local network can establish such a connection.
Full cone NAT will be enabled by an extremely restrictive traffic rule (to keep the security level as high as possible):
Source — IP address of the SIP telephone in the local network.
Destination — name or IP address of the SIP server in the Internet. Full cone NAT will apply only to connections with this server.
Service — SIP service (for the SIP telephone). Full cone NAT will not apply to any other service.
Action — traffic must be allowed.
Translation — select a source NAT method (see chapter 7.3 Definition of Custom Traffic Rules) and enable the Allow returning packets from any host (Full cone NAT) option.
The rule for Full cone NAT must precede the general NAT rule allowing traffic from the local network to the Internet; rules are matched in order, so if the general rule came first it would match the telephone's traffic and the Full cone rule would never apply.
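The following simulation is an added illustration of the behaviour described above; it is not WinRoute code and does not reflect how WinRoute stores its rules. It models a first-match rule table with the narrow Full cone NAT rule ahead of the general NAT rule, and the inbound behaviour of the resulting mappings: an ordinary mapping accepts return packets only from the host the outbound packet went to, while a Full cone mapping accepts packets to the mapped port from any host. The phone and firewall addresses are the ones from the example; the SIP server address (standing in for sip.server.com), the workstation, the web server, the "other host" and the public port allocation are constructed for the demonstration.

```python
"""Added illustration of Full cone NAT versus ordinary (restricted) source NAT.

This is a small simulation written for this page; it is not WinRoute code.
It models:
  * a first-match traffic rule table in which a narrow Full cone NAT rule
    for the SIP telephone precedes the general NAT rule, and
  * the inbound behaviour of each mapping: an ordinary mapping accepts
    return packets only from the host the outbound packet went to, while a
    Full cone mapping accepts packets to the mapped port from any host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PHONE = "192.168.1.100"           # SIP telephone in the local network (from the page)
FIREWALL_PUBLIC = "195.192.33.1"  # public address of the firewall (from the page)
SIP_SERVER = "203.0.113.10"       # constructed stand-in for sip.server.com (TEST-NET-3)
SIP_PORT = 5060                   # standard SIP signalling port
PC = "192.168.1.50"               # constructed: an ordinary workstation
WEB_SERVER = "198.51.100.20"      # constructed: a web server in the Internet
OTHER_HOST = "198.51.100.7"       # constructed: an unrelated Internet host

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]        # None matches any source address
    dst: Optional[str]        # None matches any destination address
    dst_port: Optional[int]   # None matches any service
    full_cone: bool           # "Allow returning packets from any host"


# Rule order matters: the narrow Full cone rule must come first.
RULES: List[Rule] = [
    Rule("SIP phone -> SIP server (Full cone NAT)", PHONE, SIP_SERVER, SIP_PORT, True),
    Rule("Local network -> Internet (NAT)", None, None, None, False),
]


def match_rule(src: str, dst: str, dst_port: int, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the first rule whose fields match the outbound packet."""
    for rule in rules:
        if rule.src in (None, src) and rule.dst in (None, dst) and rule.dst_port in (None, dst_port):
            return rule
    return None


@dataclass
class Mapping:
    internal: Endpoint    # local client the public port belongs to
    public_port: int      # port on FIREWALL_PUBLIC
    peer: Endpoint        # destination of the outbound packet that created it
    full_cone: bool


class Nat:
    """Minimal source NAT table with per-mapping Full cone behaviour (simplified)."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.table: Dict[int, Mapping] = {}   # public port -> mapping
        self._next_port = 40000               # constructed port allocation

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Mapping]:
        """Translate an outbound packet; create a mapping on first use."""
        rule = match_rule(src, dst, dport, self.rules)
        if rule is None:
            return None                       # no rule allows the traffic
        for m in self.table.values():
            if m.internal == (src, sport):
                return m                      # reuse the existing public port
        m = Mapping((src, sport), self._next_port, (dst, dport), rule.full_cone)
        self.table[m.public_port] = m
        self._next_port += 1
        return m

    def inbound(self, src: str, sport: int, public_port: int) -> Optional[Endpoint]:
        """Decide whether a packet arriving at FIREWALL_PUBLIC:public_port is forwarded."""
        m = self.table.get(public_port)
        if m is None:
            return None                       # no mapping: dropped
        if m.full_cone or m.peer == (src, sport):
            return m.internal                 # forwarded to the local client
        return None                           # restricted mapping: only the peer may answer


def demo() -> dict:
    """Run the scenario from the page and report who can reach whom."""
    nat = Nat()
    phone = nat.outbound(PHONE, SIP_PORT, SIP_SERVER, SIP_PORT)   # SIP registration
    pc = nat.outbound(PC, 51000, WEB_SERVER, 80)                  # ordinary web traffic
    return {
        "phone_full_cone": phone.full_cone,
        "call_from_sip_server": nat.inbound(SIP_SERVER, SIP_PORT, phone.public_port),
        "call_from_other_host": nat.inbound(OTHER_HOST, 5060, phone.public_port),
        "pc_full_cone": pc.full_cone,
        "web_reply_from_peer": nat.inbound(WEB_SERVER, 80, pc.public_port),
        "probe_from_other_host": nat.inbound(OTHER_HOST, 80, pc.public_port),
    }


def demo_wrong_order() -> bool:
    """With the general NAT rule placed first, the phone never gets Full cone NAT."""
    nat = Nat(rules=list(reversed(RULES)))
    return nat.outbound(PHONE, SIP_PORT, SIP_SERVER, SIP_PORT).full_cone


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("phone full cone with rules reversed:", demo_wrong_order())
```

Running the script shows the point of the restrictive rule: only the telephone's mapping to the SIP server is Full cone, so a call arriving from any host reaches the phone, while the workstation's ordinary mapping still answers only its peer and drops probes from other hosts. The reversed-order case shows why the Full cone rule must precede the general rule.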