NAT ALG (Application Level Gateways)

This topic is to discuss the following lesson:

Superb lesson Boss…

Hi Rene,

So for NAT ALG, the only extra command is ip virtual-reassembly in, right?

br//zaman

Hello Zaman.

The command ip virtual-reassembly is not related to NAT ALG. This command is used for detecting and preventing several different types of fragmentation attacks. More about this command can be found at the following link.

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-cbac-vfr.html#GUID-0A94C3F4-5D7A-4E85-8FAE-0F8F6EBABACF

In the lesson, R1 employs NAT ALG by default and Rene is showing an example of how it actually functions. No specialized configuration is necessary for NAT ALG to function.

I hope this has been helpful!

Laz

It’s quite surprising, but this autoconfiguration can sometimes cause more issues than it fixes.

I’ve been requested to disable this before to get SIP working.

The command to disable for UDP is:

no ip nat service sip udp port 5060


Hello Chris

Yes, you are correct that NAT ALG can cause some interesting and often unpredictable results. This is usually the case when used in conjunction with some other security appliance such as a firewall where additional NAT or VPN functionality takes place. It is the policy of some networking professionals to disable this service in order to avoid these unpredictable results.

In any case, it is necessary to approach NAT ALG with caution and make sure to take into account all possible contingencies.

I hope this has been helpful!

Laz

Hi,

I can’t understand what the difference is in the configuration between a normal NAT and an ALG NAT.

The communication must be NATed by R1 as with a normal NAT, right?

Thank you

Hello Giovanni

NAT ALG on most (if not all) Cisco IOS routers is enabled by default. This means that you don’t actually have to do anything to configure it. The purpose of this lesson was to show how a router behaves with NAT ALG.

Now with or without NAT ALG, the actual NAT configuration does not change. You still configure it the same way. NAT ALG is actually configured using nat service commands. For example, if you were to disable NAT ALG for SIP (which is one of the most popular uses of ALG), you would issue the following command:

no ip nat service sip udp port 5060

Notice that the NAT ALG configuration includes information such as the application layer protocol for which you want the config to function, as well as the transport layer protocol and the port being used. If you want to re-enable the feature, you would simply issue the same command without the “no” keyword.

Depending on the capabilities of the IOS version and router, you can specify the service and the port that you want to enable/disable the feature for.

For more info on the enabling/disabling/configuration of ALG, take a look at this Cisco documentation.

I hope this has been helpful!

Laz
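As an added illustration of what the SIP ALG does to a message passing through R1 (this is not part of the lesson or of this thread), here is a small Python model of an outbound SIP ALG pass. The addresses and the INVITE are constructed, and the model assumes the NAT leaves UDP port 5060 unchanged, so only the embedded IP addresses are rewritten:

```python
import re

INSIDE_IP = "192.168.1.10"   # constructed: IP phone on the inside of R1
OUTSIDE_IP = "203.0.113.5"   # constructed: R1's outside (translated) address

# Constructed SIP INVITE as the phone sends it. The private address sits inside the
# SIP headers (Via, Contact) and the SDP body (o=, c=), which plain NAT never looks
# at and which the SIP ALG rewrites.
SDP_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}\r\n"
    f"c=IN IP4 {INSIDE_IP}\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    f"Contact: <sip:alice@{INSIDE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def _swap_ip(text: str, old: str, new: str) -> str:
    # Whole-address match only, so 192.168.1.10 does not also hit 192.168.1.100.
    return re.sub(rf"\b{re.escape(old)}\b", new, text)


def sip_alg_rewrite(msg: str, inside_ip: str, outside_ip: str, alg_enabled: bool = True) -> str:
    """Simplified model of an outbound SIP ALG pass. With the ALG off (the thread's
    'no ip nat service sip udp port 5060') only the IP header is translated and the
    payload goes out untouched, so the far end learns the private address."""
    if not alg_enabled:
        return msg
    head, sep, body = msg.partition("\r\n\r\n")
    lines = [
        _swap_ip(line, inside_ip, outside_ip) if line.startswith(("Via:", "Contact:")) else line
        for line in head.split("\r\n")
    ]
    new_body = _swap_ip(body, inside_ip, outside_ip)  # o= and c= lines in the SDP
    new_head = "\r\n".join(lines)
    # The address swap changes the body size, so Content-Length has to be patched
    # as well; a stale value makes the receiver truncate or over-read the SDP.
    new_head = re.sub(r"(?m)^Content-Length:\s*\d+", f"Content-Length: {len(new_body)}", new_head)
    return new_head + sep + new_body
```

Run with alg_enabled=False to see what the SIP peer receives when the ALG has been disabled: the private address survives in the SDP, which is the usual reason media fails one way.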