Chapter 21 ALG
ZyWALL USG 300 User’s Guide
• There should be only one SIP server (total) on the ZyWALL's private networks. Any other SIP servers must be on the WAN. So, for example, you could have a Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the DMZ or on the LAN, but not on both.
• Using the SIP ALG allows you to use bandwidth management on SIP traffic.
• The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. You can also make other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same
• The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows peer-to-peer calls from the LAN zone to go to the WAN zone and blocks peer-to-peer calls from the WAN zone to the LAN zone.
• The SIP ALG allows UDP packets with a specified port destination to pass
• The ZyWALL allows SIP audio connections.
• You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the ZyWALL when you enable the SIP ALG.
• Configuring the SIP ALG to use custom port numbers for SIP traffic also configures the application patrol (see Chapter 32 on page 547) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic.
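As an added illustration of what the bullets above say the SIP ALG does for calls that cross NAT, here is a toy Python model. It is example code written for the reader of this guide, not ZyXEL firmware: it rewrites the private address in the Via, Contact and SDP c= fields to the WAN address, opens a UDP pinhole for the RTP port named in the SDP m= line (the "UDP packets with a specified port destination" the ALG lets through), and drops any other unsolicited UDP from the WAN, which is the default WAN-to-LAN policy. All addresses are constructed (RFC 5737 documentation ranges), and keeping the same port number for the pinhole is a simplification of what a real ALG may do.

```python
"""Toy SIP ALG model: added example, not ZyXEL code.

Shows the NAT fix-up an ALG performs on a LAN -> WAN INVITE and the UDP
pinhole it opens so the far end's RTP audio can reach the phone.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LAN_PHONE = "192.168.1.10"   # constructed LAN phone address
WAN_IP = "203.0.113.1"       # constructed WAN address (RFC 5737 range)


def build_invite(lan_ip: str) -> str:
    """Constructed INVITE as a phone behind NAT would send it: every
    address it knows about is its own private one."""
    body = "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {lan_ip}",
        "s=-",
        f"c=IN IP4 {lan_ip}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
        "",
    ])
    head = "\r\n".join([
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {lan_ip}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.net>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710@alice.example.net",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{lan_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ])
    return head + "\r\n\r\n" + body


@dataclass
class SipAlg:
    wan_ip: str
    # Open pinholes: ("udp", wan_port) -> (lan_ip, lan_port)
    pinholes: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, msg: str, lan_ip: str) -> str:
        """Rewrite a LAN -> WAN SIP request and open pinholes for its media."""
        head, _, body = msg.partition("\r\n\r\n")

        body_lines = []
        for line in body.split("\r\n"):
            if line == f"c=IN IP4 {lan_ip}":
                # Media address: the far end sends RTP here, so it must be
                # the WAN address. (o= is informational and left alone.)
                line = f"c=IN IP4 {self.wan_ip}"
            m = re.match(r"m=(audio|video) (\d+) ", line)
            if m:
                port = int(m.group(2))
                # Toy simplification: keep the port; a real ALG may allocate
                # a different WAN port and rewrite the m= line to match.
                self.pinholes[("udp", port)] = (lan_ip, port)
            body_lines.append(line)
        new_body = "\r\n".join(body_lines)

        head_lines = []
        for line in head.split("\r\n"):
            name = line.split(":", 1)[0].strip().lower()
            if name in ("via", "contact"):
                # Signalling addresses must be reachable from the WAN.
                line = line.replace(lan_ip, self.wan_ip)
            elif name == "content-length":
                # The rewritten body may differ in length.
                line = f"Content-Length: {len(new_body.encode())}"
            head_lines.append(line)
        return "\r\n".join(head_lines) + "\r\n\r\n" + new_body

    def inbound_udp(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Forwarding target for a UDP datagram arriving at WAN_IP:dst_port,
        or None when it is dropped (no pinhole was opened for that port)."""
        return self.pinholes.get(("udp", dst_port))


if __name__ == "__main__":
    alg = SipAlg(WAN_IP)
    print(alg.outbound(build_invite(LAN_PHONE), LAN_PHONE))
    print("RTP to 49170 ->", alg.inbound_udp(49170))
    print("UDP to 40000 ->", alg.inbound_udp(40000))
```

Running it prints the rewritten INVITE, shows RTP arriving at port 49170 being forwarded to the phone, and shows UDP to an unannounced port being dropped. The pinhole is what makes the TURN bullet above true: the phone needs no relay because the gateway itself learns the media port from the signalling it inspects.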
Peer-to-Peer Calls and the ZyWALL
The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the firewall and NAT (port forwarding) to allow calls from the WAN to a specific IP address on the LAN, you can also use policy routing to have H.323 (or SIP) calls from other LAN or DMZ IP addresses go out through a different WAN IP address. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.
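To make that mechanism concrete, here is an added Python model of the three pieces this section combines: a port-forward rule that lets new calls from the WAN reach one LAN address, policy routes that choose which WAN IP each LAN address calls out from, and the NAT session table that gets the replies back to the right phone. It is example code for the reader, not the ZyWALL's own implementation; the addresses (RFC 5737 ranges), the policy-route key of source address plus destination port, and the port-collision handling are constructed simplifications.

```python
"""Toy model of firewall, NAT and policy routing for VoIP calls: added
example for the reader of this guide, not ZyXEL's implementation.

Constructed addresses (RFC 5737 ranges): two WAN IPs and LAN phones A, B, C.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WAN1, WAN2 = "203.0.113.1", "203.0.113.2"
A, B, C = "192.168.1.10", "192.168.1.11", "192.168.1.12"
SIP = 5060


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Gateway:
    default_wan: str
    # Policy routes: (source LAN IP, destination port) -> WAN IP to use.
    policy_routes: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # Firewall/NAT port-forward rules: (WAN IP, port) -> LAN IP.
    port_forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # NAT session table keyed by the tuple a reply will carry:
    # (WAN IP, WAN port, peer IP, peer port) -> (LAN IP, LAN port).
    sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: pick the egress WAN IP, record the session, translate."""
        wan_ip = self.policy_routes.get((p.src, p.dport), self.default_wan)
        wan_port = p.sport
        key = (wan_ip, wan_port, p.dst, p.dport)
        # Two LAN hosts calling the same peer from the same source port would
        # collide on one WAN IP, so the source port is translated as well.
        while key in self.sessions and self.sessions[key] != (p.src, p.sport):
            wan_port += 1
            key = (wan_ip, wan_port, p.dst, p.dport)
        self.sessions[key] = (p.src, p.sport)
        return Packet(wan_ip, wan_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: return None when the firewall drops the packet."""
        # 1. Reply to a call a LAN host started: the session table says where
        #    it goes, whichever WAN IP the policy route sent the call out of.
        hit = self.sessions.get((p.dst, p.dport, p.src, p.sport))
        if hit:
            lan_ip, lan_port = hit
            return Packet(p.src, p.sport, lan_ip, lan_port)
        # 2. New call from the WAN: allowed only where firewall + NAT forward it.
        lan_ip = self.port_forwards.get((p.dst, p.dport))
        if lan_ip:
            return Packet(p.src, p.sport, lan_ip, p.dport)
        # 3. Anything else is the default WAN -> LAN block.
        return None


def build_gateway() -> Gateway:
    """One LAN phone (A) receives calls on WAN IP 1 and calls out through it;
    two others (B, C) call out through WAN IP 2."""
    return Gateway(
        default_wan=WAN1,
        policy_routes={(A, SIP): WAN1, (B, SIP): WAN2, (C, SIP): WAN2},
        port_forwards={(WAN1, SIP): A},
    )


if __name__ == "__main__":
    gw = build_gateway()
    peer = "198.51.100.7"   # constructed far-end SIP peer
    for phone in (A, B, C):
        out = gw.outbound(Packet(phone, SIP, peer, SIP))
        back = gw.inbound(Packet(peer, SIP, out.src, out.sport))
        print(f"{phone} -> out as {out.src}:{out.sport}, reply lands at {back.dst}")
    print("new call to WAN IP 1:", gw.inbound(Packet("198.51.100.8", SIP, WAN1, SIP)))
    print("new call to WAN IP 2:", gw.inbound(Packet("198.51.100.8", SIP, WAN2, SIP)))
```

The run shows A leaving through WAN IP 1 and B and C through WAN IP 2, each reply returning to the phone that placed the call, a fresh call to WAN IP 1 being forwarded to A by the port-forward rule, and a fresh call to WAN IP 2 being dropped because nothing forwards it.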
For example, you configure the firewall and NAT to allow LAN IP address A to receive calls from the Internet through WAN IP address 1. You also use a policy route to have LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A