Overview of the Application Layer Gateway (ALG) that details its purpose and features.
Vyatta NOS Application Layer Gateway (ALG) is a software protocol that provides network address and port translations in the IP packet payloads for the supported applications. The packet payloads allow supported applications to work as expected across a Network Address Translation (NAT) boundary.
When you configure NAT, the ALG protocol detects that an application-specific packet flow originates within the private area of the NAT boundary. If the packet matches with an IP protocol or with the configured destination port, the packet is forwarded to a specific ALG for deep packet inspection. If required, the ALG rewrites the packet payload that uses an appropriate translation network address and a port address. It also rewrites the checksums, TCP sequence, or acknowledgment numbers, and the packet is forwarded to its destination address. You may see different packet lengths on packets that are delivered to the public side of a NAT configuration because certain application protocols are text based.
Several common application protocols consist of multiple packet flows. For example, when a packet contains various protocol commands, an application may consist of a control flow. These command packets may result in one of more secondary packet flows that are related to the control flow. The ALG protocol identifies these applications and creates connections between the sessions that are established for these flows.
When an ALG inspects a control flow, it recognizes that a secondary flow may begin at some point in the future. In that case, the ALG protocol creates an entry in the ALG flow table. When the secondary flow begins, the ALG is notified, and it creates a session that is appropriate for the secondary flow. The established session allows secondary flows to be established regardless of whether they originate from the private or public side of a NAT boundary.
The ALG protocol also creates a firewall pinhole to enable these ALG secondary flows through which these ALG secondary flows can pass. These firewall pinholes are valid only for the duration of the secondary flow, and after the flow is completed, the pinholes are removed.