Applications, such as QQ and MSN, are available:
Client-A in the Trust zone uses private IP address 192.168.1.1 to access the server at 202.101.1.1 in the Untrust zone with NAT outbound implemented. UDP sessions, such as 192.168.1.1 :8001[202.101.2.1 :8002]->202.101.1.1 :8003 are established. At this time, the server notifies Client-B in the Untrust zone of launching an access to port 8002 on Client-A at 202.101.2.1. Because Client-B cannot match sessions established during Client-A's access to the server, Client-B fails to access Client-A.
To meet the requirements of these applications, you can configure the user-define function in the interzone to enable Client-B in the Untrust zone to access Client-A in the Trust zone. The user-define function is implemented through ACLs. If Client-A launches an access to the server, it matches the configured ACL and creates a server map entry during session establishment. This server map entry contains the source IP address and port (through which Client-A launches access) and the IP address and port after NAT (UDP:192.168.1.1:8001[202.101.2.1:8002]). Before the server map entry ages, Client-B matches the server map entry if launching an access to Client-A. In this way, packets can be correctly forwarded to Client-A, and sessions between Client-B and Client-A are established.
For applications, such as QQ and MSN, the communication, that is, short message transmitting, between the client and the server is relayed through the server. To perform audio and video functions, clients establish connections in between. Therefore, if public users launch audio or video requests to private users, run the detect qq/detect msn or detect user-define command in the interzone.
