Technical Documentation

• Downloads
• Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure)    

• Related Topics
• Example: Configuring Interface-Based DIP (NSM Procedure)
• Interface Network Address Translation Using DIPs

Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure)

In this example, you configure a DIP pool on the Untrust interface to perform NAT on incoming SIP calls. After creating the DIP pool and Global DIP object, you configure a firewall rule to permit SIP traffic from the Untrust zone to the Trust zone and reference the DIP pool. You also configure a rule to permit SIP traffic from the Trust to the Untrust zone, which enables hosts in the Trust zone to register with the proxy in the Untrust zone.

1. Add a NetScreen-204 device named Office B. Choose Model when adding each device and configure as running ScreenOS 5.1.
2. Configure ethernet1 (Trust Zone) for Office B:
   • Double-click Office B device to open the device configuration. In the device navigation tree, select Network > Interface.
   • Double-click ethernet1. The General Properties screen appears.
   • Configure IP address/netmask as 10.1.1.1/24 and Interface mode as NAT.
   • Click OK to save your changes.
3. Configure ethernet3 (Untrust Zone) for Office B:
   • Double-click ethernet3. The General Properties screen appears.
   • Configure IP address/netmask as 1.1.1.1/24.
4. In the interface navigation tree, select NAT > DIP, and then click the Add icon. The new DIP Pool dialog box appears. Configure as detailed below:
5. Enter the DIP ID.
6. Add multiple DIP ranges for a particular DIP ID:
   • Enable the Multiple DIP Range check box.
   • Click the Add icon to display the New MultiRange of DIP dialog box.
   • Enter the identification range for Rang ID.
   • For Lower IP, enter the same IP address as the subnet interface IP address.
   • For Upper IP, enter the same IP address as the subnet interface IP address.
7. For Start, enter 1.1.1.20.
8. For End, enter 1.1.1.40.
9. For Shift From, enter 1.1.1.20.
10. For Scale-Size, enter 1.
11. Select the Fixed Port check box.

    Note: The Fixed Port is enabled by default while adding multiple DIP range for a DIP ID.

12. For Extended IP, enter 211.10.1.10.
13. For Netmask, enter 24.
14. Select Incoming NAT.
15. Click OK.
16. Create a Global DIP to reference the Incoming NAT DIP on Office B. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the Incoming NAT DIP for an individual device.
    • In the navigation tree, select Object Manager > NAT Objects > DIP.
    • Click the Add icon to display the new Global DIP dialog box.
17. Configure the Global DIP.
18. Configure firewall rules:
    • Rule 1 handles outgoing SIP traffic and uses the outgoing interface to perform NAT.
    • Rule 2 handles incoming SIP traffic and uses the interface DIP to perform NAT.