Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone

In the following example, you set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the private zone, and an IP phone host (2.2.2.5) in the public zone.

In this example, the J-series device can be in either route or NAT mode. See Figure 67.

Figure 67: H.323 Gatekeeper in Zone1

To configure a gatekeeper in the internal zone, use either J-Web or the CLI Configuration editor.

This topic covers:

• J-Web Configuration
• CLI Configuration
• Related Topics

J-Web Configuration

To configure an address book, to configure a a policy from the internal zone to the external zone, and to configure policies from the external zone to the internal zone using the J-Web configuration editor, follow the sequence of steps listed below:

To configure an address book:

1. Select Configuration > View and Edit > Edit Configuration.

   The Configuration page appears.

2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure or Edit.
4. Next to Security zones, click Add new entry.
5. In the Name box, type public.
6. Next to Address book, click Configure or Edit.
7. Next to Address, click Add new entry.
8. In the Address name box, type ip_phone 2.2.2.5/32 and click OK.

To configure a policy from the internal zone to the external zone:

1. Select Configuration > View and Edit > Edit Configuration.

   The Configuration page appears.

2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure or Edit.
4. Next to Policy, click Add new entry.
5. In the From-zone name box, type private.
6. In the To-zone name box, type public and click OK.
7. Under the From zone name column, click private.
8. Next to Policy, click Add new entry.
9. In the Policy name box, type p1.
10. Select the Match check box.
11. Select the Then check box.
12. Next to Match, click Configure.
13. From the Source address list, select Source address.
14. Next to Source address, click Add new entry.
15. From the Value keyword list, select any and click OK.
16. From the Destination address choice list, select Destination address.
17. Next to destination address, click Add new entry.
18. From the Value keyword list, select Enter Specific Value.
19. In the Address box, type ip_phone and click OK.
20. From the Application choice list, select Application.
21. Next to Application, click Add new entry.
22. In the Value keyword box, type junos-h323 and click OK.
23. Next to Then, click Configure.
24. Next to Action, select permit and click OK.

To configure policies from the external zone to the internal zone:

1. Select Configuration > View and Edit > Edit Configuration.

   The Configuration page appears.

2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure or Edit.
4. Under From zone name column, click private.
5. Next to Policy, click Add new entry.
6. In the From zone name box, type private.
7. In the To zone name box, type public and click OK.
8. Under the From zone name column, click private.
9. Next to Policy, click Add new entry.
10. In the Policy name box, type p2.
11. Select the Match check box.
12. Select the Then check box.
13. Next to Match, click Configure.
14. From the Source address list, select Source address.
15. Next to Source address, click Add new entry.
16. From the Value keyword list, select any and click OK.
17. Next to Destination address, click Add new entry.
18. From the Value keyword list, select Enter Specific Value.
19. In the Address box, type ip_phone and click OK.
20. Next to Application, click Add new entry.
21. In the Value keyword box, type junos-h323 and click OK.
22. Next to Then, click Configure.
23. From the Action list, select permit and click OK.
24. If you are finished configuring the J-series device, commit the configuration.

CLI Configuration

To configure an address book, to configure a policy from the internal zone to the external zone, and to configure policies from the external zone to the internal zone, follow the sequence of steps listed below:

1. Configure an address book.

   user@host# set security zones security-zone public address-book address ip_phone 2.2.2.5/32

2. Configure a policy from the internal zone to the external zone.

   user@host# set security policies from-zone private to-zone public policy p1 match source-address any

   user@host# set security policies from-zone private to-zone public policy p1 match destination-address ip_phone

   user@host# set security policies from-zone private to-zone public policy p1 match application junos-h323

   user@host# set security policies from-zone private to-zone public policy p1 then permit

3. Configure policies from the external zone to the internal zone.

   user@host# set security policies from-zone public to-zone private policy p2 match source-address any

   user@host# set security policies from-zone public to-zone private policy p2 match destination-address ip_phone

   user@host# set security policies from-zone public to-zone private policy p2 match application junos-h323

   user@host# set security policies from-zone public to-zone private policy p2 then permit

4. If you are finished configuring the J-series device, commit the configuration.

Related Topics

• Passing H.323 ALG Traffic to a Gatekeeper in the External Zone
• Using NAT and the H.323 ALG to Enable Outgoing Calls
• Using NAT and the H.323 ALG to Enable Incoming Calls
• Understanding the SIP ALG
• Setting SCCP Inactive Media Timeout
• Configuring a Media Gateway in Subscribers' Homes