Example: Configuring Interface-Based DIP (NSM Procedure)
In this example, you configure an interface-based DIP on the Untrust interface of the security device, and then configure a firewall rule that permits SIP traffic from the Untrust zone to the Trust zone and references the interface DIP. You also configure a rule that permits SIP traffic from the Trust to the Untrust zone using NAT source, which enables hosts in the Trust zone to register with the proxy in the Untrust zone.
Add a NetScreen-208 device named Office A. Choose Model when adding each device and configure as running ScreenOS 5.1.
Configure ethernet1 (Trust Zone) for Office A:
Double-click Office A device to open the device configuration. In the device navigation tree, select Network > Interface.
Double-click ethernet1. The General Properties screen appears.
Configure IP address/netmask as 10.1.1.1/24 and Interface mode as NAT.
Click OK to save your changes.
Configure ethernet3 (Untrust Zone) for Office A:
Double-click ethernet3. The General Properties screen appears.
Configure IP address/netmask as 22.214.171.124/24.
In the interface navigation tree, select NAT > DIP, and then click the Interface DIP tab.
Select Incoming NAT.
Click OK to save your changes to the interface, and then click OK again to save your changes to the device.
Create a Global DIP to reference the Interface DIP on Office A. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the Interface DIP for an individual device.
In the navigation tree, select Object Manager > NAT Objects > DIP.
Click the Add icon to display the new Global DIP dialog box.
Configure the Global DIP.
Configure firewall rules:
Rule 1 handles outgoing SIP traffic, and uses the outgoing interface to perform NAT.
Rule 2 handles incoming SIP traffic, and uses the Interface DIP as the destination to perform NAT.
SIP is a predefined service that uses port 5060 as the destination port. To specify the SIP service in the Service column of a firewall rule, you must select the predefined service group VoIP, which includes the H.323 and SIP service objects.