Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone
This example shows how to set up two policies to allow H.323 traffic to pass between IP phone hosts in the internal zone, and the IP phone at IP address 2.2.2.5/32 (and the gatekeeper) in the external zone.
Requirements
Before you begin:
- Understand and configure any Avaya H.323-specific features. See the Administrator Guide for Avaya Communication Manager, Avaya IP Telephony Implementation Guide, and Avaya Application Solutions IP Telephony Deployment Guide at http://support.avaya.com.
- Configure security zones. See Understanding Security Zones.
Overview
Because route mode does not require address mapping of any kind, a device configuration for a gatekeeper in the external, or public, zone is usually identical to the configuration for a gatekeeper in an internal, or private, zone. This example shows how to set up two policies to allow H.323 traffic to pass between IP phone hosts in the internal zone, and the IP phone at IP address 2.2.2.5/32 (and the gatekeeper) in the external zone. The device can be in transparent or route mode. See Figure 15.
Figure 15: H.323 Gatekeeper in Zone 2

Configuration
CLI Quick Configuration
To quickly configure the device to pass H.323 ALG traffic to a gatekeeper in the external zone, copy the following commands and paste them into the CLI:
set security zones security-zone external address-book address IP_Phone 2.2.2.5/32
set security zones security-zone external address-book address gatekeeper 2.2.2.10/32
set security policies from-zone internal to-zone external policy P1 match source-address any
set security policies from-zone internal to-zone external policy P1 match destination-address IP_Phone
set security policies from-zone internal to-zone external policy P1 match application junos-h323
set security policies from-zone internal to-zone external policy P1 then permit
set security policies from-zone internal to-zone external policy P2 match source-address any
set security policies from-zone internal to-zone external policy P2 match destination-address gatekeeper
set security policies from-zone internal to-zone external policy P2 match application junos-h323
set security policies from-zone internal to-zone external policy P2 then permit
set security policies from-zone external to-zone internal policy P3 match source-address IP_Phone
set security policies from-zone external to-zone internal policy P3 match destination-address any
set security policies from-zone external to-zone internal policy P3 match application junos-h323
set security policies from-zone external to-zone internal policy P3 then permit
set security policies from-zone external to-zone internal policy P4 match source-address gatekeeper
set security policies from-zone external to-zone internal policy P4 match destination-address any
set security policies from-zone external to-zone internal policy P4 match application junos-h323
set security policies from-zone external to-zone internal policy P4 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure the device to pass H.323 ALG traffic to a gatekeeper in the external zone:
- Configure two address-book entries in the external zone (both the IP phone and the gatekeeper sit in the external zone, so the policies below can reference them as external-zone addresses).
[edit]
user@host# set security zones security-zone external address-book address IP_Phone 2.2.2.5/32
user@host# set security zones security-zone external address-book address gatekeeper 2.2.2.10/32
- Configure policy P1 from the internal zone to the external zone.
[edit]
user@host# set security policies from-zone internal to-zone external policy P1 match source-address any
user@host# set security policies from-zone internal to-zone external policy P1 match destination-address IP_Phone
user@host# set security policies from-zone internal to-zone external policy P1 match application junos-h323
user@host# set security policies from-zone internal to-zone external policy P1 then permit
- Configure policy P2 to allow traffic between the internal zone and the gatekeeper in the external zone.
[edit]
user@host# set security policies from-zone internal to-zone external policy P2 match source-address any
user@host# set security policies from-zone internal to-zone external policy P2 match destination-address gatekeeper
user@host# set security policies from-zone internal to-zone external policy P2 match application junos-h323
user@host# set security policies from-zone internal to-zone external policy P2 then permit
- Configure policy P3 to allow traffic between phones in the internal zone and the external zone.
[edit]
user@host# set security policies from-zone external to-zone internal policy P3 match source-address IP_Phone
user@host# set security policies from-zone external to-zone internal policy P3 match destination-address any
user@host# set security policies from-zone external to-zone internal policy P3 match application junos-h323
user@host# set security policies from-zone external to-zone internal policy P3 then permit
- Configure policy P4 to allow traffic between phones in the internal zone and the gatekeeper in the external zone.
[edit]
user@host# set security policies from-zone external to-zone internal policy P4 match source-address gatekeeper
user@host# set security policies from-zone external to-zone internal policy P4 match destination-address any
user@host# set security policies from-zone external to-zone internal policy P4 match application junos-h323
user@host# set security policies from-zone external to-zone internal policy P4 then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security policies
...
from-zone internal to-zone external {
policy P1 {
match {
source-address any;
destination-address IP_Phone;
application junos-h323;
}
then {
permit;
}
}
policy P2 {
match {
source-address any;
destination-address gatekeeper;
application junos-h323;
}
then {
permit;
}
}
}
from-zone external to-zone internal {
policy P3 {
match {
source-address IP_Phone;
destination-address any;
application junos-h323;
}
then {
permit;
}
}
policy P4 {
match {
source-address gatekeeper;
destination-address any;
application junos-h323;
}
then {
permit;
}
}
}
...
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying H.323 ALG Configurations
Purpose
Display information about active calls.
Note: H.323 counters for calls and active calls in the output of this show security command do not apply to the proprietary Avaya implementation of H.323. This is because Q.931 setup and connect messages are exchanged right after the phone is powered up, and call creation and teardown are done by Facility messages. Counters for calls and active calls are increased when the resources allocated for calls are increased—that is, messages belonging to the same call that pass the firewall multiple times increment the counters. This applies when resources for a call need to be allocated multiple times. For example, in a two-zone scenario the setup and connect message pair allocates one call resource, and the active call counter is increased by one. But in a three-zone scenario the setup and connect message pair passes the firewall twice, each time allocating different call resources. In this case, the counter is incremented.
Action
From the J-Web interface, select Monitor>ALGs>H323. Alternatively, from the CLI, enter the show security alg h323 counters command.
Counters for H.245 messages received also will not be accurate in the case of H.245 tunneling. Because H.245 messages are encapsulated in Q.931 packets, the counter for H.245 messages received will remain zero even when there are H.245 messages. The Other H245 counter will, however, reflect these packet transmissions.
[edit]
user@host> show security alg h323 counters
H.323 counters summary:
  Packets received          : 0
  Packets dropped           : 0
  RAS message received      : 0
  Q.931 message received    : 0
  H.245 message received    : 0
  Number of calls           : 0
  Number of active calls    : 0
H.323 error counters:
  Decoding errors           : 0
  Message flood dropped     : 0
  NAT errors                : 0
  Resource manager errors   : 0
H.323 message counters:
  RRQ                       : 0
  RCF                       : 0
  ARQ                       : 0
  ACF                       : 0
  URQ                       : 0
  UCF                       : 0
  DRQ                       : 0
  DCF                       : 0
  Oth RAS                   : 0
  Setup                     : 0
  Alert                     : 0
  Connect                   : 0
  CallProd                  : 0
  Info                      : 0
  RelCmpl                   : 0
  Facility                  : 0
  Empty                     : 0
  OLC                       : 0
  OLC-ACK                   : 0
  Oth H245                  : 0
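As an added example that is not part of the Juniper documentation, the following Python parses the show security alg h323 counters output format shown above into a dictionary and applies the two checks an operator reviewing the ALG would want: nonzero drop and error counters (decoding errors, message-flood drops, NAT and resource-manager errors) and the H.245 tunneling caveat described above, where a zero H.245 counter next to a nonzero Oth H245 counter is expected rather than a fault. The sample output and its counter values are constructed for the example.

```python
import re

# Constructed sample of "show security alg h323 counters" output (not captured
# from a real device); values chosen so that the checks below have something to flag.
SAMPLE_OUTPUT = """\
H.323 counters summary:
  Packets received          : 1482
  Packets dropped           : 7
  RAS message received      : 310
  Q.931 message received    : 96
  H.245 message received    : 0
  Number of calls           : 12
  Number of active calls    : 2
H.323 error counters:
  Decoding errors           : 3
  Message flood dropped     : 4
  NAT errors                : 0
  Resource manager errors   : 0
H.323 message counters:
  RRQ                       : 40
  RCF                       : 40
  Setup                     : 12
  Connect                   : 12
  Facility                  : 5
  OLC                       : 0
  Oth H245                  : 58
"""

# One "<name> : <integer>" line; section headers have no value and do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9.\- ]+?)\s*:\s*(\d+)\s*$")

# Counters that should stay at zero on a healthy ALG; any growth deserves a look.
ERROR_COUNTERS = ("Packets dropped", "Decoding errors", "Message flood dropped",
                  "NAT errors", "Resource manager errors")


def parse_h323_counters(text):
    """Return {counter_name: int} parsed from the command output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def check_h323_counters(counters):
    """Return {'errors': [...], 'notes': [...]} for the parsed counters."""
    errors = [f"{name} = {counters[name]}" for name in ERROR_COUNTERS
              if counters.get(name, 0) > 0]
    notes = []
    # H.245 tunneling: H.245 rides inside Q.931, so its own counter stays 0 while
    # "Oth H245" climbs. That pattern is normal, not a sign of lost messages.
    if counters.get("H.245 message received", 0) == 0 and counters.get("Oth H245", 0) > 0:
        notes.append("H.245 tunneling in use: H.245 counter is 0, Oth H245 is nonzero")
    return {"errors": errors, "notes": notes}
```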
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding H.323 ALGs
- H.323 ALG Configuration Overview