Example: Using NAT and the H.323 ALG to Enable Outgoing Calls (CLI)

In this example, the devices in the external zone include the endpoint host (10.1.1.5) and the gatekeeper (10.1.1.25). IP_Phone2 (2.2.2.5) is in Zone 2. You configure the device to allow traffic between the endpoint host IP_Phone1 and the gatekeeper in the external zone and the endpoint host IP_Phone2 in the internal zone.

When the Juniper Networks device uses NAT, a gatekeeper or endpoint device in the external zone has a private address, and when it is in the internal zone, it has a public address. See Figure 17.

1. Configure interfaces.
   user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24user@host# set interfaces fe-1/0/0 unit 0 family inet address 1.1.1.1/24user@host# set security zones security-zone zone1 interfaces ge-0/0/0.0user@host# set security zones security-zone zone2 interfaces fe-1/0/0.0
2. Configure zones.
   user@host# set security zones security-zone zone1 interfaces ge-0/0/0.0user@host# set security zones security-zone zone1 address-book address IP_Phone1 10.1.1.5/32user@host# set security zones security-zone zone1 address-book address gatekeeper 10.1.1.25/32 user@host# set security zones security-zone zone2 interfaces fe-1/0/0.0user@host# set security zones security-zone zone2 address-book address IP_Phone2 2.2.2.5/32user@host# set security zones Global
3. Configure interface NAT.
   user@host# set security nat interface fe-1/0/0.0 static-nat 1.1.1.5/32 host 10.1.1.5/32user@host# set security nat interface fe-1/0/0.0 static-nat 1.1.1.25/32 host 10.1.1.25/32
4. Configure policies.
   user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address IP_Phone1user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address gatekeeperuser@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match destination-address IP_Phone2user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match application junos-h323user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match source-address IP_Phone2user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match destination-address static_nat_1.1.1.5_32user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match destination-address static_nat_1.1.1.25_32user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match application junos-h323user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global then permit
5. If you are finished configuring the device, commit the configuration.

Related Topics

• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Understanding H.323 ALGs
• H.323 ALG Configuration Overview