Example: Configuring a Source NAT Pool for Incoming SIP Calls (CLI)

In a two-zone scenario with the Session Initiation Protocol (SIP) proxy server in an external, or public, zone, you can use Network Address Translation (NAT) for incoming calls by configuring a NAT pool on the interface to the public zone.

In this example, phone1 is in the private zone, and phone2 and the proxy server are in the public zone. You configure a source NAT pool on the ge-0/0/2.0 interface to do NAT on incoming calls, then set a policy permitting SIP traffic from the public zone to the private zone and reference the NAT pool in the policy. You also create a policy that permits SIP traffic from the private to the public zone. This enables phone1 in the private zone to register with the proxy in the public zone. See Figure 23.

Figure 23: Source NAT Pool for Incoming Calls


To configure a source NAT pool for incoming calls:

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
    user@host# set security zones security-zone private interface ge-0/0/0.0
  2. Configure addresses.
    user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
    user@host# set security zones security-zone public address-book address proxy 10.1.1.3/32
    user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
  3. Configure zones.
    user@host# set security zones security-zone private
    user@host# set security zones security-zone public
    user@host# set security zones security-zone private interfaces ge-0/0/0.0
    user@host# set security zones security-zone public interfaces ge-0/0/2.0
  4. Configure the source NAT pool.
    user@host# set security nat source-nat address-persistent
    user@host# set security nat interface ge-0/0/2.0 source-nat pool sip-pool address-range low 1.1.1.20 high 1.1.1.60
    user@host# set security nat interface ge-0/0/2.0 source-nat pool sip-pool allow incoming
  5. Configure policies.
    user@host# set security policies from-zone private to-zone public policy outgoing match source-address phone1 destination-address any application junos-sip
    user@host# set security policies from-zone private to-zone public policy outgoing then permit source-nat pool sip-pool
    user@host# set security policies from-zone public to-zone private policy incoming match source-address any destination-address incoming-nat-sip-pool application junos-sip
    user@host# set security policies from-zone public to-zone private policy incoming then permit
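
The policy statements in step 5 only take effect when a policy's match and then statements sit under the same from-zone/to-zone pair and the pool named in the action is defined. The following Python check is an added example, not part of the original procedure or of any Juniper tooling; the function name `audit`, its `untrust` parameter, and the three checks it performs are assumptions of this example.

```python
import re
from collections import defaultdict

POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (match|then) (.+)")
POOL_DEF = re.compile(r"set security nat interface \S+ source-nat pool (\S+) ")
POOL_REF = re.compile(r"source-nat pool (\S+)")

def audit(config, untrust="public"):
    """Return a list of findings for a block of Junos `set` commands."""
    policies, pools = defaultdict(dict), set()
    for line in map(str.strip, config.splitlines()):
        if m := POOL_DEF.match(line):
            pools.add(m.group(1))
        elif m := POLICY.match(line):
            src, dst, name, part, rest = m.groups()
            policies[(src, dst, name)][part] = rest
    findings = []
    for (src, dst, name), parts in sorted(policies.items()):
        where = f"{src}->{dst} policy {name}"
        # A policy needs match and then under the same from-zone/to-zone pair.
        findings += [f"{where}: no '{p}' statement"
                     for p in ("match", "then") if p not in parts]
        # A pool named in the action must be defined on an interface.
        ref = POOL_REF.search(parts.get("then", ""))
        if ref and ref.group(1) not in pools:
            findings.append(f"{where}: undefined pool {ref.group(1)}")
        # Traffic from the untrusted zone should not match any destination.
        if src == untrust and "destination-address any" in parts.get("match", ""):
            findings.append(f"{where}: destination-address any from {untrust}")
    return findings

# Constructed sample: the pool and policy statements, one command per line.
GOOD = """
set security nat interface ge-0/0/2.0 source-nat pool sip-pool allow incoming
set security policies from-zone private to-zone public policy outgoing match source-address phone1 destination-address any application junos-sip
set security policies from-zone private to-zone public policy outgoing then permit source-nat pool sip-pool
set security policies from-zone public to-zone private policy incoming match source-address any destination-address incoming-nat-sip-pool application junos-sip
set security policies from-zone public to-zone private policy incoming then permit
"""
# Constructed variant: the match statement entered under the reverse zone pair.
SPLIT = GOOD.replace("from-zone public to-zone private policy incoming match",
                     "from-zone private to-zone public policy incoming match")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("SPLIT", SPLIT)):
        print(label, audit(cfg) or "no findings")
```
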
