Example: Configuring the SIP Proxy and NAT in the Public Zone (CLI)

When you locate the SIP proxy server in an external, or public, zone, you will typically want to configure NAT on the interface to that zone.

In this example, phone1 is on the ge-0/0/0.0 interface in the private zone, and the proxy server and phone2 are on the ge-0/0/2.0 interface in the public zone. You configure source NAT on the ge-0/0/2.0 interface in the public zone, then create a policy permitting SIP traffic from the public zone to the private zone and reference the NAT interface. You also create a policy from private to public to allow phone1 to register with the proxy server in the public zone. See Figure 26.

Figure 26: Proxy in the Public Zone


To configure the SIP proxy in the public zone:

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
  2. Configure zones.
    user@host# set security zones security-zone private
    user@host# set security zones security-zone public
    user@host# set security zones security-zone private interfaces ge-0/0/0.0
    user@host# set security zones security-zone public interfaces ge-0/0/2.0
  3. Configure addresses.
    user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
    user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
    user@host# set security zones security-zone public address-book address proxy 1.1.1.3/32
  4. Configure interface source NAT.
    user@host# set security nat source-nat address-persistent
    user@host# set security nat interface ge-0/0/2.0 allow-incoming
  5. Configure policies.
    user@host# set security policies from-zone private to-zone public policy outgoing match source-address phone1
    user@host# set security policies from-zone private to-zone public policy outgoing match destination-address any
    user@host# set security policies from-zone private to-zone public policy outgoing match application junos-sip
    user@host# set security policies from-zone private to-zone public policy outgoing then permit source-nat interface
    user@host# set security policies from-zone public to-zone private policy incoming match source-address any
    user@host# set security policies from-zone public to-zone private policy incoming match destination-address incoming_nat_ge-0/0/2.0
    user@host# set security policies from-zone public to-zone private policy incoming match application junos-sip
    user@host# set security policies from-zone public to-zone private policy incoming then permit
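
A review check for the policies in step 5, added here as an example (it is not Juniper code): it parses the set security policies statements and reports how widely each permit policy from the public zone matches, so a reviewer can confirm that the incoming policy stays limited to junos-sip and the NAT interface address. The function names and the treatment of the public zone as the untrusted side are assumptions of this example.

```python
import re
from collections import defaultdict

# Policy statements from step 5 of this page, one command per line.
PAGE_POLICY_CONFIG = """\
set security policies from-zone private to-zone public policy outgoing match source-address phone1
set security policies from-zone private to-zone public policy outgoing match destination-address any
set security policies from-zone private to-zone public policy outgoing match application junos-sip
set security policies from-zone private to-zone public policy outgoing then permit source-nat interface
set security policies from-zone public to-zone private policy incoming match source-address any
set security policies from-zone public to-zone private policy incoming match destination-address incoming_nat_ge-0/0/2.0
set security policies from-zone public to-zone private policy incoming match application junos-sip
set security policies from-zone public to-zone private policy incoming then permit
"""

POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")

def parse_policies(text):
    """Group policy statements into {(from_zone, to_zone, name): {"match": ..., "then": ...}}."""
    policies = defaultdict(lambda: {"match": defaultdict(list), "then": []})
    for line in text.splitlines():
        m = POLICY_RE.search(line.strip())  # search() tolerates a leading "user@host# " prompt
        if not m:
            continue
        src, dst, name, kind, rest = m.groups()
        if kind == "match":
            field, _, value = rest.partition(" ")
            policies[(src, dst, name)]["match"][field].append(value)
        else:
            policies[(src, dst, name)]["then"].append(rest)
    return policies

def audit_inbound(policies, untrusted="public"):
    """Return (policy, finding) pairs for permit policies whose from-zone is the untrusted zone."""
    findings = []
    for (src, _dst, name), p in sorted(policies.items()):
        if src != untrusted or not any(t.startswith("permit") for t in p["then"]):
            continue
        match = p["match"]
        if not match["application"] or "any" in match["application"]:
            findings.append((name, "application not restricted"))
        if "any" in match["destination-address"]:
            findings.append((name, "destination-address any"))
        if "any" in match["source-address"]:
            findings.append((name, "source-address any"))
    return findings

if __name__ == "__main__":
    print(audit_inbound(parse_policies(PAGE_POLICY_CONFIG)))
```

On the page's configuration the only finding is source-address any on the incoming policy; the application and destination-address matches are what confine that policy.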
