Example: Configuring a Three-Zone SIP ALG and NAT Scenario (CLI)
In a three-zone SIP configuration, the SIP proxy server is typically in a different zone than the calling and called parties. Such a scenario requires additional address and zone configuration, and policies to ensure that all parties have access to each other and to the proxy server.
In this example, phone1 is on the ge-0/0/0 interface in the private zone, phone2 is on the ge-0/0/2 interface in the public zone, and the proxy server is on the ge-0/0/1.0 interface in the DMZ. You configure static NAT on the ge-0/0/1 interface to phone1 in the private zone. You then create policies from the private zone to the DMZ and from the DMZ to the private zone, from the public zone to the DMZ and from the DMZ to the public zone, and from the private zone to the public zone. The arrows in Figure 27 show the flow of SIP signaling traffic when phone2 in the public zone places a call to phone1 in the private zone. After the session is initiated, the media flows directly between phone1 and phone2.
Figure 27: Three-Zone SIP Configuration with Proxy in the DMZ

To configure a three-zone SIP scenario:
- Configure interfaces.
  user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
  user@host# set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24
  user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
- Configure zones.
  user@host# set security zones security-zone private interfaces ge-0/0/0.0
  user@host# set security zones security-zone public interfaces ge-0/0/2.0
  user@host# set security zones security-zone dmz interfaces ge-0/0/1.0
- Configure addresses.
  user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
  user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
  user@host# set security zones security-zone dmz address-book address proxy 2.2.2.4/32
- Configure static NAT.
  user@host# set security nat static rule-set incoming-SIP from zone dmz
  user@host# set security nat static rule-set incoming-SIP rule phone1 match destination-address 2.2.2.3/32
  user@host# set security nat static rule-set incoming-SIP rule phone1 then static-nat prefix 10.1.1.3/32
- Configure interface NAT for communication from phone1 to proxy.
  user@host# set security nat source rule-set sip-phones from zone private
  user@host# set security nat source rule-set sip-phones to zone dmz
  user@host# set security nat source rule-set sip-phones rule phone1 match source-address 10.1.1.3/32
  user@host# set security nat source rule-set sip-phones rule phone1 then source-nat interface
- Configure interface NAT for communication from phone1 to phone2.
  user@host# set security nat source rule-set sip-phones from zone private
  user@host# set security nat source rule-set sip-phones to zone public
  user@host# set security nat source rule-set sip-phones rule phone1 match source-address 10.1.1.3/32
  user@host# set security nat source rule-set sip-phones rule phone1 then source-nat interface
- Configure policies.
  user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match source-address phone1
  user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match destination-address proxy
  user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match application junos-sip
  user@host# set security policies from-zone private to-zone dmz policy private-to-proxy then permit source-nat interface
  user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match source-address phone2
  user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match destination-address proxy
  user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match application junos-sip
  user@host# set security policies from-zone public to-zone dmz policy public-to-proxy then permit
  user@host# set security policies from-zone private to-zone public policy private-to-public match source-address phone1
  user@host# set security policies from-zone private to-zone public policy private-to-public match destination-address phone2
  user@host# set security policies from-zone private to-zone public policy private-to-public match application junos-sip
  user@host# set security policies from-zone private to-zone public policy private-to-public then permit source-nat interface
  user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match source-address proxy
  user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match destination-address static_nat_2.2.2.3_32
  user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match application junos-sip
  user@host# set security policies from-zone dmz to-zone private policy proxy-to-private then permit
  user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match source-address proxy
  user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match destination-address phone2
  user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match application junos-sip
  user@host# set security policies from-zone dmz to-zone public policy proxy-to-public then permit
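An added example, not part of the original Juniper page: a small Python check that reads set commands like those in the steps above and reports any policy source-address or destination-address name that has no explicit address-book entry in the zone it is looked up in (source in the from-zone, destination in the to-zone). The function name and the embedded subset of commands are assumptions made for the illustration; run against this page's commands it reports static_nat_2.2.2.3_32, which no address-book command here defines, so confirm that name exists on the device before committing.

```python
import re

# Constructed sample: address-book and policy match lines taken from the steps
# above (private/dmz subset), written as "set" commands without the CLI prompt.
CONFIG = """\
set security zones security-zone private address-book address phone1 10.1.1.3/32
set security zones security-zone public address-book address phone2 1.1.1.4/32
set security zones security-zone dmz address-book address proxy 2.2.2.4/32
set security policies from-zone private to-zone dmz policy private-to-proxy match source-address phone1
set security policies from-zone private to-zone dmz policy private-to-proxy match destination-address proxy
set security policies from-zone dmz to-zone private policy proxy-to-private match source-address proxy
set security policies from-zone dmz to-zone private policy proxy-to-private match destination-address static_nat_2.2.2.3_32
"""

ADDR = re.compile(r"set security zones security-zone (\S+) address-book address (\S+) \S+")
MATCH = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                   r"match (source|destination)-address (\S+)")

def undefined_addresses(config):
    """Return (policy, zone, name) for each policy address with no address-book entry."""
    book = {}   # zone -> set of address names defined in that zone
    refs = []   # (policy, zone the name is looked up in, name)
    for line in config.splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", line.strip())  # drop a user@host# prompt
        m = ADDR.fullmatch(line)
        if m:
            book.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = MATCH.fullmatch(line)
        if m:
            src_zone, dst_zone, policy, side, name = m.groups()
            # Source names resolve in the from-zone, destination names in the to-zone.
            zone = src_zone if side == "source" else dst_zone
            refs.append((policy, zone, name))
    return [(p, z, n) for p, z, n in refs
            if n != "any" and n not in book.get(z, set())]

if __name__ == "__main__":
    for policy, zone, name in undefined_addresses(CONFIG):
        print(f"policy {policy}: address '{name}' has no address-book entry in zone {zone}")
```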
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding SIP ALGs and NAT
- SIP ALG Configuration Overview
- Verifying SIP ALG Configurations