Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone

This example shows how to set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the private zone, and an IP phone host (2.2.2.5/32) in the public zone.

Requirements

Before you begin:

Overview

This example shows how to set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the private zone, and an IP phone host (2.2.2.5/32) in the public zone. The device can be in either route mode or NAT mode. See Figure 12.

Figure 12: H.323 Gatekeeper in Zone1

[image: g030625.gif]

Configuration

CLI Quick Configuration

To quickly configure the device to pass H.323 ALG traffic to a gatekeeper in the internal zone, copy the following commands and paste them into the CLI:

    [edit]
    set security zones security-zone public address-book address IP_Phone 2.2.2.5/32
    set security policies from-zone private to-zone public policy P1 match source-address any
    set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone
    set security policies from-zone private to-zone public policy P1 match application junos-h323
    set security policies from-zone private to-zone public policy P1 then permit
    set security policies from-zone public to-zone private policy P2 match source-address any
    set security policies from-zone public to-zone private policy P2 match destination-address gateway
    set security policies from-zone public to-zone private policy P2 match application junos-h323
    set security policies from-zone public to-zone private policy P2 then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do this, see Using the CLI Editor in Configuration Mode.

To configure the device to pass H.323 ALG traffic to a gatekeeper in the internal zone:

  1. Configure an address book. The address name is case-sensitive and must match the name referenced by policy P1 exactly.

    [edit]
    user@host# set security zones security-zone public address-book address IP_Phone 2.2.2.5/32
  2. Configure policy P1 from the internal zone to the external zone.

    [edit]
    user@host# set security policies from-zone private to-zone public policy P1 match source-address any
    user@host# set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone
    user@host# set security policies from-zone private to-zone public policy P1 match application junos-h323
    user@host# set security policies from-zone private to-zone public policy P1 then permit
  3. Configure policy P2 from the external zone to the internal zone. The destination address refers to an address-book entry named gateway for the gatekeeper in the private zone; this example does not create that entry, so it must already exist or the commit will fail.

    [edit]
    user@host# set security policies from-zone public to-zone private policy P2 match source-address any
    user@host# set security policies from-zone public to-zone private policy P2 match destination-address gateway
    user@host# set security policies from-zone public to-zone private policy P2 match application junos-h323
    user@host# set security policies from-zone public to-zone private policy P2 then permit
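A policy that names an address-book entry which does not exist in the right zone (or whose spelling differs in case) is rejected at commit time, and in a larger configuration that is easy to miss until the commit fails. The following added example, which is not part of the Juniper documentation and not Junos code, parses `set` commands of the two forms used in this example and checks that every non-`any` source address resolves in the from-zone's address book and every destination address in the to-zone's address book. It assumes the pre-global, zone-scoped address-book model; the sample input is constructed from this example's quick configuration with the address entry deliberately spelled `ip_phone` and no `gateway` entry, and the `10.1.1.1/32` prefix for the gatekeeper is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: this example's quick configuration, with the address-book
# entry spelled "ip_phone" while policy P1 references "IP_Phone", and with no
# address-book entry for "gateway" at all.
SAMPLE_CONFIG = """
set security zones security-zone public address-book address ip_phone 2.2.2.5/32
set security policies from-zone private to-zone public policy P1 match source-address any
set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone
set security policies from-zone private to-zone public policy P1 match application junos-h323
set security policies from-zone private to-zone public policy P1 then permit
set security policies from-zone public to-zone private policy P2 match source-address any
set security policies from-zone public to-zone private policy P2 match destination-address gateway
set security policies from-zone public to-zone private policy P2 match application junos-h323
set security policies from-zone public to-zone private policy P2 then permit
"""

# Corrected variant: consistent address name plus a constructed placeholder
# prefix (10.1.1.1/32) for the gatekeeper entry in the private zone.
FIXED_CONFIG = SAMPLE_CONFIG.replace("address ip_phone", "address IP_Phone") + (
    "set security zones security-zone private address-book address gateway 10.1.1.1/32\n"
)

ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address) (\S+)$"
)


def parse_config(text):
    """Return (address_books, references).

    address_books maps zone -> {address name -> prefix}.
    references is a list of (policy, from_zone, to_zone, direction, name).
    Lines that are not one of the two recognised forms are ignored.
    """
    books = defaultdict(dict)
    refs = []
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            zone, name, prefix = m.groups()
            books[zone][name] = prefix
            continue
        m = POLICY_RE.match(line)
        if m:
            frm, to, pol, direction, name = m.groups()
            refs.append((pol, frm, to, direction, name))
    return books, refs


def check_address_references(text):
    """Return a list of human-readable problems for unresolved address references.

    Zone-scoped lookup: source-address is resolved in the from-zone's address book,
    destination-address in the to-zone's. 'any' always resolves. Because Junos
    address names are case-sensitive, a case-only mismatch is reported with a hint.
    """
    books, refs = parse_config(text)
    problems = []
    for pol, frm, to, direction, name in refs:
        if name == "any":
            continue
        zone = frm if direction == "source-address" else to
        book = books.get(zone, {})
        if name in book:
            continue
        near = [n for n in book if n.lower() == name.lower()]
        if near:
            problems.append(
                f"policy {pol}: {direction} '{name}' not in zone '{zone}' address book; "
                f"did you mean '{near[0]}'? (address names are case-sensitive)"
            )
        else:
            problems.append(
                f"policy {pol}: {direction} '{name}' is not defined in zone '{zone}' address book"
            )
    return problems


if __name__ == "__main__":
    for problem in check_address_references(SAMPLE_CONFIG):
        print(problem)
    print("fixed config problems:", check_address_references(FIXED_CONFIG))
```

Run against the sample, the check reports the case mismatch on P1 and the missing `gateway` entry for P2; against the corrected variant it reports nothing. The same check can be fed the output of `show configuration | display set` from a device, since that is the format the regular expressions expect.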

Results

Confirm your configuration by entering the show security policies command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

user@host# show security policies
...
from-zone trust to-zone trust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone untrust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone private to-zone public {
    policy P1 {
        match {
            source-address any;
            destination-address IP_Phone;
            application junos-h323;
        }
        then {
            permit;
        }
    }
}
from-zone public to-zone private {
    policy P2 {
        match {
            source-address any;
            destination-address gateway;
            application junos-h323;
        }
        then {
            permit;
        }
    }
}
...

Verification

To confirm that the configuration is working properly, perform this task:

Verifying H.323 ALG Configurations

Purpose

Display information about active calls.

Note: The H.323 counters for calls and active calls in the output of this show command do not apply to the proprietary Avaya implementation of H.323, because Q.931 setup and connect messages are exchanged as soon as the phone is powered up, and call creation and teardown are done with Facility messages.

Counters for calls and active calls are increased when the resources allocated for calls are increased—that is, messages belonging to the same call that pass the firewall multiple times increment the counters each time resources for that call have to be allocated again. For example, in a two-zone scenario the setup and connect message pair allocates one call resource, and the active call counter is increased by one. In a three-zone scenario, however, the setup and connect message pair passes the firewall twice, each time allocating different call resources, so the counter is incremented twice.

Action

From the J-Web interface, select Monitor>ALGs>H323. Alternatively, from the CLI, enter the show security alg h323 counters command.

Counters for H.245 messages received are also not accurate when H.245 tunneling is in use. Because tunneled H.245 messages are encapsulated in Q.931 packets, the H.245 message received counter remains zero even when H.245 messages are flowing. The Oth H245 counter does, however, reflect these packet transmissions.

user@host> show security alg h323 counters
H.323 counters summary:
  Packets received         : 0
  Packets dropped          : 0
  RAS message received     : 0
  Q.931 message received   : 0
  H.245 message received   : 0
  Number of calls          : 0
  Number of active calls   : 0
H.323 error counters:
  Decoding errors          : 0
  Message flood dropped    : 0
  NAT errors               : 0
  Resource manager errors  : 0
H.323 message counters:
  RRQ       : 0
  RCF       : 0
  ARQ       : 0
  ACF       : 0
  URQ       : 0
  UCF       : 0
  DRQ       : 0
  DCF       : 0
  Oth RAS   : 0
  Setup     : 0
  Alert     : 0
  Connect   : 0
  CallProd  : 0
  Info      : 0
  RelCmpl   : 0
  Facility  : 0
  Empty     : 0
  OLC       : 0
  OLC-ACK   : 0
  Oth H245  : 0
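When the counters are collected regularly, the points made above are easy to encode as checks: non-zero error counters or dropped packets deserve attention, and a zero H.245 message received count combined with a non-zero Oth H245 count indicates H.245 tunneling rather than an absence of H.245 traffic. The following added example, which is not part of the Juniper documentation and not Junos code, parses text in the layout of the `show security alg h323 counters` output shown above into per-section dictionaries and applies those checks. The sample output is constructed; its values are made up to exercise the checks and do not come from a real device.

```python
import re

# Constructed sample in the layout of "show security alg h323 counters".
# Values are invented: a few NAT errors and drops, and tunneled H.245
# (H.245 message received stays 0 while Oth H245 is non-zero).
SAMPLE_COUNTERS = """\
H.323 counters summary:
  Packets received         : 1240
  Packets dropped          : 3
  RAS message received     : 410
  Q.931 message received   : 96
  H.245 message received   : 0
  Number of calls          : 12
  Number of active calls   : 2
H.323 error counters:
  Decoding errors          : 0
  Message flood dropped    : 0
  NAT errors               : 3
  Resource manager errors  : 0
H.323 message counters:
  RRQ       : 40
  RCF       : 40
  ARQ       : 12
  ACF       : 12
  URQ       : 0
  UCF       : 0
  DRQ       : 12
  DCF       : 12
  Oth RAS   : 282
  Setup     : 12
  Alert     : 12
  Connect   : 12
  CallProd  : 0
  Info      : 0
  RelCmpl   : 12
  Facility  : 36
  Empty     : 0
  OLC       : 24
  OLC-ACK   : 24
  Oth H245  : 48
"""

# Section headers start in column 0 and end with a colon; counter lines are
# indented and have the form "<name> : <integer>".
SECTION_RE = re.compile(r"^(\S.*):$")
COUNTER_RE = re.compile(r"^\s+(.+?)\s*:\s*(\d+)$")


def parse_h323_counters(text):
    """Return {section name: {counter name: int}} for output in the layout above."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2))
    return sections


def review_h323_counters(text):
    """Apply the checks described in the verification text.

    findings: error counters and packet drops that are non-zero.
    h245_tunneling_likely: H.245 received is 0 but Oth H245 is non-zero, the
      signature of H.245 messages carried inside Q.931 packets.
    active_calls: the current active-call count (not meaningful for the Avaya
      implementation, as the note above explains).
    """
    s = parse_h323_counters(text)
    summary = s.get("H.323 counters summary", {})
    errors = s.get("H.323 error counters", {})
    msgs = s.get("H.323 message counters", {})
    findings = [f"{name}: {value}" for name, value in errors.items() if value]
    if summary.get("Packets dropped", 0):
        findings.append(f"Packets dropped: {summary['Packets dropped']}")
    tunneled = (
        summary.get("H.245 message received", 0) == 0 and msgs.get("Oth H245", 0) > 0
    )
    return {
        "findings": findings,
        "h245_tunneling_likely": tunneled,
        "active_calls": summary.get("Number of active calls", 0),
    }


if __name__ == "__main__":
    print(review_h323_counters(SAMPLE_COUNTERS))
```

The parser keys on the visible layout only, so it also handles the all-zero output shown above (no findings, no tunneling indication). Comparing successive snapshots rather than absolute values is the practical way to use it, since the counters only ever grow until they are cleared.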
