Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone
This example shows how to set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the private zone, and an IP phone host (2.2.2.5/32) in the public zone.
Requirements
Before you begin:
- Understand and configure any Avaya H.323-specific features. See the Administrator Guide for Avaya Communication Manager, Avaya IP Telephony Implementation Guide, and Avaya Application Solutions IP Telephony Deployment Guide at http://support.avaya.com.
- Configure security zones. See Understanding Security Zones.
Overview
Two policies are needed: P1 permits H.323 traffic from IP phone hosts in the private zone to the IP phone host (2.2.2.5/32) in the public zone, and P2 permits H.323 traffic from the public zone to the gatekeeper in the private zone. The policies reference two address-book entries: IP_Phone, which this example defines in the public zone, and gateway, the gatekeeper's address in the private zone, which must already be defined there for the configuration to commit. The device can be in either route mode or NAT mode. See Figure 12.
Figure 12: H.323 Gatekeeper in Zone1
Configuration
CLI Quick Configuration
To quickly configure the device to pass H.323 ALG traffic to a gatekeeper in the internal zone, copy the following commands and paste them into the CLI:
[edit]
set security zones security-zone public address-book address IP_Phone 2.2.2.5/32
set security policies from-zone private to-zone public policy P1 match source-address any
set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone
set security policies from-zone private to-zone public policy P1 match application junos-h323
set security policies from-zone private to-zone public policy P1 then permit
set security policies from-zone public to-zone private policy P2 match source-address any
set security policies from-zone public to-zone private policy P2 match destination-address gateway
set security policies from-zone public to-zone private policy P2 match application junos-h323
set security policies from-zone public to-zone private policy P2 then permit
Step-by-Step Procedure
The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do this, see Using the CLI Editor in Configuration Mode.
To configure the device to pass H.323 ALG traffic to a gatekeeper in the internal zone:
- Configure an address book. The address name is case-sensitive and must match the name referenced by policy P1.
[edit]
user@host# set security zones security-zone public address-book address IP_Phone 2.2.2.5/32
- Configure policy P1 from the internal zone to the external zone.
[edit]
user@host# set security policies from-zone private to-zone public policy P1 match source-address any
user@host# set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone
user@host# set security policies from-zone private to-zone public policy P1 match application junos-h323
user@host# set security policies from-zone private to-zone public policy P1 then permit
- Configure policy P2 from the external zone to the internal zone.
[edit]
user@host# set security policies from-zone public to-zone private policy P2 match source-address any
user@host# set security policies from-zone public to-zone private policy P2 match destination-address gateway
user@host# set security policies from-zone public to-zone private policy P2 match application junos-h323
user@host# set security policies from-zone public to-zone private policy P2 then permit
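As an added check (not part of this Juniper example), the following Python script parses set commands like the ones above and reports policy address references that are not defined in the address book of the zone they resolve against (source-address in the from-zone, destination-address in the to-zone). Run on this example's commands it reports that gateway is never defined; it also distinguishes a case mismatch such as ip_phone versus IP_Phone, since Junos address names are case-sensitive. EXAMPLE_CONFIG is a constructed copy of this example's commands.

```python
import re
from collections import defaultdict

# Constructed copy of the commands in this example. The gatekeeper address
# "gateway" is referenced by P2 but never defined in the private zone's book.
EXAMPLE_CONFIG = [
    "set security zones security-zone public address-book address IP_Phone 2.2.2.5/32",
    "set security policies from-zone private to-zone public policy P1 match source-address any",
    "set security policies from-zone private to-zone public policy P1 match destination-address IP_Phone",
    "set security policies from-zone private to-zone public policy P1 match application junos-h323",
    "set security policies from-zone private to-zone public policy P1 then permit",
    "set security policies from-zone public to-zone private policy P2 match source-address any",
    "set security policies from-zone public to-zone private policy P2 match destination-address gateway",
    "set security policies from-zone public to-zone private policy P2 match application junos-h323",
    "set security policies from-zone public to-zone private policy P2 then permit",
]

ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
REF_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address) (\S+)$")


def check_policies(set_commands):
    """Return a list of problems: policy address references not defined in the
    address book of the zone they resolve against. 'any' is always valid and
    names are compared case-sensitively, as Junos compares them."""
    books = defaultdict(dict)  # zone -> {address name: prefix}
    refs = []
    for line in set_commands:
        if m := ADDR_RE.match(line.strip()):
            zone, name, prefix = m.groups()
            books[zone][name] = prefix
        elif m := REF_RE.match(line.strip()):
            refs.append(m.groups())
    problems = []
    for from_zone, to_zone, policy, kind, name in refs:
        zone = from_zone if kind == "source-address" else to_zone
        if name == "any" or name in books[zone]:
            continue
        # Distinguish a missing entry from a case mismatch (ip_phone vs IP_Phone)
        by_lower = {n.lower(): n for n in books[zone]}
        if name.lower() in by_lower:
            problems.append(f"{policy}: {kind} {name} differs in case from "
                            f"{by_lower[name.lower()]} in zone {zone}")
        else:
            problems.append(f"{policy}: {kind} {name} is not defined in zone {zone}")
    return problems
```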
Results
Confirm your configuration by entering the show security policies command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
user@host# show security policies
...
from-zone trust to-zone trust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone untrust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone private to-zone public {
    policy P1 {
        match {
            source-address any;
            destination-address IP_Phone;
            application junos-h323;
        }
        then {
            permit;
        }
    }
}
from-zone public to-zone private {
    policy P2 {
        match {
            source-address any;
            destination-address gateway;
            application junos-h323;
        }
        then {
            permit;
        }
    }
}
...
Verification
To confirm that the configuration is working properly, perform this task:
Verifying H.323 ALG Configurations
Purpose
Display information about active calls.
Note: H.323 counters for calls and active calls in the output of this show security command do not apply to the proprietary Avaya implementation of H.323. This is because Q.931 setup and connect messages are exchanged right after the phone is powered up, and call creation and tear-down are done by Facility messages. Counters for calls and active calls are increased when the resources allocated for calls are increased—that is, messages belonging to the same call that pass the firewall multiple times increment the counters. This applies when resources for a call need to be allocated multiple times. For example, in a two-zone scenario the setup and connect message pair allocates one call resource, and the active call counter is increased by one. But in a three-zone scenario the setup and connect message pair passes the firewall twice, each time allocating different call resources. In this case, the counter is incremented each time.
Action
From the J-Web interface, select Monitor>ALGs>H323. Alternatively, from the CLI, enter the show security alg h323 counters command.
Counters for H.245 messages received also will not be accurate in the case of H.245 tunneling. Because tunneled H.245 messages are encapsulated in Q.931 packets, the H.245 message received counter will remain zero even when there are H.245 messages. The Oth H245 counter will, however, reflect these packet transmissions.
user@host> show security alg h323 counters
H.323 counters summary:
  Packets received        : 0
  Packets dropped         : 0
  RAS message received    : 0
  Q.931 message received  : 0
  H.245 message received  : 0
  Number of calls         : 0
  Number of active calls  : 0
H.323 error counters:
  Decoding errors         : 0
  Message flood dropped   : 0
  NAT errors              : 0
  Resource manager errors : 0
H.323 message counters:
  RRQ      : 0
  RCF      : 0
  ARQ      : 0
  ACF      : 0
  URQ      : 0
  UCF      : 0
  DRQ      : 0
  DCF      : 0
  Oth RAS  : 0
  Setup    : 0
  Alert    : 0
  Connect  : 0
  CallProd : 0
  Info     : 0
  RelCmpl  : 0
  Facility : 0
  Empty    : 0
  OLC      : 0
  OLC-ACK  : 0
  Oth H245 : 0
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding H.323 ALGs
- H.323 ALG Configuration Overview