Example: Using NAT and the H.323 ALG to Enable Incoming Calls (CLI)

In this example, you configure the device to accept incoming calls over a NAT boundary. To do this, you can create an interface NAT address pool for dynamically allocating destination addresses. This differs from most configurations, where a source pool provides source addresses only. See Figure 14.

Figure 14: Network Address Translation—Incoming Calls


With interface NAT, the source pool uses the same address as an interface IP address. You can use such address entries as destination addresses in policies, together with H.323, SIP, or other VoIP protocols, to support incoming calls.

In the following example, you configure interfaces, a NAT address pool, zones, and security policies for incoming and outgoing traffic:

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces fe-1/0/0 unit 0 family inet address 1.1.1.1/24
  2. Configure interface NAT.
    user@host# set security nat source-nat address-persistent
    user@host# set security nat interface fe-1/0/0.0 source-nat pool p1 address-range low 1.1.1.12 high 1.1.1.150
  3. Configure zones.
    user@host# set security zones security-zone zone1 interfaces ge-0/0/0.0
    user@host# set security zones security-zone zone1 address-book address IP_Phone1 10.1.1.5/32
    user@host# set security zones security-zone zone1 address-book address gatekeeper 10.1.1.25/32
    user@host# set security zones security-zone zone2 interfaces fe-1/0/0.0
    user@host# set security zones security-zone zone2 address-book address IP_Phone2 2.2.2.5/32
    user@host# set security zones Global
  4. Configure policies for outgoing traffic.
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address IP_Phone1
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address gatekeeper
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match destination-address IP_Phone2
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match application junos-h323
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit source-nat pool p1
  5. Configure policies for incoming traffic.
    user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match source-address IP_Phone2
    user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match destination-address incoming_nat_p1
    user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global match application junos-h323
    user@host# set security policy from-zone zone2 to-zone Global policy zone2_to_Global then permit
  6. If you are finished configuring the device, commit the configuration.
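
Before committing, it helps to see exactly which flows the policies in steps 4 and 5 permit once address names are resolved. The following Python script is an added example, not part of the original documentation: it reads the set commands from steps 2 through 5 and lists each permitted flow, along with any address name that no command defines. It assumes that the address entry incoming_nat_p1 is derived from the interface NAT pool p1; the function name review and the regular expressions are illustrative.

```python
import re
from collections import defaultdict

# Constructed input: the set commands from steps 2-5 of this page.
CONFIG = """\
set security nat interface fe-1/0/0.0 source-nat pool p1 address-range low 1.1.1.12 high 1.1.1.150
set security zones security-zone zone1 address-book address IP_Phone1 10.1.1.5/32
set security zones security-zone zone1 address-book address gatekeeper 10.1.1.25/32
set security zones security-zone zone2 address-book address IP_Phone2 2.2.2.5/32
set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address IP_Phone1
set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address gatekeeper
set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match destination-address IP_Phone2
set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 match application junos-h323
set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit source-nat pool p1
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match source-address IP_Phone2
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match destination-address incoming_nat_p1
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match application junos-h323
set security policy from-zone zone2 to-zone Global policy zone2_to_Global then permit
"""

POOL = re.compile(r"set security nat interface \S+ source-nat pool (\S+) address-range low (\S+) high (\S+)")
ADDR = re.compile(r"set security zones security-zone (\S+) address-book address (\S+) (\S+)")
RULE = re.compile(r"set security policy from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+) ?(.*)")

def review(config):
    """Return (permitted flows with names resolved, address names no command defines)."""
    names, rules = {}, defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        if m := POOL.match(line):
            # Assumption: pool <x> is referenced in policies as incoming_nat_<x>.
            names[(None, "incoming_nat_" + m[1])] = f"{m[2]}-{m[3]}"
        elif m := ADDR.match(line):
            names[(m[1], m[2])] = m[3]
        elif m := RULE.match(line):
            key = m[5] if m[4] == "match" else "then"
            rules[(m[1], m[2], m[3])][key].append(m[6] if m[4] == "match" else m[5])
    flows, unresolved = [], []
    for (src_zone, dst_zone, name), r in rules.items():
        if "permit" not in r["then"]:
            continue
        resolved = []
        for zone, field in ((src_zone, "source-address"), (dst_zone, "destination-address")):
            vals = [names.get((zone, e)) or names.get((None, e)) for e in r[field]]
            unresolved += [(name, e) for e, v in zip(r[field], vals) if v is None]
            resolved.append([v for v in vals if v])
        flows.append((name, resolved[0], resolved[1], r["application"]))
    return flows, unresolved
```

For this page's configuration, the incoming policy resolves to a single source, 2.2.2.5/32, reaching the whole pool range 1.1.1.12-1.1.1.150 with the junos-h323 application only.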
