Example: Configuring Interface Source NAT for Incoming SIP Calls (CLI)

In a two-zone scenario with the SIP proxy server in an external, or public zone, you can use NAT for incoming calls by configuring source NAT on the interface to the public zone.

In this example, phone1 is on the ge-0/0/0 interface in the private zone, and phone2 and the proxy server are on the ge-0/0/2 interface in the public zone. You configure interface source NAT on ge-0/0/2.0 for incoming calls, then create a policy permitting SIP traffic from the public zone to the private zone and reference the source NAT in the policy. You also create a policy that permits SIP traffic from the private to the public zone, again referencing the source NAT address pool. This enables phone1 in the private zone to register with the proxy in the public zone. See Figure 20.

Figure 20: Source NAT for Incoming Calls

Image g030631.gif

To configure interface source NAT for incoming calls:

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24user@host# set security zones security-zone private interface ge-0/0/0.0
  2. Configure addresses.
    user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32user@host# set security zones security-zone public address-book address proxy 10.1.1.3/32user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
  3. Configure zones.
    user@host# set security zones security-zone privateuser@host# set security zones security-zone publicuser@host# set security zones security-zone private interfaces ge-0/0/0.0user@host# set security zones security-zone public interfaces ge-0/0/2.0
  4. Configure source NAT.
    user@host# set security nat interface ge-0/0/2.0 source-nat allow-incominguser@host# set security nat source-nat address-persistent
  5. Configure policies.
    user@host# set security policies from-zone private to-zone public policy outgoing match source-address phone1 destination-address any application junos-sipuser@host# set security policies from-zone private to-zone public policy outgoing then permit source-nat interfaceuser@host# set security policies from-zone public to-zone private policy incoming match source-address any destination-address incoming-nat-fe0/0/2.0 application junos-sipuser@host# set security policies from-zone public to-zone private policy incoming then permit

Related Topics