Example: Configuring the SCCP ALG CallManager/TFTP Server in the Private Zone (CLI)
When the same device serves as both the CallManager and the TFTP server and is located in the private network, you might want to configure static NAT on the outgoing interface of the Juniper Networks device.
In this example, phone1 and the CallManager/TFTP server are on the ge-0/0/0.0 interface in the private zone, and phone2 is on the ge-0/0/1.0 interface in the public zone. You configure static NAT for the CallManager/TFTP server on the ge-0/0/1.0 interface, so that when phone2 boots up it can contact the TFTP server and obtain the IP address of the CallManager. (We recommend that you change the IP address of the CallManager in the TFTP server config file (sep <mac_addr>.cnf) to the NAT IP address of the CallManager.) You then create a policy allowing SCCP traffic from the public to the private zone and reference that NAT in the policy. You also create a policy from the Trust to the Untrust zone to allow phone1 to call out. See Figure 27.
Figure 27: CallManager/TFTP Server in the Private Zone
To configure the SCCP CallManager/TFTP server in the private zone:
- Configure interfaces.
  user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
  user@host# set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
- Configure zone.
  user@host# set security zones security-zone private interface ge-0/0/0.0
  user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
  user@host# set security zones security-zone private address-book address cm-tftp_server 10.1.1.4/32
  user@host# set security zones security-zone public interface ge-0/0/1.0
  user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
- Configure static NAT.
  user@host# set security nat interface ge-0/0/1.0 static 1.1.1.2 host 10.1.1.4
- Configure policies.
  user@host# set security policies from-zone private to-zone public policy out-pol match source-address any
  user@host# set security policies from-zone private to-zone public policy out-pol match destination-address phone2
  user@host# set security policies from-zone private to-zone public policy out-pol match application junos-sccp
  user@host# set security policies from-zone private to-zone public policy out-pol then permit source-nat interface
  user@host# set security policies from-zone public to-zone junos-global policy in-pol match source-address phone2
  user@host# set security policies from-zone public to-zone junos-global policy in-pol match destination-address static_nat_1.1.1.2_32
  user@host# set security policies from-zone public to-zone junos-global policy in-pol match application junos-sccp
  user@host# set security policies from-zone public to-zone junos-global policy in-pol then permit
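The static NAT mapping makes the CallManager/TFTP server reachable from the public zone, so the inbound policy should stay limited to phone2 and junos-sccp as shown above. The following audit script is an added example, not part of the Juniper documentation: it reads set commands in the form used on this page and reports any permit policy that opens a static NAT address to source-address any or application any. The policy name wide-pol, the regular expressions and the function audit are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the page's static NAT and in-pol commands, plus a
# hypothetical over-broad policy "wide-pol" added to show a finding.
SAMPLE = """\
set security nat interface ge-0/0/1.0 static 1.1.1.2 host 10.1.1.4
set security policies from-zone public to-zone junos-global policy in-pol match source-address phone2
set security policies from-zone public to-zone junos-global policy in-pol match destination-address static_nat_1.1.1.2_32
set security policies from-zone public to-zone junos-global policy in-pol match application junos-sccp
set security policies from-zone public to-zone junos-global policy in-pol then permit
set security policies from-zone public to-zone junos-global policy wide-pol match source-address any
set security policies from-zone public to-zone junos-global policy wide-pol match destination-address static_nat_1.1.1.2_32
set security policies from-zone public to-zone junos-global policy wide-pol match application any
set security policies from-zone public to-zone junos-global policy wide-pol then permit
"""

NAT_RE = re.compile(r"set security nat interface \S+ static (\S+) host (\S+)")
POL_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (?:match (\S+) (\S+)|then (permit))")

def audit(config):
    """Return (nat_ip, policy, issue) for permits that over-expose a static NAT host."""
    nat_ips, pols = [], defaultdict(lambda: defaultdict(set))
    for raw in config.splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", raw.strip())  # tolerate a CLI prompt
        if m := NAT_RE.match(line):
            nat_ips.append(m.group(1))
        elif m := POL_RE.match(line):
            src, dst, name, field, value, action = m.groups()
            pols[(src, dst, name)][field or "action"].add(value or action)
    findings = []
    for ip in nat_ips:
        target = f"static_nat_{ip}_32"  # address name form used on the page
        hits = [k for k, p in pols.items() if "permit" in p["action"]
                and p["destination-address"] & {target, "any"}]
        if not hits:
            findings.append((ip, None, "no permit policy references this mapping"))
        for key in hits:
            for field in ("source-address", "application"):
                if "any" in pols[key][field]:
                    findings.append((ip, key[2], f"{field} is any"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the configuration on this page alone, audit returns an empty list, because in-pol names both phone2 and junos-sccp.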
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding SCCP ALGs
- SCCP ALG Configuration Overview
- Verifying SCCP ALG Configurations