Example: Configuring Three-Zone ISP-Hosted Service Using MGCP ALGs and NAT (CLI)

When an Internet service provider (ISP) in one geographical location provides service to two networks in different geographical locations, a three-zone configuration might be necessary.

In this example (see Figure 29), an ISP located on the American west coast provides MGCP service to customers in separate networks in Asia and San Francisco. Asia customers are in the asia_3 zone and supported by the asia_gw gateway; San Francisco customers are in the sf_2 zone and supported by the sf_gw gateway; and the west_ca call agent is in the DMZ. The gateways and the call agent are listed in Table 34, showing the corresponding IP address, interface, and zone.

Table 34: Three-Zone ISP-Host Service

Gateway    IP Address    Interface    Zone
sf_gw      2.2.2.201     ge-0/0/0     sf_2
asia_gw    3.3.3.110     ge-0/0/1     asia_3
west_ca    10.1.1.101    ge-0/0/2     DMZ

After creating zones and setting addresses for the gateways and the call agent, you associate the zones and addresses with interfaces, and then configure Network Address Translation (NAT) on ge-0/0/1.0 and the policies.

Figure 29: Three-Zone ISP-Hosted Service


To configure a three-zone ISP-hosted service using source and static NAT:

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.10/24
    user@host# set interfaces ge-0/0/1 unit 0 family inet address 3.3.3.10/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.2/24
  2. Configure addresses.
    user@host# set security zones security-zone sf_2 address-book address sf_gw 2.2.2.201/32
    user@host# set security zones security-zone asia_3 address-book address asia_gw 3.3.3.110/32
    user@host# set security zones security-zone dmz address-book address west_ca 10.1.1.101/32
  3. Associate the zones and addresses to interfaces.
    user@host# set security zones security-zone sf_2 interfaces ge-0/0/0
    user@host# set security zones security-zone asia_3 interfaces ge-0/0/1
    user@host# set security zones security-zone dmz interfaces ge-0/0/2
  4. Configure zones sf_2, asia_3, and DMZ to allow incoming VoIP traffic.
    user@host# set security zones security-zone sf_2
    user@host# set security zones security-zone sf_2 host-inbound-traffic system-services all
    user@host# set security zones security-zone sf_2 host-inbound-traffic protocols all
    user@host# set security zones security-zone asia_3
    user@host# set security zones security-zone asia_3 host-inbound-traffic system-services all
    user@host# set security zones security-zone asia_3 host-inbound-traffic protocols all
    user@host# set security zones security-zone dmz
    user@host# set security zones security-zone dmz host-inbound-traffic system-services all
    user@host# set security zones security-zone dmz host-inbound-traffic protocols all
  5. Configure static NAT on interface ge-0/0/ and source NAT on interface ge-0/0/2.
    user@host# set security nat interface ge-0/0/1.0 static-nat 3.3.3.101/32 host 10.1.1.101/32
    user@host# set security nat interface ge-0/0/1.0 source-nat pool src-nat-pool address 2.2.2.10
  6. Configure policies.
    user@host# set security policies from-zone dmz to-zone asia_3 policy pol-dmz-to-asia_3 match source-address west_ca
    user@host# set security policies from-zone dmz to-zone asia_3 policy pol-dmz-to-asia_3 match destination-address asia_gw
    user@host# set security policies from-zone dmz to-zone asia_3 policy pol-dmz-to-asia_3 match application junos-mgcp
    user@host# set security policies from-zone dmz to-zone asia_3 policy pol-dmz-to-asia_3 then permit
    user@host# set security policies from-zone asia_3 to-zone dmz policy pol-asia_3-to-dmz match source-address asia_gw
    user@host# set security policies from-zone asia_3 to-zone dmz policy pol-asia_3-to-dmz match destination-address 3.3.3.101
    user@host# set security policies from-zone asia_3 to-zone dmz policy pol-asia_3-to-dmz match application junos-mgcp
    user@host# set security policies from-zone asia_3 to-zone dmz policy pol-asia_3-to-dmz then permit
    user@host# set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz match source-address sf_gw
    user@host# set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz match destination-address west_ca
    user@host# set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz match application junos-mgcp
    user@host# set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz then permit
    user@host# set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match source-address west_ca
    user@host# set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match destination-address sf_gw
    user@host# set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match application junos-mgcp
    user@host# set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 then permit
    user@host# set security policies from-zone sf_2 to-zone asia_3 policy pol-sf_2-to-asia_3 match source-address sf_gw
    user@host# set security policies from-zone sf_2 to-zone asia_3 policy pol-sf_2-to-asia_3 match destination-address asia_gw
    user@host# set security policies from-zone sf_2 to-zone asia_3 policy pol-sf_2-to-asia_3 match application junos-mgcp
    user@host# set security policies from-zone sf_2 to-zone asia_3 policy pol-sf_2-to-asia_3 then permit source-nat pool src-nat-pool
    user@host# set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match source-address any
    user@host# set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match destination-address any
    user@host# set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match application any
    user@host# set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 then permit
    user@host# set security policies from-zone asia_3 to-zone asia_3 policy pol-intra-asia_3 match source-address any
    user@host# set security policies from-zone asia_3 to-zone asia_3 policy pol-intra-asia_3 match destination-address any
    user@host# set security policies from-zone asia_3 to-zone asia_3 policy pol-intra-asia_3 match application any
    user@host# set security policies from-zone asia_3 to-zone asia_3 policy pol-intra-asia_3 then permit
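A configuration of this size is easy to get subtly wrong, so the following added example (not part of the original Juniper procedure) audits a list of `set` commands for three things worth reviewing before commit: policy match addresses that are not defined in the relevant zone's address book, policies that permit any/any/any, and zones with `host-inbound-traffic ... all`. The `audit` function, the finding labels, and the sample input are assumptions made for illustration; the sample is constructed in the page's syntax with one misspelled address name.

```python
import re

# Constructed sample in the page's "set" syntax (prompts removed). The last
# policy deliberately references an address name that is never defined.
SAMPLE = """\
set security zones security-zone sf_2 address-book address sf_gw 2.2.2.201/32
set security zones security-zone dmz address-book address west_ca 10.1.1.101/32
set security zones security-zone sf_2 host-inbound-traffic system-services all
set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match source-address west_ca
set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match destination-address sf_gw
set security policies from-zone dmz to-zone sf_2 policy pol-dmz-to-sf_2 match application junos-mgcp
set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match source-address any
set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match destination-address any
set security policies from-zone sf_2 to-zone sf_2 policy pol-intra-sf_2 match application any
set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz match source-address sf_gw
set security policies from-zone sf_2 to-zone dmz policy pol-sf_2-to-dmz match destination-address west-ca
"""

ADDR = re.compile(r"set security zones security-zone (\S+) address-book address (\S+) \S+")
HOST = re.compile(r"set security zones security-zone (\S+) host-inbound-traffic (\S+) all$")
MATCH = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                   r"match (source-address|destination-address|application) (\S+)")

def audit(config):
    """Return a list of (finding, object, detail) tuples for review."""
    books, matches, findings = {}, {}, []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := ADDR.match(line):
            books.setdefault(m[1], set()).add(m[2])        # zone -> address names
        elif m := HOST.match(line):
            findings.append(("host-inbound-all", m[1], m[2]))
        elif m := MATCH.match(line):
            matches.setdefault((m[1], m[2], m[3]), {})[m[4]] = m[5]
    for (src, dst, name), crit in matches.items():
        # Source addresses resolve in the from-zone book, destinations in the to-zone book.
        for field, zone in (("source-address", src), ("destination-address", dst)):
            value = crit.get(field)
            if value and value != "any" and value not in books.get(zone, set()):
                findings.append(("undefined-address", name, value))
        if len(crit) == 3 and set(crit.values()) == {"any"}:
            findings.append(("any-any-any", name, f"{src}->{dst}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A literal IP address used as a match address (as in pol-asia_3-to-dmz above) is also reported as undefined, because it has no address-book entry in the destination zone.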
