Configuring a Source NAT Pool for Incoming SIP Calls

In a two-zone scenario with the SIP proxy server in an external, or public zone, you can use NAT for incoming calls by configuring a NAT pool on the interface to the public zone.

Before You Begin

For background information, read

In this example, phone1 is in the private zone, and phone2 and the proxy server are in the public zone. You configure a source NAT pool on the ge-0/0/2.0 interface to do NAT on incoming calls, then set a policy permitting SIP traffic from the public zone to the private zone and reference the NAT pool in the policy. You also create a policy that permits SIP traffic from the private zone to the public zone. This enables phone1 in the private zone to register with the proxy in the public zone. See Figure 77.

Figure 77: Source NAT Pool for Incoming Calls

To configure a source NAT pool for incoming calls, use either the J-Web or CLI configuration editor.

J-Web Configuration

To configure interfaces:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Interfaces, click Configure or Edit.
  3. Next to Interface, click Add new entry.
  4. In the Interface name box, type ge-0/0/0.
  5. Next to Unit, click Add new entry.
  6. In the Interface unit number box, type 0.
  7. Under Family, select inet and click Configure.
  8. Next to Address, click Add new entry.
  9. To specify the source address, type 10.1.1.1/24 in the Source box and click OK.
  10. To configure the other interface, ge-0/0/2, and add its address, repeat Step 2 through Step 9 and click OK.
  11. To save and commit the configuration, click Commit.

To configure a private zone and assign an interface to it:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zones, click Add new entry.
  5. In the Name box, type private.
  6. Next to Interfaces, click Add new entry.
  7. In the Interface unit box, type ge-0/0/0.0 and click OK.
  8. To save and commit the configuration, click Commit.

To configure addresses:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zones, click Add new entry.
  5. In the Name box, type private.
  6. Next to Address book, click Configure.
  7. Next to Address, click Add new entry.
  8. In the Address name box, type phone1 10.1.1.3/32 and click OK.
  9. To configure the other security zone, public, and address book entries such as proxy 10.1.1.3/32 and phone2 1.1.1.4/32, repeat Step 3 through Step 7 and click OK.
  10. To save and commit the configuration, click Commit.

To configure zones:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zones, click Add new entry.
  5. In the Name box, type private and click OK.
  6. To specify the name of another security zone, click Add new entry next to Security zone.
  7. Next to the Name box, type public and click OK.
  8. To configure an interface to the private zone, click private.
  9. Next to Interfaces, click Add new entry.
  10. In the Interface unit box, type ge-0/0/0.0 and click OK.
  11. To configure an interface to the public zone, click public.
  12. Next to Interfaces, click Add new entry.
  13. In the Interface unit box, type ge-0/0/2.0 and click OK.
  14. To save and commit the configuration, click Commit.

To configure the source NAT pool:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Source Nat, click Configure.
  4. Next to Address persistent, select the check box and click OK.
  5. Next to Interface, click Add new entry.
  6. In the Name box, type ge-0/0/2.0.
  7. Next to Source nat, click Configure.
  8. Next to Pool, click Add new entry.
  9. In the Name box, type sip-pool.
  10. Next to Address range, click Add new entry.
  11. Next to the High box, type 1.1.1.60; next to the Low box, type 1.1.1.20; then click OK.
  12. Next to Allow incoming, select the check box and click OK.
  13. To save and commit the configuration, click Commit.

To configure policies:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type private.
  6. In the To zone name box, type public.
  7. Next to Policy, click Add new entry.
  8. In the Policy name box, type outgoing.
  9. Select the Match check box.
  10. Select the Then check box.
  11. Next to the Match check box, click Configure.
  12. From the Source address choice list, select Source address.
  13. Next to Source address, click Add new entry.
  14. From the Value keyword list, select Enter Specific Value.
  15. In the Address box, type phone1 and click OK.
  16. From the Destination address choice list, select Destination address.
  17. Next to Destination address, click Add new entry.
  18. Next to Value keyword list, select any and click OK.
  19. From the Application choice list, select Application.
  20. Next to Application, click Add new entry.
  21. In the Value keyword box, type junos-sip and click OK.
  22. Next to Then, click Configure.
  23. Next to Action, select permit.
  24. Click Configure next to Permit.
  25. Next to Source nat, select the check box and click Configure.
  26. From the Source nat choice list, select interface and click OK.
  27. In the From zone name box, type private.
  28. In the To zone name box, type public.
  29. Next to Policy, click Add new entry.
  30. In the Policy name box, type incoming.
  31. Select the Match check box.
  32. Select the Then check box.
  33. Next to the Match check box, click Configure.
  34. From the Source address choice list, select Source address.
  35. Next to Source address, click Add new entry.
  36. From the Value keyword list, select any and click OK.
  37. From the Destination address choice list, select Destination address.
  38. Next to Destination address, click Add new entry.
  39. Next to Value keyword list, select Enter Specific Value.
  40. To specify the address, type incoming-nat-fe0/0/2.0 and click OK.
  41. From the Application choice list, select Application.
  42. Next to Application, click Add new entry.
  43. Next to Value keyword box, type junos-sip and click OK.
  44. Next to Then, click Configure.
  45. Next to Action, select permit.
  46. To save and commit the configuration, click Commit.

CLI Configuration

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
    user@host# set security zones security-zone private interfaces ge-0/0/0.0
  2. Configure addresses.
    user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
    user@host# set security zones security-zone public address-book address proxy 10.1.1.3/32
    user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
  3. Configure zones.
    user@host# set security zones security-zone private
    user@host# set security zones security-zone public
    user@host# set security zones security-zone private interfaces ge-0/0/0.0
    user@host# set security zones security-zone public interfaces ge-0/0/2.0
  4. Configure the source NAT pool.
    user@host# set security nat source-nat address-persistent
    user@host# set security nat interface ge-0/0/2.0 source-nat pool sip-pool address-range low 1.1.1.20 high 1.1.1.60
    user@host# set security nat interface ge-0/0/2.0 source-nat pool sip-pool allow incoming
  5. Configure policies.
    user@host# set security policies from-zone private to-zone public policy outgoing match source-address phone1 destination-address any application junos-sip
    user@host# set security policies from-zone private to-zone public policy outgoing then permit source-nat pool sip-pool
    user@host# set security policies from-zone public to-zone private policy incoming match source-address any destination-address incoming-nat-sip-pool application junos-sip
    user@host# set security policies from-zone public to-zone private policy incoming then permit
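
A policy needs both its match and then statements under the same from-zone/to-zone pair. The following added example (Python, not part of the original documentation) groups set commands in the style of step 5 by zone context and reports policies that are missing either clause or that permit source-address any. The sample input is constructed, and the function name audit_policies is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: set commands in the style of step 5, with the
# "incoming" policy deliberately split across two zone contexts.
SAMPLE = """\
set security policies from-zone private to-zone public policy outgoing match source-address phone1 destination-address any application junos-sip
set security policies from-zone private to-zone public policy outgoing then permit source-nat pool sip-pool
set security policies from-zone private to-zone public policy incoming match source-address any destination-address incoming-nat-sip-pool application junos-sip
set security policies from-zone public to-zone private policy incoming then permit
"""

POLICY_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) "
    r"policy (\S+) (match|then) (.+)"
)


def audit_policies(text):
    """Return sorted findings for the policy set commands in text."""
    # (from-zone, to-zone, policy name) -> {"match": ..., "then": ...}
    clauses = defaultdict(dict)
    for line in text.splitlines():
        # Tolerate a leading CLI prompt such as "user@host# ".
        line = line.strip().split("# ", 1)[-1]
        m = POLICY_RE.match(line)
        if m:
            src, dst, name, kind, rest = m.groups()
            clauses[(src, dst, name)][kind] = rest

    findings = []
    for (src, dst, name), parts in clauses.items():
        where = f"{src}->{dst} policy {name}"
        if "match" not in parts:
            findings.append(f"{where}: 'then' without 'match'")
        elif "then" not in parts:
            findings.append(f"{where}: 'match' without 'then'")
        elif ("source-address any" in parts["match"]
              and parts["then"].startswith("permit")):
            # Not an error, but worth a reviewer's attention.
            findings.append(f"{where}: permits source-address any")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE):
        print(finding)
```
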
