Configuring a Three-Zone SIP Scenario

In a three-zone SIP configuration, the SIP proxy server is typically in a different zone than the calling and called parties. Such a scenario requires additional address and zone configuration, and policies to ensure that all parties have access to each other and to the proxy server.

In this example, phone1 is on the ge-0/0/0 interface in the private zone, phone2 is on the ge-0/0/0/2 interface in the public zone, and the proxy server is on the ge-0/0/1.0 interface in the DMZ. You configure static NAT on the ge-0/0/1 interface to phone1 in the private zone. You then create policies from the private zone to the DMZ and from the DMZ ot the private zone, from the public zone to the DMZ and from the DMZ to the public zone, and from the pirvate zone to the public zone. The arrows in Figure 81 show the flow of SIP signaling traffic when phone2 in the public zone places a call to phone1 in the private zone. After the session is initiated, the media flows directly between phone1 and phone2.

Figure 81: Three-Zone, Proxy in the DMZ

To configure a three-zone SIP scenario, use either the J-Web or CLI configuration editor.

This topic covers:

• J-Web Configuration
• CLI Configuration
• Related Topics

J-Web Configuration

To configure interfaces:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Interfaces, click Configure or Edit.
3. Next to Interface, click Add new entry.
4. In the Interface name box, type ge-0/0/0.
5. Next to Unit, click Add new entry.
6. Next to Interface unit number, type 0.
7. Next to Inet, select the check box and click Configure.
8. Next to Address, click Add new entry.
9. Next to Source, type 10.1.1.1/24 and click OK.
10. To configure another interface, ge-0/0/1 and ge-0/0/2, and addresses, 2.2.2.2/24 and 1.1.1.1/24, repeat Step 2 through Step 9 and click OK.
11. To save and commit the configuration, click Commit.

To configure zones:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure.
4. Next to Security zones, click Add new entry.
5. In the Name box, type private and click OK.
6. Next to Security zone, click Add new entry.
7. In the Name box, type public and click OK.
8. Next to Security zone, click Add new entry.
9. In the Name box, type dmz and click OK.
10. To configure an interface to the private zone, click private.
11. Next to Interfaces, click Add new entry.
12. Next to Interface unit box, type ge-0/0/0.0 and click OK.
13. To configure an interface to the public zone, click public.
14. Next to Interfaces, click Add new entry.
15. Next to Interface unit box, type ge-0/0/2.0 and click OK.
16. To configure an interface to the dmz, click dmz.
17. Next to Interfaces, click Add new entry.
18. Next to Interface unit box, type ge-0/0/1.0 and click OK.
19. To save and commit the configuration, click Commit.

To configure addresses:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure.
4. Next to Security zone, click Add new entry.
5. In the Name box, type private.
6. Next to Address book, click Configure.
7. Next to Address, click Add new entry.
8. In the Address name box, type phone1 10.1.1.3/32 and click OK.
9. To configure more security zones, public and dmz, and address books entries such as phone2 1.1.1.4/32 and proxy 2.2.2.4/32, repeat Step 4 through Step 8, and click OK.
10. To save and commit the configuration, click Commit.

To configure static NAT:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Nat, click Configure.
4. Next to Interfaces, click Add new entry.
5. In the Name box, type ge-0/0/1.0.
6. Next to Static nat, click Add new entry.
7. In the Address box, type 2.2.2.3/32.
8. In the Host box, type 10.1.1.3/32 and click OK.
9. To save and commit the configuration, click Commit.

To configure policies:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry.
5. In the From zone name box, type private.
6. In the To zone name box, type dmz.
7. Next to Policy, click Add new entry.
8. In the Policy name box, type private-to-proxy.
9. Select the Match check box.
10. Select the Then check box.
11. Next to Match check box, click Configure.
12. From the Source address choice list, select Source address.
13. Next to Source address, click Add new entry.
14. From the Value keyword list, select Enter Specific Value.
15. In the Address box, type phone1 and click OK.
16. From the Destination address choice list, select Destination address.
17. Next to Destination address, click Add new entry.
18. Next to Value keyword list, select proxy and click OK.
19. From the Application choice list, select Application.
20. Next to Application, click Add new entry.
21. In the Value keyword box, type junos-sip and click OK.
22. Next to Then, click Configure.
23. Next to Action, select permit.
24. Click Configure next to Permit.
25. Next to Source nat, select the check box and click Configure.
26. From the Source nat choice list, select interface and click OK.

To configure from zone, public, and to zone, dmz, and the respective source address, destination address, and application:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry
5. In the From zone name box, type public.
6. In the To zone name box, type private.
7. Next to Policy, click Add new entry.
8. In the Policy name box, type public-to-proxy.
9. Select the Match check box.
10. Select the Then check box.
11. Click Configure next to Match check box.
12. Next to Source address choice list select Source address.
13. Next to Source address, click Add new entry.
14. From the Value keyword list, type phone2 and click OK.
15. From the Destination address choice list, select Destination address.
16. Next to Destination address, click Add new entry.
17. Next to Value keyword list, select Enter Specific Value.
18. To specify the address, type proxy and click OK.
19. From the Application choice list, select Application.
20. Next to Application, click Add new entry.
21. Next to Value keyword box, type junos-sip and click OK.
22. Next to Then, click Configure.
23. Next to Action, select permit and click OK.

To configure from zone, private, and to zone, public, and the respective source address, destination address, and application:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry.
5. In the From zone name box, type private.
6. In the To zone name box, type public.
7. Next to Policy, click Add new entry.
8. In the Policy name box, type private-to-public.
9. Select the Match check box.
10. Select the Then check box.
11. Next to Match check box, click Configure.
12. From the Source address choice list, select Source address.
13. Next to Source address, click Add new entry.
14. From the Value keyword list, select Enter Specific Value.
15. In the Address box, type phone1 and click OK.
16. From the Destination address choice list, select Destination address.
17. Next to Destination address, click Add new entry.
18. Next to Value keyword list, type phone2 and click OK.
19. From the Application choice list, select Application.
20. Next to Application, click Add new entry.
21. In the Value keyword box, type junos-sip and click OK.
22. Next to Then, click Configure.
23. Next to Action, select permit.
24. Click Configure next to Permit.
25. Next to Source nat, select the check box and click Configure.
26. From the Source nat choice list, select interface and click OK.

To configure from zone, dmz, and to zone, private, and the respective source address, destination address, and application:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry
5. In the From zone name box, type dmz.
6. In the To zone name box, type private.
7. Next to Policy, click Add new entry.
8. In the Policy name box, type proxy-to-private.
9. Select the Match check box.
10. Select the Then check box.
11. Click Configure next to Match check box.
12. Next to Source address choice list select Source address.
13. Next to Source address, click Add new entry.
14. From the Value keyword list, type proxy and click OK.
15. From the Destination address choice list, select Destination address.
16. Next to Destination address, click Add new entry.
17. Next to Value keyword list, select Enter Specific Value.
18. To specify the address, type static_nat_2.2.2.3_32 and click OK.
19. From the Application choice list, select Application.
20. Next to Application, click Add new entry.
21. Next to Value keyword box, type junos-sip and click OK.
22. Next to Then, click Configure.
23. Next to Action, select permit and click OK.

To configure from zone, dmz, and to zone, public, and the respective source address, destination address, and application:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry
5. In the From zone name box, type dmz.
6. In the To zone name box, type public.
7. Next to Policy, click Add new entry.
8. In the Policy name box, type proxy-to-public.
9. Select the Match check box.
10. Select the Then check box.
11. Click Configure next to Match check box.
12. Next to Source address choice list select Source address.
13. Next to Source address, click Add new entry.
14. From the Value keyword list, type proxy and click OK.
15. From the Destination address choice list, select Destination address.
16. Next to Destination address, click Add new entry.
17. Next to Value keyword list, select Enter Specific Value.
18. To specify the address, type phone2 and click OK.
19. From the Application choice list, select Application.
20. Next to Application, click Add new entry.
21. Next to Value keyword box, type junos-sip and click OK.
22. Next to Then, click Configure.
23. Next to Action, select permit and click OK.
24. To save and commit the configuration, click Commit.
25. To check the configuration, see “Verifying the SIP Configuration” on page 522.

CLI Configuration

1. Configure interfaces.

   user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

   user@host# set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24

   user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24

2. Configure zones.

   user@host# set security zones security-zone private interfaces ge-0/0/0.0

   user@host# set security zones security-zone public interfaces ge-0/0/2.0

   user@host# set security zones security-zone dmz interfaces ge-0/0/1.0

3. Configure addresses.

   user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32

   user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32

   user@host# set security zones security-zone dmz address-book address proxy 2.2.2.4/32

4. Configure static-NAT.

   user@host# set security nat interface ge-0/0/1.0 static-nat 2.2.2.3/32 host 10.1.1.3/32

5. Configure policies.

   user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match source-address phone1

   user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match destination-address proxy

   user@host# set security policies from-zone private to-zone dmz policy private-to-proxy match application junos-sip

   user@host# set security policies from-zone private to-zone dmz policy private-to-proxy then permit source-nat interface

   user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match source-address phone2

   user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match destination-address proxy

   user@host# set security policies from-zone public to-zone dmz policy public-to-proxy match application junos-sip

   user@host# set security policies from-zone public to-zone dmz policy public-to-proxy then permit

   user@host# set security policies from-zone private to-zone public policy private-to-public match source-address phone1

   user@host# set security policies from-zone private to-zone public policy private-to-public match destination-address phone2

   user@host# set security policies from-zone private to-zone public policy private-to-public match application junos-sip

   user@host# set security policies from-zone private to-zone public policy private-to-public then permit source-nat interface

   user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match source-address proxy

   user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match destination-address static_nat_2.2.2.3_32

   user@host# set security policies from-zone dmz to-zone private policy proxy-to-private match application junos-sip

   user@host# set security policies from-zone dmz to-zone private policy proxy-to-private then permit

   user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match source-address proxy

   user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match destination-address phone2

   user@host# set security policies from-zone dmz to-zone public policy proxy-to-public match application junos-sip

   user@host# set security policies from-zone dmz to-zone public policy proxy-to-public then permit

Related Topics

• Understanding SIP with Network Address Translation (NAT)
• Understanding Incoming SIP Call Support Using the SIP Registrar
• Configuring Interface Source NAT for Incoming SIP Calls
• Configuring a Source NAT Pool for Incoming SIP Calls
• Configuring Static NAT for Incoming SIP Calls
• Configuring the SIP Proxy in the Private Zone
• Configuring the SIP Proxy in the Public Zone