[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring the SIP Proxy in the Public Zone

When you locate the SIP proxy server in an external, or public, zone, you will typically want to configure NAT on the interface to that zone.

Before You Begin

For background information, read

In this example, phone1 is on the ge-0/0/0.0 interface in the private zone, and the proxy server and phone2 are on the ge-0/0/2.0 interface in the public zone. You configure source NAT on interface 0/0/2.0 in the public zone, then create a policy permitting SIP traffic from the public zone to the private zone and reference the NAT interface. You also create a policy from private to public to allow phone1 to register with the proxy server in the public zone. See Figure 80.

Figure 80: Proxy in the Public Zone

Image g030635.gif

To configure the SIP proxy in the public zone, use either the J-Web or the CLI configuration editor.

This topic covers:

J-Web Configuration

To configure interfaces:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Interfaces, click Configure or Edit.
  3. Next to Interface, click Add new entry.
  4. In the Interface name box, type ge-0/0/0.
  5. Next to Unit, click Add new entry.
  6. Next to Interface unit number, type 0.
  7. Next to Inet, select the check box and click Configure.
  8. Next to Address, click Add new entry.
  9. Next to Source, type 10.1.1.1/24 and click OK.
  10. To configure another interface, ge-0/0/2, and address, 1.1.1.1/24, repeat Step 2 through Step 9 and click OK.
  11. To save and commit the configuration, click Commit.

To configure zones:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zones, click Add new entry.
  5. In the Name box, type private and click OK.
  6. Next to Security zone, click Add new entry.
  7. In the Name box, type public and click OK.
  8. To configure an interface to the private zone, click private.
  9. Next to Interfaces, click Add new entry.
  10. Next to Interface unit box, type ge-0/0/0.0 and click OK.
  11. To configure an interface to the public zone, click public.
  12. Next to Interfaces, click Add new entry.
  13. Next to Interface unit box, type ge-0/0/2.0 and click OK.
  14. To save and commit the configuration, click Commit.

To configure addresses:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure or Edit.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type private.
  6. Next to Address book, click Configure or Edit.
  7. Next to Address, click Add new entry.
  8. In the Address name box, type phone1 10.1.1.3/32 and click OK.
  9. To configure another security zone public and address books entries such as phone2 1.1.1.4/32 and proxy 1.1.1.3/32, repeat Step 4 through Step 8 and click OK.
  10. To save and commit the configuration, click Commit.

To interface Source-Nat:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Nat, click Configure.
  4. Next to Source nat, click Configure.
  5. Next to Address persistent, select the check box and click OK.
  6. Next to Interface, click Add new entry.
  7. In the Name box, type ge-0/0/2.0.
  8. Next to Allow incoming, select the check box and click OK.
  9. To save and commit the configuration, click Commit.

To configure policies:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type private.
  6. In the To zone name box, type public and click OK.
  7. Under the From zone name column, click private.
  8. Next to Policy, click Add new entry.
  9. In the Policy name box, type outgoing.
  10. Select the Match check box.
  11. Select the Then check box.
  12. Next to Match, click Configure.
  13. Next to Source address, select Source address.
  14. Next to Source address, click Add new entry.
  15. From the Value keyword list, select Enter Specific Value.
  16. In the Address box, type phone1 and click OK.
  17. From the Destination address choice list, select Destination address.
  18. Next to Destination address, click Add new entry.
  19. From the Value keyword list, select any and click OK.
  20. From the Application choice list, select Application.
  21. Next to Application, click Add new entry.
  22. In the Value keyword box, type junos-sip and click OK.
  23. Next to Then, click Configure.
  24. Next to Action, select permit and click OK.
  25. Next to Permit, click Configure.
  26. Select the Source Nat check box, and click Configure.
  27. From the Source nat list, select Interface and click OK.
  28. To save and commit the configuration, click Commit.

To configure another policy From-zone, public, and To zone, private, follow the sequence of steps listed below:

  1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type public.
  6. In the To zone name box, type private and click OK.
  7. Under the From zone name column, click public.
  8. Next to Policy, click Add new entry.
  9. In the Policy name box, type incoming.
  10. Select the Match check box.
  11. Select the Then check box.
  12. Next to Match, click Configure.
  13. Next to Source address, select Source address.
  14. Next to Source address, click Add new entry.
  15. From the Value keyword list, select any and click OK.
  16. In the Address box, type phone2 and click OK.
  17. From the Destination address choice list, select Destination address.
  18. Next to Destination address, click Add new entry.
  19. From the Value keyword list, select Enter Specific Value.
  20. In the Address box, type incoming_nat_ge-0/0/2.0 and click OK.
  21. From the Application choice list, select Application.
  22. Next to Application, click Add new entry.
  23. In the Value keyword box, type junos-sip and click OK.
  24. Next to Then, click Configure.
  25. Next to Action, select permit and click OK.
  26. To save and commit the configuration, click Commit.

CLI Configuration

  1. Configure interfaces.
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
  2. Configure zones.
    user@host# set security zones security-zone private
    user@host# set security zones security-zone public
    user@host# set security zones security-zone private interfaces ge-0/0/0.0
    user@host# set security zones security-zone public interfaces ge-0/0/2.0
  3. Configure addresses.
    user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32
    user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32
    user@host# set security zones security-zone public address-book address proxy 1.1.1.3/32
  4. Configure interface source-Nat.
    user@host# set security nat source-nat address-persistent
    user@host# set security nat interface ge-0/0/2.0 allow-incoming
  5. Configure policies.
    user@host# set security policies from-zone private to-zone public policy outgoing match source-address phone1
    user@host# set security policies from-zone private to-zone public policy outgoing match destination-address any
    user@host# set security policies from-zone private to-zone public policy outgoing match application junos-sip
    user@host# set security policies from-zone private to-zone public policy outgoing then permit source-nat interface
    user@host# set security policies from-zone public to-zone private policy incoming match source-address any
    user@host# set security policies from-zone public to-zone private policy incoming match destination-address incoming_nat_ge-0/0/2.0
    user@host# set security policies from-zone public to-zone private policy incoming match application junos-sip
    user@host# set security policies from-zone public to-zone private policy incoming then permit

Related Topic

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]