In this example, you configure the J-series device to accept incoming calls over a NAT boundary. To do this, you can create an interface NAT address pool for dynamically allocating destination addresses. This differs from most configurations, where a source pool provides source addresses only. See Figure 70.
Before You Begin |
---|
For background information, read Understanding the H.323 ALG. |
Figure 70: Network Address Translation—Incoming Calls
With interface NAT, the source pool uses the same address as an interface IP address. You can use such address entries as destination addresses in policies, together with H.323, SIP, or other VoIP protocols, to support incoming calls.
To configure incoming calls using NAT, use either the J-Web or CLI Configuration editor.
In the following example, you configure interfaces, a NAT address pool, zones, and security policies for incoming and outgoing traffic:
- user@host# set security zones security-zone zone1 interfaces ge-0/0/0.0
- user@host# set security zones security-zone zone1 address-book address IP_Phone1 10.1.1.5/32
- user@host# set security zones security-zone zone1 address-book address gatekeeper 10.1.1.25/32
- user@host# set security zones security-zone zone2 interfaces fe-1/0/0.0
- user@host# set security zones security-zone zone2 address-book address IP_Phone2 2.2.2.5/32
- user@host# set security zones Global
- user@host# set security policies from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address IP_Phone1
- user@host# set security policies from-zone zone1 to-zone zone2 policy zone1_to_zone2 match source-address gatekeeper
- user@host# set security policies from-zone zone1 to-zone zone2 policy zone1_to_zone2 match destination-address IP_Phone2
- user@host# set security policies from-zone zone1 to-zone zone2 policy zone1_to_zone2 match application junos-h323
- user@host# set security policies from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit source-nat pool p1
- user@host# set security policies from-zone zone2 to-zone Global policy zone2_to_Global match source-address IP_Phone2
- user@host# set security policies from-zone zone2 to-zone Global policy zone2_to_Global match destination-address incoming_nat_p1
- user@host# set security policies from-zone zone2 to-zone Global policy zone2_to_Global match application junos-h323
- user@host# set security policies from-zone zone2 to-zone Global policy zone2_to_Global then permit
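The incoming-call policy above is the one that admits traffic across the NAT boundary, so it is worth checking that it stays scoped to named addresses and to `junos-h323`. The following Python audit is an added example, not part of the Juniper documentation: it parses `set` commands in the form shown on this page and reports permit policies with an unrestricted match field or with an address name that no address-book command in the input defines. The function names are hypothetical, and `incoming_nat_p1` is reported because none of the commands shown on this page defines it.

```python
import re
from collections import defaultdict

# Constructed input: the incoming-call policy and one address entry from this page.
PAGE_INCOMING = """\
set security zones security-zone zone2 address-book address IP_Phone2 2.2.2.5/32
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match source-address IP_Phone2
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match destination-address incoming_nat_p1
set security policy from-zone zone2 to-zone Global policy zone2_to_Global match application junos-h323
set security policy from-zone zone2 to-zone Global policy zone2_to_Global then permit
"""

ADDR = re.compile(r"set security zones security-zone (\S+) address-book address (\S+) (\S+)")
# Accepts "policy" or "policies" after "set security"; Junos names the hierarchy "policies".
POL = re.compile(r"set security polic(?:y|ies) from-zone (\S+) to-zone (\S+) policy (\S+) "
                 r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny|reject))")

def parse(config):
    books = defaultdict(dict)   # zone -> {address name: prefix}
    policies = {}               # policy name -> zones, match lists, action
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR.match(line):
            books[m[1]][m[2]] = m[3]
        elif m := POL.match(line):
            p = policies.setdefault(m[3], {"from": m[1], "to": m[2], "action": None,
                "source-address": [], "destination-address": [], "application": []})
            if m[4]:
                p[m[4]].append(m[5])   # a match clause
            else:
                p["action"] = m[6]     # the "then" clause
    return books, policies

def audit(config):
    books, policies = parse(config)
    findings = []
    for name, p in policies.items():
        if p["action"] != "permit":
            continue
        for field in ("source-address", "destination-address", "application"):
            if not p[field] or "any" in p[field]:
                findings.append(f"{name}: {field} is unrestricted")
        for field, zone in (("source-address", p["from"]), ("destination-address", p["to"])):
            for a in p[field]:
                if a != "any" and a not in books[zone]:
                    findings.append(f"{name}: {a} is not defined in the {zone} address book in this input")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PAGE_INCOMING)))
```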