Configuring Static NAT for Incoming SIP Calls

When you locate the SIP proxy server in an external, or public, zone, static NAT configured on the interface to the public will enable callers in the internal, or private, zone to register with the proxy.

In this example, phone1 is on the ge-0/0/0 interface in the private zone, and phone2 and the proxy server are on the ge-0/0/2 interface in the public zone. You configure static NAT on the ge-0/0/2.0 interface to phone1, then create policies that allow SIP traffic from the public zone to the private zone, and reference the static NAT in the policy. This example is similar to the (Configuring Interface Source NAT for Incoming SIP Calls and Configuring a Source NAT Pool for Incoming SIP Calls, except that with static NAT you need one public address for each private address in the private zone, while with a DIP pool a single interface address can serve multiple private addresses. See Figure 78.

Figure 78: Static NAT for Incoming Calls

To configure static NAT for incoming calls, use either the J-Web or CLI configuration editor.

This topic covers:

• J-Web Configuration
• CLI Configuration
• Related Topics

J-Web Configuration

To configure interfaces:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Interfaces, click Configure or Edit.
3. Next to Interfaces, click Add new entry.
4. In the Interface name box, type ge-0/0/0.
5. Next to Unit, click Add new entry.
6. In the Interface unit number box, type 0.
7. Under Family, select inet and click Configure.
8. Next to Address, click Add new entry.
9. In the Source box, type 10.1.1.1/24 and click OK.
10. To configure other interface, ge-0/0/2, and to add address, repeat Step 2 through Step 9, and click OK.
11. To save and commit the configuration, click Commit.

To configure a zone and assign an interface:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure.
4. Next to Security zones, click Add new entry.
5. In the Name box, type private.
6. Next to Interfaces, click Add new entry.
7. In the Interface unit box, type ge-0/0/0.0 and click OK.
8. To save and commit the configuration, click Commit.

To configure addresses:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure.
4. Next to Security zones, click Add new entry.
5. In the Name box, type private.
6. Next to Address book, click Configure.
7. Next to Address, click Add new entry.
8. In the Address name box, type phone1 10.1.1.3/32.
9. To configure more security zones, public, and address books entries such as proxy 10.1.1.3/32 and phone2 1.1.1.4/32, repeat Step 3 through Step 8 and click OK.
10. To save and commit the configuration, click Commit.

To configure zones:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Zones, click Configure.
4. Next to Security zones, click Add new entry.
5. In the Name box, type private and click OK.
6. To specify the name of the another security zone, next to Security zone, click Add new entry.
7. In the Name box, type public and click OK.
8. To configure an interface to the private zone, click private.
9. Next to Interfaces, click Add new entry.
10. In the Interface unit box, type ge-0/0/0.0 and click OK.
11. To configure an interface to the public zone, click public.
12. Next to Interfaces, click Add new entry.
13. In the Interface unit box, type ge-0/0/0.0 and click OK.
14. To configure an interface to the private zone, click private.
15. Next to Interfaces, click Add new entry.
16. In the Interface unit box, type ge-0/0/2.0 and click OK.
17. To save and commit the configuration, click Commit.

To configure static NAT:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Nat, click Configure or Edit.
4. Next to Interfaces, click Add new entry.
5. In the Name box, type ge-0/0/2.0 and click OK.
6. Under the Name column, click ge-0/0/2.0.
7. Next to Static nat, click Add new entry.
8. In the Address box, type 1.1.1.3/32.
9. In the Host box, type 10.1.1.3/32 and click OK.
10. To save and commit the configuration, click Commit.

To configure policies:

1. Select Configuration > View and Edit > Edit Configuration. The Configuration page appears.
2. Next to Security, click Configure or Edit.
3. Next to Policies, select the check box and click Configure.
4. Next to Policy, click Add new entry.
5. In the From zone name box, type public.
6. In the To zone name box, type private and click OK.
7. Under the From zone name column, click public.
8. Next to Policy, click Add new entry.
9. In the Policy name box, type incoming.
10. Select the Match check box.
11. Select the Then check box.
12. Next to Match, click Configure.
13. Next to Source address, select Source address.
14. Next to Source address, click Add new entry.
15. From the Value keyword list, select any and click OK.
16. From the Destination address choice list, select Destination address.
17. Next to Destination address, click Add new entry.
18. From the Value keyword list, select Enter Specific Value.
19. In the Address box, type static_nat_1.1.1.3-32 and click OK.
20. From the Application choice list, select Application.
21. Next to Application, click Add new entry.
22. In the Value keyword box, type junos-jsrp and click OK.
23. Next to Then, click Configure.
24. Next to Action, select permit and click OK.
25. To save and commit the configuration, click Commit.

CLI Configuration

1. Configure interfaces.

   user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

   user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24

   user@host# set security zones security-zone private interface ge-0/0/0.0

2. Configure addresses.

   user@host# set security zones security-zone private address-book address phone1 10.1.1.3/32

   user@host# set security zones security-zone public address-book address proxy 10.1.1.3/32

   user@host# set security zones security-zone public address-book address phone2 1.1.1.4/32

3. Configure zones.

   user@host# set security zones security-zone private

   user@host# set security zones security-zone public

   user@host# set security zones security-zone private interfaces ge-0/0/0.0

   user@host# set security zones security-zone public interfaces ge-0/0/2.0

4. Configure static NAT.

   user@host# set security nat interface ge-0/0/2.0 static-nat 1.1.1.3/32 host 10.1.1.3/32

5. Configure Policies.

   user@host# set security policies from-zone public to-zone private policy incoming match source-address any destination-address static_nat_1.1.1.3-32 application junos-jsrp

   user@host# set security policies from-zone public to-zone private policy incoming then permit

Related Topics

• Understanding SIP with Network Address Translation (NAT)
• Understanding Incoming SIP Call Support Using the SIP Registrar
• Configuring Interface Source NAT for Incoming SIP Calls
• Configuring a Source NAT Pool for Incoming SIP Calls
• Configuring the SIP Proxy in the Private Zone
• Configuring a Three-Zone SIP Scenario