Passing H.323 ALG Traffic to a Gatekeeper in the External Zone

Because route mode does not require address mapping of any kind, a J-series device configuration for a gatekeeper in the external, or public, zone is usually identical to the configuration for a gatekeeper in an internal, or private, zone.

Before You Begin

For background information, read Understanding the H.323 ALG.

In the following example, you set up two policies to allow H.323 traffic to pass between IP phone hosts in the internal zone, and the IP phone at IP address 2.2.2.5 (and the gatekeeper) in the external zone. The J-series device can be in transparent or route mode. See Figure 68.

Figure 68: H.323 Gatekeeper in Zone2

To configure a gatekeeper in the external zone, use either J-Web or the CLI Configuration editor.

J-Web Configuration

Using the J-Web configuration editor, configure the addresses, then a policy from the internal zone to the external zone, and then a policy to allow traffic between the internal zone and the gatekeeper in the external zone, in the sequence listed below:

To configure addresses:

  1. Select Configuration > View and Edit > Edit Configuration.

    The Configuration page appears.

  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure or Edit.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type external.
  6. Next to Address book, click Configure or Edit.
  7. Next to Address, click Add new entry.
  8. In the Address name box, type ip_phone 2.2.2.5/32 and click OK.
  9. To configure another security zone internal, repeat Step 2 through Step 4 and click OK.
  10. Next to Address book, click Configure.
  11. Next to Address, click Add new entry.
  12. In the Address name box, type gatekeeper 2.2.2.10/32 and click OK.

To configure a policy from the internal zone to the external zone:

  1. Select Configuration > View and Edit > Edit Configuration.

    The Configuration page appears.

  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure or Edit.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type internal.
  6. In the To zone name box, type external and click OK.
  7. Under the From zone name column, click internal.
  8. Next to Policy, click Add new entry.
  9. In the Name box, type p_1.
  10. Select the Match check box.
  11. Select the Then check box.
  12. Next to Match, click Configure or Edit.
  13. Next to Source address, select Enter Source address and click Add new entry.
  14. From the Value keyword list, select any and click OK.
  15. Next to Destination address, click Add new entry.
  16. From the Value keyword list, select Enter Specific Value.
  17. In the Address box, type ip_phone and click OK.
  18. Next to Application, click Add new entry.
  19. In the Value keyword box, type junos-h323 and click OK.
  20. Next to Then, click Configure.
  21. Next to Action, enter permit and click OK.

To configure a policy to allow traffic between the internal zone and the gatekeeper in the external zone:

  1. Select Configuration > View and Edit > Edit Configuration.

    The Configuration page appears.

  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure or Edit.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type internal.
  6. In the To zone name box, type external and click OK.
  7. Next to Policy, click Add new entry.
  8. In the Policy name box, type p_2.
  9. Select the Match check box.
  10. Select the Then check box.
  11. Next to Match, click Configure.
  12. Next to Source address, select Enter Source address and click Add new entry.
  13. From the Value keyword list, select any and click OK.
  14. Next to Destination address, click Add new entry.
  15. From the Value keyword list, select Enter Specific Value.
  16. In the Address box, type gatekeeper and click OK.
  17. Next to Application, click Add new entry.
  18. In the Value keyword box, type junos-h323 and click OK.
  19. Next to Then, click Configure.
  20. Next to Action, enter permit and click OK.

To configure a policy to allow traffic between phones in the internal zone and the external zone:

  1. Select Configuration > View and Edit > Edit Configuration.

    The Configuration page appears.

  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure or Edit.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type external.
  6. In the To zone name box, type internal and click OK.
  7. Under the From zone name column, click external.
  8. Next to Policy, click Add new entry.
  9. In the Policy name box, type p_3.
  10. Select the Match check box.
  11. Select the Then check box.
  12. Next to Match, click Configure.
  13. Next to Source address, select Enter Source address and click Add new entry.
  14. From the Value keyword list, select ip_phone and click OK.
  15. Next to Destination address, click Add new entry.
  16. From the Value keyword list, select Enter Specific Value.
  17. In the Address box, type any and click OK.
  18. Next to Application, click Add new entry.
  19. In the Value keyword box, type junos-h323 and click OK.
  20. Next to Then, click Configure.
  21. Next to Action, enter permit and click OK.

To configure a policy to allow traffic between phones in the internal zone and the gatekeeper in the external zone:

  1. Select Configuration > View and Edit > Edit Configuration.

    The Configuration page appears.

  2. Next to Security, click Configure or Edit.
  3. Select the Policies check box, and click Configure or Edit.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type external.
  6. In the To zone name box, type internal and click OK.
  7. Next to Policy, click Add new entry.
  8. Under the From zone name column, click external.
  9. In the Policy name box, type p_4.
  10. Select the Match check box.
  11. Select the Then check box.
  12. Next to Match, click Configure.
  13. Next to Source address, select Enter Source address and click Add new entry.
  14. From the Value keyword list, select gatekeeper and click OK.
  15. Next to Destination address, click Add new entry.
  16. From the Value keyword list, select Enter Specific Value.
  17. In the Address box, type any and click OK.
  18. Next to Application, click Add new entry.
  19. In the Value keyword box, type junos-h323 and click OK.
  20. Next to Then, click Configure.
  21. Next to Action, enter permit and click OK.
  22. If you are finished configuring the J-series device, commit the configuration.

CLI Configuration

  1. Configure addresses.
    user@host# set security zones security-zone external address-book address IP_Phone 2.2.2.5/32
    user@host# set security zones security-zone internal address-book address gatekeeper 2.2.2.10/32
  2. Configure a policy from the internal zone to the external zone.
    user@host# set security policies from-zone internal to-zone external policy p_1 match source-address any
    user@host# set security policies from-zone internal to-zone external policy p_1 match destination-address IP_Phone
    user@host# set security policies from-zone internal to-zone external policy p_1 match application junos-h323
    user@host# set security policies from-zone internal to-zone external policy p_1 then permit
  3. Configure a policy to allow traffic between the internal zone and the gatekeeper in the external zone.
    user@host# set security policies from-zone internal to-zone external policy p_2 match source-address any
    user@host# set security policies from-zone internal to-zone external policy p_2 match destination-address gatekeeper
    user@host# set security policies from-zone internal to-zone external policy p_2 match application junos-h323
    user@host# set security policies from-zone internal to-zone external policy p_2 then permit
  4. Configure a policy to allow traffic between phones in the internal zone and the external zone.
    user@host# set security policies from-zone external to-zone internal policy p_3 match source-address IP_Phone
    user@host# set security policies from-zone external to-zone internal policy p_3 match destination-address any
    user@host# set security policies from-zone external to-zone internal policy p_3 match application junos-h323
    user@host# set security policies from-zone external to-zone internal policy p_3 then permit
  5. Configure a policy to allow traffic between phones in the internal zone and the gatekeeper in the external zone.
    user@host# set security policies from-zone external to-zone internal policy p_4 match source-address gatekeeper
    user@host# set security policies from-zone external to-zone internal policy p_4 match destination-address any
    user@host# set security policies from-zone external to-zone internal policy p_4 match application junos-h323
    user@host# set security policies from-zone external to-zone internal policy p_4 then permit
  6. If you are finished configuring the J-series device, commit the configuration.
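
Each policy above is built from four separate set commands, so a dropped keyword or a mistyped policy name leaves one policy incomplete and can create a stray one. The following pre-commit check is an added example, not part of the original documentation: the function name lint and the sample input are constructed for illustration, and it checks only statement structure and that address names exist in some address book, not which zone they belong to.

```python
import re

ADDR = re.compile(r"set security zones security-zone \S+ address-book address (\S+) \S+$")
POL = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                 r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")
REQUIRED = {"source-address", "destination-address", "application", "then"}

# Constructed input: three policies in the style of the CLI steps, with two typing
# slips injected (p_2 loses the "policy" keyword; one p_4 line names the policy id_4).
SAMPLE = """\
set security zones security-zone external address-book address IP_Phone 2.2.2.5/32
set security zones security-zone internal address-book address gatekeeper 2.2.2.10/32
set security policies from-zone internal to-zone external policy p_1 match source-address any
set security policies from-zone internal to-zone external policy p_1 match destination-address IP_Phone
set security policies from-zone internal to-zone external policy p_1 match application junos-h323
set security policies from-zone internal to-zone external policy p_1 then permit
set security policies from-zone internal to-zone external p_2 match source-address any
set security policies from-zone internal to-zone external policy p_2 match destination-address gatekeeper
set security policies from-zone internal to-zone external policy p_2 match application junos-h323
set security policies from-zone internal to-zone external policy p_2 then permit
set security policies from-zone external to-zone internal policy id_4 match source-address gatekeeper
set security policies from-zone external to-zone internal policy p_4 match destination-address any
set security policies from-zone external to-zone internal policy p_4 match application junos-h323
set security policies from-zone external to-zone internal policy p_4 then permit
"""

def lint(config):
    """Return findings for a block of 'set' commands, in input order."""
    addresses, policies, findings = set(), {}, []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip().removeprefix("user@host# ")  # accept lines pasted with the prompt
        if m := ADDR.match(line):
            addresses.add(m.group(1))  # address name only; the zone is not checked
        elif m := POL.match(line):
            frm, to, name, field, value, action = m.groups()
            policies.setdefault((frm, to, name), {})[field or "then"] = value or action
        elif line:
            findings.append(f"line {n}: unrecognized statement")
    for (frm, to, name), fields in policies.items():
        where = f"{frm}->{to} {name}"
        for missing in sorted(REQUIRED - set(fields)):
            findings.append(f"{where}: missing {missing}")
        for key in ("source-address", "destination-address"):
            ref = fields.get(key, "any")
            if ref != "any" and ref not in addresses:
                findings.append(f"{where}: {key} {ref} not in any address book")
    return findings

if __name__ == "__main__": print("\n".join(lint(SAMPLE)))
```

Run against the constructed sample, the check reports the unparsed line, the incomplete p_2 and p_4, and the stray id_4 policy; an empty result means every policy has a source address, a destination address, an application, and an action.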
