[j-nsp] ScreenOS and VoIP and NAT

Ivan c ivannetw at gmail.com
Sun Nov 15 17:38:59 EST 2009


No responses, so I'm guessing it's not feasible or there are no ScreenOS ninjas around?

From this I see you can configure a one-to-one MIP that isn't in the
interface IP subnet, but I want to NAT "any" source address on a
particular flow to a single IP that isn't in the egress interface
subnet.


"Before ScreenOS 6.1, MIPs could be in a different network from the
interface’s IP only on an interface in the Untrust zone. (This is an
important caveat, but it is the only caveat regarding MIPs.) You can
configure a MIP that is in the same network with its interface on any
interface in any zone. MIPs are most often used on the Untrust zone.
If you need to perform destination translation to an IP that is not in
the same network as the ingress interface, use a policy NAT-DST
translation KB11910 - [Inbound direction] How to configure Destination
Network Address Translation (NAT-Dst) in combination with a DIP if the
reverse connection is desired as well: KB11901 - [Outbound direction]
How to configure Source Network Address Translation (NAT-src) and
source Port Address Translation (PAT)."

http://kb.juniper.net/KB12835

On Fri, Nov 13, 2009 at 4:38 PM, Ivan c <ivannetw at gmail.com> wrote:
> Hey,
>
> I have a query on NAT interaction for VoIP protocols. I'll attempt
> some ascii art....
>
>                10.0.0.0/8                 192.168.1.0/30
>              Internal subnet
> Internal LAN<--------------->Netscreen<--------------->Cisco<--------------->Partner LAN
>      |                                                                           |
>      |                                                                           |
> SIP & Phones                                                                SIP & Phones
>
> Now the inter-agency subnet of 192.168.1.0/30 is used for link
> addressing and there is agreement to use other private addressing for
> services, such as VoIP... For example the subnet 192.168.100.0/24 is
> used by the Netscreen and 192.168.200.0/24 for the Cisco. So on the
> Cisco side they hide the SIP and RTP VoIP traffic behind a single
> address of 192.168.200.100 and I need to do the same on the Netscreen
> and hide the traffic behind a single IP 192.168.100.100.
>
> I can do a MIP for the SIP proxy, as it is a one-to-one correlation,
> but how do I hide multiple IPs behind a single IP that isn't in the
> Netscreen interface subnet?
>
> Is there a way to do an ANY to a single IP that is not in the egress
> interface range?
>
>
> thanks
> Ivan
>
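A sketch of how the KB's NAT-src/DIP advice maps onto the setup described in the thread, added here as an illustration and not something posted on the list. Interface names, the Netscreen link address 192.168.1.1, the extended-interface IP 192.168.100.1, the SIP proxy address 10.1.1.10 and the `set alg sip enable` command are assumptions, not from the thread.

```text
# Assumed interface naming and link addresses (not given in the thread):
#   ethernet0/1 = trust side, facing 10.0.0.0/8
#   ethernet0/2 = untrust side, 192.168.1.1/30 (Cisco assumed at 192.168.1.2)
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 192.168.1.1/30

# Extended interface IP lets DIP pool 4 live in 192.168.100.0/24, which is
# not the egress interface subnet. A single-address pool means ports are
# translated (PAT), so many phones fit behind 192.168.100.100.
set interface ethernet0/2 ext ip 192.168.100.1 255.255.255.0 dip 4 192.168.100.100 192.168.100.100

# Outbound: hide every internal source behind the DIP. Replacing "any" in
# the service column with SIP plus the RTP port range keeps the rule narrow.
set policy id 10 from trust to untrust any any any nat src dip-id 4 permit

# Inbound: one-to-one MIP for the SIP proxy (assumed 10.1.1.10), presented
# to the partner as 192.168.100.10. Only the SIP service is permitted.
set interface ethernet0/2 mip 192.168.100.10 host 10.1.1.10 netmask 255.255.255.255 vrouter trust-vr
set policy id 11 from untrust to trust any mip(192.168.100.10) SIP permit

# SIP ALG (assumed command) rewrites SDP/Contact to the translated addresses
# and opens RTP pinholes; without it only the signalling would cross the NAT.
set alg sip enable

# The Cisco side must route the hidden range back to the Netscreen link
# address, otherwise replies to 192.168.100.100 never return (IOS syntax):
ip route 192.168.100.0 255.255.255.0 192.168.1.1
```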
