[j-nsp] ScreenOS and VoIP and NAT

Ivan c ivannetw at gmail.com
Mon Nov 23 00:24:39 EST 2009


I am open to any ideas on how to treat the VoIP traffic that is
initiated from the untrust side...

So from trust to untrust I set the DIP

set int e0/1 dip interface-ip incoming

then the ruleset

set policy from Trust to Untrust any any SIP nat permit

The recipe has the untrust to trust as

set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit

Not sure how the NetScreen knows what to NAT the incoming traffic
to... The cookbook states

"You can see the two flows for outbound and inbound calls, with the
second row being an inbound call. Notice that although hide NAT was
configured (all phones hide behind the same IP of 1.1.1.100) the
firewall translates to the correct internal phone, in this case
192.168.1.1."

On Mon, Nov 23, 2009 at 4:14 PM, Ivan c <ivannetw at gmail.com> wrote:
> hi Tony, thanks for replying.
>
> The problem I have is that we use an Alcatel VoIP system and every
> handset needs to talk directly rather than being proxied....
>
> So I have a SIP server and the VoIP handsets on my side and a partner
> has a SIP server and handsets on their side. The "Recipe 8.2. Configure Hide
> NAT with VoIP" in the ScreenOS cookbook works fine for trust to
> untrust, but the problem I have is the partner-initiated voice
> traffic.
>
> The interface DIP won't work as it doesn't know what to NAT the
> incoming traffic to.....
>
> thanks for any help
> Ivan
>
> On Tue, Nov 17, 2009 at 5:33 PM, Tony Frank <tony.frank at ericsson.com> wrote:
>> Hi Ivan,
>>
>>> Is there a way to do a ANY to a single IP that is not in the egress interface range?
>>
>> Have you looked at extended interface DIP?
>> See "Using DIP in a Different Subnet" in C&E volume 2, ScreenOS 6.1.0 and probably later as well.
>>
>> You could also look at using a loopback interface and applying the MIP/DIP there.
>>
>> Regards,
>> Tony
>>
>
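One way to give the partner's side a fixed, routable target for unsolicited inbound calls is the loopback MIP option Tony mentions. The following is an added configuration sketch, not part of this thread or of the ScreenOS cookbook recipe. The addresses are constructed: 192.168.1.1 is a handset on Trust (as in the cookbook quote), and 1.1.2.0/24 is an assumed second public block that the ISP or partner routes to the firewall's Untrust interface, which is what lets the MIP live outside the egress interface's own subnet (the question in the earliest quoted mail). Command syntax is written from memory of the ScreenOS C&E guide, so verify it against your release before use.

```text
# Loopback interface in the Untrust zone, bound to the physical egress
# interface with a loopback group so traffic for 1.1.2.0/24 arrives via e0/1
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.2.1/24
set interface ethernet0/1 loopback-group loopback.1

# One static 1:1 MIP per handset that must accept calls it did not start.
# A MIP is bidirectional: 192.168.1.1 leaves as 1.1.2.11, and anything sent
# to 1.1.2.11 maps back to 192.168.1.1, so no prior session is needed for
# the firewall to know where an inbound INVITE belongs.
set interface loopback.1 mip 1.1.2.11 host 192.168.1.1 netmask 255.255.255.255 vr trust-vr

# Inbound: the partner's SIP server and handsets call the MIP address
set policy from untrust to trust any mip(1.1.2.11) sip permit

# Outbound for the MIP'd handset: no DIP, the MIP rewrites the source itself.
# Keep this policy above the general hide-NAT (DIP) policy from the recipe.
set address trust phone1 192.168.1.1/32
set policy from trust to untrust phone1 any sip permit
```

The trade-off against the hide-NAT recipe is one public address per handset that must be reachable from outside; the handsets that only ever place calls can stay behind the interface DIP as before.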

