[j-nsp] ScreenOS and VoIP and NAT

Tony Frank tony.frank at ericsson.com
Mon Nov 23 00:51:49 EST 2009


Personally I've mainly worked in the server-to-server scenario; handsets are usually hidden behind an SBG or a proxy.

Are you using the SIP ALG?
In that case the NetScreen will open a 'pinhole' for incoming RTP based on inspection of the SIP messages passing through.
SIP messages will be modified in flight with NAT to map the internal IP to the interface IP and vice-versa.

The main concern in that case will be SIP traffic initiated from remote side, coming to a single interface IP and knowing which handset to forward to.

Are incoming calls handset to SIP server, or direct handset to handset?
Do you actually talk SIP handset to handset, or just RTP handset to handset?


-----Original Message-----
From: Ivan c [mailto:ivannetw at gmail.com] 
Sent: Monday, 23 November 2009 16:25
To: Tony Frank; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] ScreenOS and VoIP and NAT

I am open to any ideas on how to treat the VoIP traffic that is initiated from the untrust side...

So from trust to untrust I set the DIP

set int e0/1 dip interface-ip incoming

then the ruleset

set policy from Trust to Untrust any any SIP nat permit

The recipe has the untrust to trust as

set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit

Not sure how the NetScreen knows what to NAT the incoming traffic for... The cookbook states

"You can see the two flows for outbound and inbound calls, with the second row being an inbound call. Notice that although hide NAT was configured (all phones hide behind the same IP of 1.1.1.100) the firewall translates to the correct internal phone, in this case 192.168.1.1."
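
The behaviour discussed above (a SIP ALG behind an interface-IP hide NAT rewriting SIP/SDP addresses in flight, opening RTP pinholes, and still delivering an inbound call to the right phone) as an added toy model in Python. This is not code from the thread, from ScreenOS or from the cookbook; it is a simplified illustration. The addresses 1.1.1.100 (interface IP) and 192.168.1.1 (internal phone) are taken from the cookbook quote; the SIP messages are constructed samples, and the assumption that the ALG learns which handset owns a user from the handset's REGISTER (and then routes inbound INVITEs by the Request-URI user) is this model's own mechanism, not a statement about how ScreenOS implements it.

```python
"""Toy SIP ALG with interface-IP hide NAT: rewrite, pinholes, inbound routing.

Added example, not ScreenOS code. Addresses follow the cookbook quote
(phones hide behind 1.1.1.100; one phone is 192.168.1.1). The REGISTER-based
routing of inbound calls is an assumed, simplified mechanism.
"""
import re


def parse(msg):
    """Split a SIP message into (start line, ordered header dict, body lines)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body.split("\r\n") if body else []


def build(start, headers, body):
    """Inverse of parse()."""
    head = "\r\n".join([start] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + "\r\n".join(body)


class SipAlg:
    def __init__(self, interface_ip):
        self.interface_ip = interface_ip
        self.registrations = {}   # AOR user -> internal handset IP (assumed mechanism)
        self.pinholes = {}        # public RTP port -> (internal IP, internal RTP port)
        self.next_public_port = 20000

    def _open_pinhole(self, internal_ip, internal_port):
        # Allocate a public port on the interface IP and remember where it maps.
        port = self.next_public_port
        self.next_public_port += 2          # leave room for the RTCP port
        self.pinholes[port] = (internal_ip, internal_port)
        return port

    def outbound(self, msg, src_ip):
        """Trust -> Untrust: hide src_ip behind the interface IP, open RTP pinholes."""
        start, headers, body = parse(msg)
        if start.startswith("REGISTER"):
            user = re.search(r"sip:([^@]+)@", headers.get("To", "")).group(1)
            self.registrations[user] = src_ip
        for name in ("Via", "Contact"):
            if name in headers:
                headers[name] = headers[name].replace(src_ip, self.interface_ip)
        new_body = []
        for line in body:
            if line.startswith("c="):
                line = line.replace(src_ip, self.interface_ip)
            elif line.startswith("m=audio "):
                parts = line.split()
                parts[1] = str(self._open_pinhole(src_ip, int(parts[1])))
                line = " ".join(parts)
            new_body.append(line)
        return build(start, headers, new_body)

    def inbound(self, msg):
        """Untrust -> Trust: pick the handset for a request sent to the interface IP.

        Returns (internal IP, rewritten message), or None when no handset matches
        (the firewall would have nothing to translate to and drops the request).
        """
        start, headers, body = parse(msg)
        m = re.match(r"(\w+) sip:([^@]+)@([\d.]+)", start)
        if not m or m.group(3) != self.interface_ip:
            return None
        internal_ip = self.registrations.get(m.group(2))
        if internal_ip is None:
            return None
        return internal_ip, build(start.replace(self.interface_ip, internal_ip), headers, body)

    def route_rtp(self, dst_port):
        """Where an RTP packet arriving at interface_ip:dst_port is forwarded, or None."""
        return self.pinholes.get(dst_port)


# Constructed sample messages (not captured from any real device).
REGISTER = ("REGISTER sip:pbx.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.1.1:5060\r\n"
            "To: <sip:1001@pbx.example>\r\n"
            "Contact: <sip:1001@192.168.1.1:5060>\r\n\r\n")
INVITE_OUT = ("INVITE sip:2002@pbx.example SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 192.168.1.1:5060\r\n"
              "From: <sip:1001@pbx.example>\r\n"
              "To: <sip:2002@pbx.example>\r\n"
              "Contact: <sip:1001@192.168.1.1:5060>\r\n"
              "Content-Type: application/sdp\r\n\r\n"
              "v=0\r\nc=IN IP4 192.168.1.1\r\nm=audio 4000 RTP/AVP 0")
INVITE_IN = ("INVITE sip:1001@1.1.1.100 SIP/2.0\r\n"
             "Via: SIP/2.0/UDP 203.0.113.5:5060\r\n"
             "From: <sip:2002@pbx.example>\r\n"
             "To: <sip:1001@pbx.example>\r\n\r\n"
             "v=0\r\nc=IN IP4 203.0.113.5\r\nm=audio 6000 RTP/AVP 0")

if __name__ == "__main__":
    alg = SipAlg("1.1.1.100")
    alg.outbound(REGISTER, "192.168.1.1")
    print(alg.outbound(INVITE_OUT, "192.168.1.1"))   # c=/m= and Contact now carry 1.1.1.100
    print(alg.route_rtp(20000))                      # ('192.168.1.1', 4000)
    print(alg.inbound(INVITE_IN))                    # routed to 192.168.1.1
```

The point of the model is the last call: an INVITE arriving at the single interface IP can only be forwarded if the firewall already holds state that ties the called user to a handset, which is why the policy from untrust to the interface DIP alone does not answer the question; the SIP ALG has to have seen the handset's earlier traffic. A handset that never went through the firewall (or whose state aged out) gets None here, which corresponds to a dropped inbound call.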