[j-nsp] ScreenOS and VoIP and NAT

Ivan c ivannetw at gmail.com
Mon Nov 23 01:35:09 EST 2009


It is all direct, the Alcatel Omni handles the SIP, and then hands off
to the phones, which talk direct RTP....

I am using the SIP ALG, and have set it up per the cookbook recipe....
But I still can't understand how the firewall would know how to NAT
the incoming traffic, first to the SIP server and then to each
handset....

The debug error for the SIP transaction is

flow_first_inline_vector: in <ethernet3/4>, out <N/A>

The trust to untrust SIP dip works fine.... But the incoming SIP/RTP
traffic is the issue......

On Mon, Nov 23, 2009 at 4:51 PM, Tony Frank <tony.frank at ericsson.com> wrote:
> Personally I've mainly worked in the server to server scenario, handsets are usually hidden behind a SBG or a proxy.
>
> Are you using the SIP alg ?
> In that case the netscreen will open 'pinhole' for incoming RTP based on inspection of the SIP messages passing through.
> SIP messages will be modified in flight with NAT to map the internal IP to the interface IP and vice-versa.
>
> The main concern in that case will be SIP traffic initiated from remote side, coming to a single interface IP and knowing which handset to forward to.
>
> Are incoming calls handset to SIP server, or direct handset to handset?
> Do you actually talk SIP handset to handset, or just RTP handset to handset?
>
>
> -----Original Message-----
> From: Ivan c [mailto:ivannetw at gmail.com]
> Sent: Monday, 23 November 2009 16:25
> To: Tony Frank; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ScreenOS and VoIP and NAT
>
> I am open to any ideas on how to treat the VoIP traffic that is initiated from the untrust side......
>
> So from trust to untrust I set the DIP
>
> set int e0/1 dip interface-ip incoming
>
> then the ruleset
>
> set policy from Trust to Untrust any any SIP nat permit
>
> The recipe has the untrust to trust as
>
> set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit
>
> Not sure how the netscreen knows what to NAT the incoming traffic for... The cookbook states
>
> "You can see the two flows for outbound and inbound calls, with the second row being an inbound call. Notice that although hide NAT was configured (all phones hide behind the same IP of 1.1.1.100) the firewall translates to the correct internal phone, in this case 192.168.1.1."
>
>

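As an added illustration of the ALG behaviour Tony describes (rewriting Via/Contact/SDP in flight and opening RTP pinholes from the SDP), not code from this thread or from ScreenOS: a toy Python model using the cookbook's 1.1.1.100 and 192.168.1.1 addresses; the SIP server address 203.0.113.5, the port numbers and the INVITE text are constructed for the example.

```python
import re

EXT_IP = "1.1.1.100"   # untrust interface IP from the cookbook quote

class SipAlg:
    """Toy SIP ALG: translate internal ip:port to the interface IP and remember the mapping."""
    def __init__(self, ext_ip, first_port=20000):
        self.ext_ip, self.next_port = ext_ip, first_port
        self.pinholes = {}   # (ext_ip, ext_port) -> (int_ip, int_port), opened by outbound signalling
        self.reverse = {}    # (int_ip, int_port) -> (ext_ip, ext_port), so one phone keeps one mapping

    def _map(self, int_ip, int_port):
        key = self.reverse.get((int_ip, int_port))
        if key is None:
            key = (self.ext_ip, self.next_port)
            self.next_port += 1
            self.pinholes[key] = (int_ip, int_port)
            self.reverse[(int_ip, int_port)] = key
        return key

    def outbound(self, msg):
        """Rewrite a trust -> untrust SIP message: Via/Contact headers and the SDP c=/m= lines."""
        hdr, _, sdp = msg.partition("\r\n\r\n")
        lines = []
        for line in hdr.split("\r\n"):
            if line.startswith(("Via:", "Contact:")):   # Request-URI/To are left alone
                line = re.sub(r"(\d+\.\d+\.\d+\.\d+):(\d+)",
                              lambda m: "%s:%d" % self._map(m.group(1), int(m.group(2))), line)
            lines.append(line)
        c = re.search(r"c=IN IP4 (\S+)", sdp)
        m = re.search(r"m=audio (\d+)", sdp)
        if c and m:   # the c= address plus the m= port is where RTP will come back to
            eip, eport = self._map(c.group(1), int(m.group(1)))
            sdp = sdp.replace(c.group(0), f"c=IN IP4 {eip}").replace(m.group(0), f"m=audio {eport}")
        return "\r\n".join(lines) + "\r\n\r\n" + sdp

    def inbound(self, dst_ip, dst_port):
        """First packet of an untrust -> trust flow: forwardable only if a pinhole exists."""
        return self.pinholes.get((dst_ip, dst_port))   # None: no internal destination known

INVITE = (   # constructed sample from phone 192.168.1.1 to a SIP server on the untrust side
    "INVITE sip:2000@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK1\r\n"
    "Contact: <sip:1000@192.168.1.1:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 192.168.1.1\r\nm=audio 16384 RTP/AVP 0\r\n"
)

def demo():
    alg = SipAlg(EXT_IP)
    out = alg.outbound(INVITE)                # server only ever sees 1.1.1.100
    rtp = alg.inbound(EXT_IP, 20001)          # RTP to the port the rewritten m= line advertised
    unsolicited = alg.inbound(EXT_IP, 5060)   # inbound SIP to the interface IP with no prior mapping
    return out, rtp, unsolicited
```

The last call returns nothing because no outbound signalling created a mapping, which is the situation an incoming call hits when the only identity on the untrust side is the shared interface IP.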