Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Steps to configure incoming NAT

1

0

Article ID: KB35364 KB Last Updated: 16 Mar 2020Version: 1.0
Summary:

This article describes how to configure incoming NAT for traffic that has inbound and outbound connectivity.

 

Symptoms:

For VoIP phones, there is a need for inbound and outbound connectivity because calls can be made from and to a phone. Because there are many phones and not enough public IP addresses, ​it is not feasible to configure a static destination translation for each phone.

Unfortunately, protocols that are capable of solving this dilemma, such as the SIP protocol, are generally not compatible with stateful firewalls because they are exploiting a security weakness in simple NAT devices to open ​inbound pinholes.

 

Solution:

In ScreenOS, application intelligence is built into the VoIP ALGs for the Session Initiation Protocol (SIP) and H.323, facilitating translation from the shared NAT address to the right internal phone. The ALG dynamically records phone IP addresses as it monitors initial REGISTER messages sent by internal phones to the SIP registrar. This information is used later for the reverse connection. You can enable this feature by configuring an incoming dynamic IP pool (DIP).

From CLI

set int e0/1 dip 4 1.1.1.100 incoming
set policy from Trust to Untrust any any SIP nat dip-id 4 permit
set policy from Untrust to Trust any DIP(1.1.1.100) SIP permit

From WebUI

  1. ​Open the WebUI. For more information on accessing the WebUI, go to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

  2. From the ScreenOS options menu, select Network > Interface > List.

  3. From the list, select the interface to configure DIP, then select DIP under Properties.

  1. The ID portion has an ID value by default. This ID value can be modified and must be between (4-1023).

  2. Specify an IP Address Range and select the "In the same subnet as interface IP or its secondary IPs" option.

  3. Select the Incoming NAT check box and click OK.

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search