[ScreenOS] Why are incoming SIP calls not working?

Article ID: KB9093 KB Last Updated: 21 Dec 2017 Version: 6.0
Summary:
When source NAT/PAT is used to access the internet and there are SIP phones on the internal network, "incoming DIP" is needed to allow incoming calls from the internet.
Symptoms:
When only an outgoing (source NAT) policy to the internet is configured for SIP traffic, outgoing SIP calls work but incoming calls do not. For the SIP ALG to open a pinhole for an incoming SIP call, an incoming policy towards a DIP pool must be present.
Solution:

SIP calls will require different configurations based on the topology being used. If the SIP Proxy is on the untrust side, and the SIP Phones are on the trust side, use the DIP Incoming NAT feature. However, if the SIP Proxy and the SIP Phones are on the trust side, use MIP for the incoming calls.

Case 1: SIP Proxy on Untrust, and SIP Phone on Trust

The following working configuration (relevant parts only) shows how incoming SIP calls can be permitted into the local network (Trust zone) when interface NAT/PAT is used for internet access:
set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 dip interface-ip incoming

set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "DIP(ethernet3/1)" "SIP" permit
set policy id 3
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20

If a DIP pool is used for traffic to the internet, then this DIP pool needs to be configured as "incoming" (or "Incoming NAT" in the WebUI). The configuration will then look like this:
set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 dip 4 1.1.1.5 1.1.1.10 incoming

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src dip-id 4 permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "DIP(4)" "SIP" permit
set policy id 2
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20
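
A check for the Case 1 requirement above, as an added example that is not Juniper's code: it parses a saved ScreenOS configuration and reports source-NAT SIP policies that lack an "incoming" DIP or the matching reverse-direction policy. The function name and the line patterns (limited to the command forms shown in this article) are assumptions; Case 2 (MIP) configurations are out of scope.

```python
import re

# From the article's DIP-pool configuration (Case 1), reduced to the relevant lines.
GOOD = '''set interface "ethernet3/1" zone "Untrust"
set interface ethernet3/1 dip 4 1.1.1.5 1.1.1.10 incoming
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src dip-id 4 permit
set policy id 2 from "Untrust" to "Trust"  "Any" "DIP(4)" "SIP" permit
'''
# Constructed broken variant: the "incoming" keyword is missing from the DIP pool.
BROKEN = GOOD.replace(" incoming", "")

ZONE_RE = re.compile(r'^set interface "?([^"\s]+)"? zone "?([^"\s]+)"?$')
DIP_RE = re.compile(r'^set interface "?([^"\s]+)"? dip (interface-ip|\d+)\b(.*)$')
POL_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
                    r'"[^"]+" "([^"]+)" "([^"]+)" (.*)$')

def audit_incoming_sip(config):
    """Case 1 check (hypothetical helper): every source-NAT SIP policy needs an
    'incoming' DIP and a reverse-direction SIP permit whose destination is that DIP."""
    zones, dips, outbound, inbound = {}, {}, [], set()
    for line in map(str.strip, config.splitlines()):
        if m := ZONE_RE.match(line):
            zones[m[1]] = m[2]
        elif m := DIP_RE.match(line):
            # DIP(...) is named after the interface for interface-ip, else the pool id
            name = m[1] if m[2] == "interface-ip" else m[2]
            dips[name] = (m[1], "incoming" in m[3].split())
        elif m := POL_RE.match(line):
            pid, src, dst, dest_addr, svc, action = m.groups()
            words = action.split()
            if svc != "SIP" or "permit" not in words:
                continue
            if "nat" in words and "src" in words:
                pool = words[words.index("dip-id") + 1] if "dip-id" in words else None
                outbound.append((pid, src, dst, pool))
            elif d := re.fullmatch(r"DIP\((.+)\)", dest_addr):
                inbound.add((src, dst, d[1]))
    findings = []
    for pid, src, dst, pool in outbound:
        # Without dip-id, candidates are the interface-ip DIPs in the egress zone
        names = [pool] if pool else [n for n, (ifc, _) in dips.items()
                                     if n == ifc and zones.get(ifc) == dst]
        ok = [n for n in names if dips.get(n, ("", False))[1]]
        if not ok:
            findings.append(f"policy {pid}: no DIP marked 'incoming' for source NAT")
        elif not any((dst, src, n) in inbound for n in ok):
            findings.append(f"policy {pid}: no {dst}->{src} SIP permit to DIP({ok[0]})")
    return findings
```

An empty list means every outbound SIP source-NAT policy has its incoming counterpart; each finding names the policy id to fix.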
 

Case 2: SIP Proxy and SIP Phone on Trust

In this scenario, a MIP is defined for the SIP Proxy. The SIP Proxy is at 192.168.1.2, and the MIP for that SIP Proxy is 1.1.1.10.

set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 mip 1.1.1.10 host 192.168.1.2 netmask 255.255.255.255
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "MIP(1.1.1.10)" "SIP" permit
set policy id 3
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20
 

Warning: Before incoming calls can be made, the SIP Phones must register with the SIP Proxy, and the DID numbers must be configured properly on the SIP Proxy so that calls can be received by the SIP phone.

Modification History:
2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. Made changes to reflect configuration of non-EOL devices. Article is correct and complete.