Concepts & Examples ScreenOS Reference Guide

Volume 6: Voice-over-Internet Protocol

Release 6.2.0, Rev. 01

Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000

www.juniper.net
Part Number: 530-023768-01, Revision 01

Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected. 
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.


Table of Contents
About This Volume
    Document Conventions
        Web User Interface Conventions
        Command Line Interface Conventions
        Naming Conventions and Character Types
        Illustration Conventions
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC
    Document Feedback

Chapter 1 H.323 Application Layer Gateway
    Overview
    Alternate Gatekeeper
    Examples
        Example: Gatekeeper in the Trust Zone
        Example: Gatekeeper in the Untrust Zone
        Example: Outgoing Calls with NAT
        Example: Incoming Calls with NAT
        Example: Gatekeeper in the Untrust Zone with NAT

Chapter 2 Session Initiation Protocol Application Layer Gateway
    Overview
        SIP Request Methods
        Classes of SIP Responses
        SIP Application Layer Gateway
        Session Description Protocol Sessions
        Pinhole Creation
        Session Inactivity Timeout
        SIP Attack Protection
            Example: SIP Protect Deny
            Example: UDP Flooding Protection
    SIP with Network Address Translation
        Outgoing Calls
        Incoming Calls
        Forwarded Calls
        Call Termination
        Call Re-INVITE Messages
        Call Session Timers
        Call Cancellation
        Forking
        SIP Messages
        SIP Headers
        SIP Body
    Examples
        SIP NAT Scenario
        Incoming SIP Call Support Using the SIP Registrar
        Example: Incoming Call (Interface DIP)
        Example: Incoming Call (DIP Pool)
        Example: Incoming Call with MIP
        Example: Proxy in the Private Zone
        Example: Proxy in the Public Zone
        Example: Three-Zone
        Example: Untrust Intrazone
        Example: Trust Intrazone
        Example: Full-Mesh VPN for SIP
    Bandwidth Management for VoIP Services

Chapter 3 Media Gateway Control Protocol Application Layer Gateway
    Overview
        MGCP Security
        About MGCP
        Entities in MGCP
            Endpoint
            Connection
            Call
            Call Agent
        Commands
        Response Codes
    Examples
        Media Gateway in Subscribers’ Homes—Call Agent at the ISP
        ISP-Hosted Service

Chapter 4 Skinny Client Control Protocol Application Layer Gateway
    Overview
        SCCP Security
        About SCCP
        SCCP Components
            SCCP Client
            Call Manager
            Cluster
        SCCP Transactions
            Client Initialization
            Client Registration
            Call Setup
            Media Setup
        SCCP Control Messages and RTP Flow
        SCCP Messages
    Examples
        Example: Call Manager/TFTP Server in the Trust Zone
        Example: Call Manager/TFTP Server in the Untrust Zone
        Example: Three-Zone, Call Manager/TFTP Server in the DMZ
        Example: Intrazone, Call Manager/TFTP Server in Trust Zone
        Example: Intrazone, Call Manager/TFTP Server in Untrust Zone
        Example: Full-Mesh VPN for SCCP

Chapter 5 Apple iChat Application Layer Gateway
    Overview
    Configuring the AppleiChat ALG
    Configuration Examples
        Scenario 1: Private–Public Network
        Scenario 2: Intrazone Call Within Private Network
        Scenario 3: Users Across Different Networks

Index


About This Volume

Volume 6: Voice-over-Internet Protocol describes the supported VoIP Application Layer Gateways (ALGs) and contains the following chapters:

Chapter 1, “H.323 Application Layer Gateway,” describes the H.323 protocol and provides examples of typical scenarios.

Chapter 2, “Session Initiation Protocol Application Layer Gateway,” describes the Session Initiation Protocol (SIP) and shows how the SIP ALG processes calls in route and Network Address Translation (NAT) modes. Examples of typical scenarios follow a summary of the SIP architecture.

Chapter 3, “Media Gateway Control Protocol Application Layer Gateway,” presents an overview of the Media Gateway Control Protocol (MGCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the MGCP architecture.

Chapter 4, “Skinny Client Control Protocol Application Layer Gateway,” presents an overview of the Skinny Client Control Protocol (SCCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the SCCP architecture.

Chapter 5, “Apple iChat Application Layer Gateway,” presents an overview of the AppleiChat ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the AppleiChat architecture.

Document Conventions

This document uses the conventions described in the following sections:
    “Web User Interface Conventions” on page viii
    “Command Line Interface Conventions” on page viii
    “Naming Conventions and Character Types” on page ix
    “Illustration Conventions” on page x

Web User Interface Conventions

The Web user interface (WebUI) contains a navigational path and configuration settings. To enter configuration settings, begin by clicking a menu item in the navigation tree on the left side of the screen. As you proceed, your navigation path appears at the top of the screen, with each page separated by angle brackets. The following example shows the WebUI path and parameters for defining an address:

    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: addr_1
        IP Address/Domain Name:
            IP/Netmask: (select), 10.2.2.5/32
        Zone: Untrust

To open Online Help for configuration settings, click the question mark (?) in the upper left of the screen. The navigation tree also provides a Help > Config Guide configuration page to help you configure security policies and Internet Protocol Security (IPSec). Select an option from the list, and follow the instructions on the page. Click the ? character in the upper left for Online Help on the Config Guide.

Command Line Interface Conventions

The following conventions are used to present the syntax of command line interface (CLI) commands in text and examples. In text, commands are in boldface type and variables are in italic type. In examples:
    Variables are in italic type.
    Anything inside square brackets [ ] is optional.
    Anything inside braces { } is required.
    If there is more than one choice, each choice is separated by a pipe ( | ). For example, the following command means “set the management options for the ethernet1, the ethernet2, or the ethernet3 interface”:

        set interface { ethernet1 | ethernet2 | ethernet3 } manage

NOTE: When entering a keyword, you only have to type enough letters to identify the word uniquely. Typing set adm u whee j12fmt54 will enter the command set admin user wheezer j12fmt54. However, all the commands documented in this guide are presented in their entirety.

Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objects—such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones—defined in ScreenOS configurations:
    If a name string includes one or more spaces, the entire string must be enclosed within double quotes; for example:

        set address trust “local LAN” 10.1.1.0/24

    Any leading spaces or trailing text within a set of double quotes are trimmed; for example, “ local LAN ” becomes “local LAN”.
    Multiple consecutive spaces are treated as a single space.
    Name strings are case-sensitive, although many CLI keywords are case-insensitive. For example, “local LAN” is different from “local lan”.

ScreenOS supports the following character types:
    Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.
    ASCII characters from 32 (0x20 in hexadecimals) to 255 (0xff), except double quotes ( “ ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.

NOTE: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your browser supports.

Illustration Conventions

Figure 1 shows the basic set of images used in illustrations throughout this volume.

Figure 1: Images in Illustrations (legend: Autonomous System or Virtual Routing Domain; Security Zone; Local Area Network (LAN) with a Single Subnet or Security Zone; Internet; Dynamic IP (DIP) Pool; Security Zone Interfaces: White = Protected Zone Interface (example = Trust Zone), Black = Outside Zone Interface (example = Untrust Zone); Policy Engine; Generic Network Device; Tunnel Interface; Server; VPN Tunnel; Router; Juniper Networks Security Devices; Switch; Hub)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
    JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
    Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
    JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
    Find CSC offerings—http://www.juniper.net/customers/support/
    Find product documentation—http://www.juniper.net/techpubs/
    Find solutions and answer questions using our Knowledge Base—http://kb.juniper.net/
    Download the latest versions of software and review your release notes—http://www.juniper.net/customers/csc/software/
    Search technical bulletins for relevant hardware and software notifications—http://www.juniper.net/alerts/
    Join and participate in the Juniper Networks Community Forum—http://www.juniper.net/company/communities/
    Open a case online in the CSC Case Manager—http://www.juniper.net/customers/cm/
    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool—https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.
    Use the Case Manager tool in the CSC at http://www.juniper.net/customers/cm/
    Call 1-888-314-JTAC (1-888-314-5822—toll free in USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/customers/support/requesting-support/.

Document Feedback

If you find any errors or omissions in this document, contact Juniper Networks at techpubs-comments@juniper.net.


Chapter 1
H.323 Application Layer Gateway

This chapter describes the H.323 protocol and provides examples for configuring the H.323 Application Layer Gateway (ALG) on a Juniper Networks security device. This chapter contains the following sections:
    “Overview” on page 1
    “Alternate Gatekeeper” on page 2

Overview

The H.323 Application Layer Gateway (ALG) allows you to secure voice over IP (VoIP) communication between terminal endpoints such as IP phones and multimedia devices. In such a telephony system, gatekeeper devices manage call registration, admission, and call status for VoIP calls. Gatekeepers can reside in the two different zones or in the same zone.

Figure 2: H.323 Protocol (a gatekeeper and an endpoint in the Trust zone, a gatekeeper and an endpoint in the Untrust zone reached across the Internet, with Permit policies between the two zones)

NOTE: Illustrations in this chapter use IP phones for illustrative purposes, although it is possible to make configurations for other hosts that use VoIP, such as NetMeeting multimedia devices.

Alternate Gatekeeper

The H.323 ALG in ScreenOS supports the use of an alternate gatekeeper. All the IP end points must register with a gatekeeper through the Registration, Admission, and Status (RAS) protocol before they can attempt calls between them. During the registration process, the primary gatekeeper sends Gatekeeper Confirm (GCF) and Registration Confirm (RCF) messages to the endpoint. These messages contain the list of available alternate gatekeepers. If the primary gatekeeper fails, IP-enabled phones and other multimedia devices registered with that gatekeeper are registered with the alternate gatekeeper. The alternate gatekeeper provides high availability, redundancy and scalability for the IP end points.

To use the alternate gatekeeper feature, you need to configure a security policy that allows the endpoint device to reach the alternate gatekeeper when the endpoint cannot reach the primary gatekeeper. You can configure the primary and alternate gatekeepers in the Trust, Untrust, or DMZ zones.

NOTE: Currently, the Juniper Networks H.323 ALG supports the gatekeeper and the alternate gatekeeper in the same zone.

Examples

This section contains the following configuration scenarios:
    “Example: Gatekeeper in the Trust Zone” on page 2
    “Example: Gatekeeper in the Untrust Zone” on page 4
    “Example: Outgoing Calls with NAT” on page 5
    “Example: Incoming Calls with NAT” on page 8
    “Example: Gatekeeper in the Untrust Zone with NAT” on page 10

Example: Gatekeeper in the Trust Zone

In the following example, you set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the Trust zone, and an IP phone host (2.2.2.5) in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain. In this example, the security device can be in either transparent or route mode.

Figure 3: H.323 Gatekeeper in the Trust Zone (gatekeeper and endpoint IP phones in the Trust zone; endpoint IP phone 2.2.2.5 in the Untrust zone, reached across the Internet)

WebUI

1. Address
    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: IP_Phone
        IP Address/Domain Name:
            IP/Netmask: (select), 2.2.2.5/32
        Zone: Untrust

2. Policies
    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), Any
        Destination Address:
            Address Book Entry: (select), IP_Phone
        Service: H.323
        Action: Permit

    Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), IP_Phone
        Destination Address:
            Address Book Entry: (select), Any
        Service: H.323
        Action: Permit

CLI

1. Address
        set address untrust IP_Phone 2.2.2.5/32

2. Policies
        set policy from trust to untrust any IP_Phone h.323 permit
        set policy from untrust to trust IP_Phone any h.323 permit
        save

Example: Gatekeeper in the Untrust Zone

Because transparent and route modes do not require address mapping of any kind, security device configuration for a gatekeeper in the Untrust zone is usually identical to the configuration for a gatekeeper in the Trust zone. In the following example, you set up two policies to allow H.323 traffic to pass between IP phone hosts in the Trust zone, and the IP phone at IP address 2.2.2.5 (and the gatekeeper) in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain. The device can be in transparent or route mode.

Figure 4: H.323 Gatekeeper in the Untrust Zone (IP phones on the Trust zone LAN; IP_Phone 2.2.2.5 and the gatekeeper in the Untrust zone, reached across the Internet)

WebUI

1. Addresses
    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: IP_Phone
        IP Address/Domain Name:
            IP/Netmask: (select), 2.2.2.5/32
        Zone: Untrust

    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: Gatekeeper
        IP Address/Domain Name:
            IP/Netmask: (select), 2.2.2.10/32
        Zone: Untrust

2. Policies
    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), Any
        Destination Address:
            Address Book Entry: (select), IP_Phone
        Service: H.323
        Action: Permit

    Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), IP_Phone
        Destination Address:
            Address Book Entry: (select), Any
        Service: H.323
        Action: Permit

    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), Any
        Destination Address:
            Address Book Entry: (select), Gatekeeper
        Service: H.323
        Action: Permit

    Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), Gatekeeper
        Destination Address:
            Address Book Entry: (select), Any
        Service: H.323
        Action: Permit

CLI

1. Addresses
        set address untrust IP_Phone 2.2.2.5/32
        set address untrust gatekeeper 2.2.2.10/32

2. Policies
        set policy from trust to untrust any IP_Phone h.323 permit
        set policy from untrust to trust IP_Phone any h.323 permit
        set policy from trust to untrust any gatekeeper h.323 permit
        set policy from untrust to trust gatekeeper any h.323 permit
        save

Example: Outgoing Calls with NAT

When the security device uses NAT (Network Address Translation), a gatekeeper or endpoint device in the Trust zone has a private address, and when it is in the Untrust zone it has a public address. When you set a security device in NAT mode, you must map a public IP address to each device that needs to receive incoming traffic with a private address.

In this example, the devices in the Trust zone include the endpoint host (10.1.1.5) and the gatekeeper device (10.1.1.25). IP_Phone2 (2.2.2.5) is in the Untrust zone. You configure the security device to allow traffic between the endpoint host IP_Phone1 and the gatekeeper in the Trust zone and the endpoint host IP_Phone2 in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.

Figure 5: Network Address Translation—Outgoing Calls (Trust zone: ethernet1 10.1.1.1/24, IP_Phone1 10.1.1.5, Gatekeeper 10.1.1.25; Untrust zone: ethernet3 1.1.1.1/24, gateway 1.1.1.250, IP_Phone2 2.2.2.5 across the Internet; MIP 1.1.1.5 -> 10.1.1.5 and MIP 1.1.1.25 -> 10.1.1.25)

WebUI

1. Interfaces
    Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
        Zone Name: Trust
        Static IP: (select this option when present)
        IP Address/Netmask: 10.1.1.1/24
    Select the following, then click OK:
        Interface Mode: NAT

    Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
        Zone Name: Untrust
        Static IP: (select this option when present)
        IP Address/Netmask: 1.1.1.1/24

2. Addresses
    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: IP_Phone1
        IP Address/Domain Name:
            IP/Netmask: (select), 10.1.1.5/32
        Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: Gatekeeper
        IP Address/Domain Name:
            IP/Netmask: (select), 10.1.1.25/32
        Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
        Address Name: IP_Phone2
        IP Address/Domain Name:
            IP/Netmask: (select), 2.2.2.5/32
        Zone: Untrust

3. Mapped IP Addresses
    Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, then click OK:
        Mapped IP: 1.1.1.5
        Netmask: 255.255.255.255
        Host IP Address: 10.1.1.5
        Host Virtual Router Name: trust-vr

    Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, then click OK:
        Mapped IP: 1.1.1.25
        Netmask: 255.255.255.255
        Host IP Address: 10.1.1.25
        Host Virtual Router Name: trust-vr

4. Route
    Network > Routing > Destination > trust-vr New: Enter the following, then click OK:
        Network Address/Netmask: 0.0.0.0/0
        Gateway: (select)
        Interface: ethernet3
        Gateway IP Address: 1.1.1.250

5. Policies
    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), IP_Phone1
        Destination Address:
            Address Book Entry: (select), IP_Phone2
        Service: H.323
        Action: Permit

    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), Gatekeeper
        Destination Address:
            Address Book Entry: (select), IP_Phone2
        Service: H.323
        Action: Permit

    Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), IP_Phone2
        Destination Address:
            Address Book Entry: (select), MIP(1.1.1.5)
        Service: H.323
        Action: Permit

    Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
        Source Address:
            Address Book Entry: (select), IP_Phone2
        Destination Address:
            Address Book Entry: (select), MIP(1.1.1.25)
        Service: H.323
        Action: Permit

CLI

1. Interfaces
        set interface ethernet1 zone trust
        set interface ethernet1 ip 10.1.1.1/24
        set interface ethernet3 zone untrust
        set interface ethernet3 ip 1.1.1.1/24

2. Addresses
        set address trust IP_Phone1 10.1.1.5/32
        set address trust gatekeeper 10.1.1.25/32
        set address untrust IP_Phone2 2.2.2.5/32

3. Mapped IP Addresses
        set interface ethernet3 mip 1.1.1.5 host 10.1.1.5
        set interface ethernet3 mip 1.1.1.25 host 10.1.1.25

4. Route
        set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies
        set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
        set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
        set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
        set policy from untrust to trust IP_Phone2 mip(1.1.1.25) h.323 permit
        save

Example: Incoming Calls with NAT

In this example, you configure the security device to accept incoming calls over a NAT boundary. To do this, you can create a DIP address pool for dynamically allocating destination addresses. This differs from most configurations, where a DIP pool provides source addresses only. The keyword “incoming” instructs the device to add the DIP and interface addresses to the global zone. You can use such address entries as destination addresses in policies, together with the services H.323, SIP, or other VoIP (Voice-over-IP) protocols, to support incoming calls. The name of the DIP pool can be DIP(id_num) for a user-defined DIP, or DIP(interface) when the DIP pool uses the same address as an interface IP address. The following example uses DIP in an H.323 VoIP configuration.

Figure 6: Network Address Translation—Incoming Calls (Trust zone LAN behind ethernet1 10.1.1.1/24; ethernet3 1.1.1.1/24 in the Untrust zone toward the Internet; DIP Pool ID 5, 1.1.1.12 ~ 1.1.1.150)
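The address, MIP and policy statements of Example: Outgoing Calls with NAT, replayed through a small policy model. This is an added example written for this guide, not ScreenOS code: the `Device` and `Policy` names, the first-match evaluation and the interzone default deny are modelling assumptions, and the flows it checks are constructed. It shows that an Untrust caller reaches only the two mapped hosts, and only over H.323.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed input: the CLI lines of "Example: Outgoing Calls with NAT".
EXAMPLE_CONFIG = """
set address trust IP_Phone1 10.1.1.5/32
set address trust gatekeeper 10.1.1.25/32
set address untrust IP_Phone2 2.2.2.5/32
set interface ethernet3 mip 1.1.1.5 host 10.1.1.5
set interface ethernet3 mip 1.1.1.25 host 10.1.1.25
set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.25) h.323 permit
"""

# A policy destination written as mip(<public address>)
MIP_REF = re.compile(r"^mip\((\d+\.\d+\.\d+\.\d+)\)$", re.IGNORECASE)


class Policy(NamedTuple):
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str


class Device:
    """Address book, MIP table and ordered policy list (a model, not ScreenOS itself)."""

    def __init__(self) -> None:
        # (zone, name) -> network; zones compared case-insensitively, names case-sensitively
        self.addresses: Dict[Tuple[str, str], ipaddress.IPv4Network] = {}
        self.mips: Dict[str, str] = {}  # mapped (public) IP -> private host IP
        self.policies: List[Policy] = []


def parse_config(text: str) -> Device:
    """Load the address, MIP and plain policy statements; any other line is ignored."""
    dev = Device()
    for line in text.strip().splitlines():
        p = line.split()
        if p[:2] == ["set", "address"]:
            # set address <zone> <name> <ip/prefix>
            dev.addresses[(p[2].lower(), p[3])] = ipaddress.ip_network(p[4], strict=False)
        elif p[:2] == ["set", "interface"] and "mip" in p:
            # set interface <ifname> mip <public> host <private>
            dev.mips[p[p.index("mip") + 1]] = p[p.index("host") + 1]
        elif p[:2] == ["set", "policy"] and len(p) == 10 and p[2] == "from" and p[4] == "to":
            # set policy from <zone> to <zone> <src> <dst> <service> <action>
            dev.policies.append(Policy(p[3].lower(), p[5].lower(), p[6], p[7], p[8], p[9]))
    return dev


def _addr_matches(dev: Device, zone: str, spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec.lower() == "any":
        return True
    net = dev.addresses.get((zone, spec))
    return net is not None and ip in net


def _dst_matches(dev: Device, zone: str, spec: str,
                 ip: ipaddress.IPv4Address) -> Tuple[bool, Optional[str]]:
    """A mip(...) destination matches only the mapped public address and yields its host."""
    m = MIP_REF.match(spec)
    if m:
        public = m.group(1)
        if public in dev.mips and ip == ipaddress.ip_address(public):
            return True, dev.mips[public]
        return False, None
    return _addr_matches(dev, zone, spec, ip), str(ip)


def evaluate(dev: Device, from_zone: str, to_zone: str, src_ip: str, dst_ip: str,
             service: str) -> Tuple[str, Optional[str]]:
    """First matching policy wins; returns (action, destination after MIP translation).

    No match falls through to the interzone default, which is deny.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in dev.policies:
        if (pol.from_zone, pol.to_zone) != (from_zone.lower(), to_zone.lower()):
            continue
        if pol.service.lower() not in (service.lower(), "any"):
            continue
        if not _addr_matches(dev, pol.from_zone, pol.src, src):
            continue
        matched, translated = _dst_matches(dev, pol.to_zone, pol.dst, dst)
        if matched:
            return pol.action, translated
    return "deny", None


if __name__ == "__main__":
    device = parse_config(EXAMPLE_CONFIG)
    # IP_Phone2 calling the gatekeeper's MIP is translated; an unmapped address is dropped
    for flow in [("untrust", "trust", "2.2.2.5", "1.1.1.25", "h.323"),
                 ("untrust", "trust", "2.2.2.5", "1.1.1.99", "h.323")]:
        print(flow, "->", evaluate(device, *flow))
```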

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK:
Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24

2. Addresses
Policy > Policy Elements > Addresses > List > New (for Trust): Enter the following, then click OK:
Address Name: IP_Phones1
IP Address/Domain Name: IP/Netmask: (select), 10.1.1.5/24
Zone: Trust

Policy > Policy Elements > Addresses > List > New (for Untrust): Enter the following, then click OK:
Address Name: IP_Phone2
IP Address/Domain Name: IP/Netmask: (select), 2.2.2.5/32
Zone: Untrust

3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:
ID: 5
IP Address Range: (select), 1.1.1.12 ~ 1.1.1.150
Port Translation: (select)
In the same subnet as the interface IP or its secondary IPs: (select)
Incoming NAT: (select)

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), IP_Phones1
Destination Address: Address Book Entry: (select), Any
Service: H.323
Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), IP_Phone2
Destination Address: Address Book Entry: (select), DIP(5)
Service: H.323
Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses
set address trust IP_Phones1 10.1.1.5/24
set address untrust IP_Phone2 2.2.2.5/32

3. DIP with Incoming NAT
set interface ethernet3 dip 5 1.1.1.12 1.1.1.150 incoming

4. Policies
set policy from trust to untrust IP_Phones1 any h.323 nat src dip 5 permit
set policy from untrust to trust IP_Phone2 dip(5) h.323 permit
save

Example: Gatekeeper in the Untrust Zone with NAT

In this example, the gatekeeper device (2.2.2.25) and host IP_Phone2 (2.2.2.5) are in the Untrust zone and host IP_Phone1 (10.1.1.5) is in the Trust zone. You configure the security device to allow traffic between host IP_Phone1 in the Trust zone and host IP_Phone2 (and the gatekeeper) in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.

Figure 7: Gatekeeper in the Untrust Zone (diagram: IP_Phone1 10.1.1.5 on the LAN behind ethernet1 10.1.1.1/24, NAT mode, Trust Zone; MIP 1.1.1.5 -> 10.1.1.5 on ethernet3 1.1.1.1/24 with gateway 1.1.1.250 toward the Internet; IP_Phone2 2.2.2.5 and Gatekeeper 2.2.2.25 in the Untrust Zone)

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK:
Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24

2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: IP_Phone1
IP Address/Domain Name: IP/Netmask: (select), 10.1.1.5/32
Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: IP_Phone2
IP Address/Domain Name: IP/Netmask: (select), 2.2.2.5/32
Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: Gatekeeper
IP Address/Domain Name: IP/Netmask: (select), 2.2.2.25/32
Zone: Untrust

3. Mapped IP Address
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, then click OK:
Mapped IP: 1.1.1.5
Netmask: 255.255.255.255
Host IP Address: 10.1.1.5

4. Route
Network > Routing > Destination > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250

5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), IP_Phone1
Destination Address: Address Book Entry: (select), IP_Phone2
Service: H.323
Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), IP_Phone1
Destination Address: Address Book Entry: (select), Gatekeeper
Service: H.323
Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), IP_Phone2
Destination Address: Address Book Entry: (select), MIP(1.1.1.5)
Service: H.323
Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), Gatekeeper
Destination Address: Address Book Entry: (select), MIP(1.1.1.5)
Service: H.323
Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses
set address trust IP_Phone1 10.1.1.5/32
set address untrust IP_Phone2 2.2.2.5/32
set address untrust gatekeeper 2.2.2.25/32

3. Mapped IP Addresses
set interface ethernet3 mip 1.1.1.5 host 10.1.1.5

4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies
set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
set policy from trust to untrust IP_Phone1 gatekeeper h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
set policy from untrust to trust gatekeeper mip(1.1.1.5) h.323 permit
save


Chapter 2
Session Initiation Protocol Application Layer Gateway

This chapter describes the Session Initiation Protocol (SIP) Application Layer Gateway (ALG) and contains the following sections:
“Overview” on page 15
“SIP with Network Address Translation” on page 25
“Examples” on page 32

Overview

Session Initiation Protocol (SIP) is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

Juniper Networks security devices support SIP as a service and can screen SIP traffic, allowing and denying it based on a policy that you configure. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port.

SIP’s primary function is to distribute session-description information and, during the session, to negotiate and modify the parameters of the session. SIP is also used to terminate a multimedia session.

Session-description information is included in INVITE and ACK messages and indicates the multimedia type of the session, for example, voice or video. Although SIP can use different description protocols to describe the session, the Juniper Networks SIP ALG supports only Session Description Protocol (SDP).

SDP provides information that a system can use to join a multimedia session. SDP might include information such as IP addresses, port numbers, times, and dates. Note that the IP address and port number in the SDP header (the “c=” and “m=” fields, respectively) are the address and port where the client wants to receive the media streams and not the IP address and port number from which the SIP request originates (although they can be the same). See “Session Description Protocol Sessions” on page 20 for more information.

SIP messages consist of requests from a client to a server and responses to the requests from a server to a client with the purpose of establishing a session (or a call). A User Agent (UA) is an application that runs at the endpoints of the call and consists of two parts: the User Agent Client (UAC), which sends SIP requests on behalf of the user, and a User Agent Server (UAS), which listens to the responses and notifies the user when they arrive. Examples of UAs are SIP proxy servers and phones.

SIP Request Methods

The SIP transaction model includes a number of request and response messages, each of which contains a method field that denotes the purpose of the message. ScreenOS supports the following method types and response codes:

INVITE—A user sends an INVITE request to invite another user to participate in a session. The body of an INVITE request may contain the description of the session. In NAT mode, the IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

ACK—The user from whom the INVITE originated sends an ACK request to confirm reception of the final response to the INVITE request. If the original INVITE request did not contain the session description, the ACK request must include it. In NAT mode, the IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

OPTIONS—Used by the User Agent (UA) to obtain information about the capabilities of the SIP proxy. A server responds with information about what methods, session description protocols, and message encoding it supports. In NAT mode, when the OPTIONS request is sent from a UA outside NAT to a proxy inside NAT, the SIP ALG translates the address in the Request-URI and the IP address in the To: field to the appropriate IP address of the internal client. When the UA is inside NAT and the proxy is outside NAT, the SIP ALG translates the From, Via, Contact, and Call-ID fields as shown in Table 2 on page 29.

BYE—A user sends a BYE request to abandon a session. A BYE request from either user automatically terminates the session. In NAT mode, the IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

CANCEL—A user can send a CANCEL request to cancel a pending INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE had sent a final response for the INVITE before it received the CANCEL. In NAT mode, the IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

REGISTER—A user sends a REGISTER request to a SIP registrar server to inform it of the current location of the user. A SIP registrar server records all the information it receives in REGISTER requests and makes this information available to any SIP server attempting to locate a user. Incoming REGISTER messages are allowed only to a MIP or VIP address. In NAT mode, REGISTER requests are handled as follows:

REGISTER requests from an external client to an internal registrar—When the SIP ALG receives the incoming REGISTER request, it translates the IP address, if any, in the Request-URI. No translation is needed for the outgoing response.

REGISTER requests from an internal client to an external registrar—When the SIP ALG receives the outgoing REGISTER request, it translates the IP addresses in the To, Via, From, Call-ID, and Contact header fields. A backward translation is performed for the incoming response.

Info—Used to communicate mid-session signaling information along the signaling path for the call. In NAT mode, the IP address in the Request-URI: header field is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

Subscribe—Used to request current state and state updates from a remote node. In NAT mode, the IP address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

Notify—Sent to inform subscribers of changes in state to which the subscriber has a subscription. In NAT mode, the address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

Refer—Used to refer the recipient (identified by the Request-URI) to a third party by the contact information provided in the request. For example, if user A in a private network refers user B, in a public network, to user C, who is also in the private network, the SIP ALG allocates a new IP address and port number for user C so that user C can be contacted by user B. If user C is registered with a registrar, its port mapping is stored in the ALG NAT table and is reused to perform the translation. The IP addresses in the Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

Update—Used to open a pinhole for new or updated SDP information. The Via, From, To, Call-ID, Contact, Route, and Record-Route header fields are modified as shown in Table 2 on page 29.

1xx, 202, 2xx, 3xx, 4xx, 5xx, 6xx Response Codes—Used to indicate the status of a transaction. Header fields are modified as shown in Table 2 on page 29.

Classes of SIP Responses

SIP responses provide status information about SIP transactions and include a response code and a reason phrase. SIP responses are grouped into the following classes:

Informational (100 to 199)—Request received, continuing to process the request.
Success (200 to 299)—Action successfully received, understood, and accepted.
Redirection (300 to 399)—Further action required to complete the request.
Client Error (400 to 499)—Request contains bad syntax or cannot be fulfilled at this server.
Server Error (500 to 599)—Server failed to fulfill an apparently valid request.
Global Failure (600 to 699)—Request cannot be fulfilled at any server.

Table 1 provides a complete list of current SIP responses, all of which are supported on Juniper Networks security devices.

Table 1: Session Initiation Protocol Responses

Class: Response Code-Reason Phrase
Informational: 100 Trying; 180 Ringing; 181 Call is being forwarded; 182 Queued; 183 Session progress
Success: 200 OK; 202 Accepted
Redirection: 300 Multiple choices; 301 Moved permanently; 302 Moved temporarily; 305 Use proxy; 380 Alternative service
Client Error: 400 Bad request; 401 Unauthorized; 402 Payment required; 403 Forbidden; 404 Not found; 405 Method not allowed; 406 Not acceptable; 407 Proxy authentication required; 408 Request time-out; 409 Conflict; 410 Gone; 411 Length required; 413 Request entity too large; 414 Request-URL too large; 415 Unsupported media type; 420 Bad extension; 480 Temporarily not available; 481 Call leg/transaction does not exist; 482 Loop detected; 483 Too many hops; 484 Address incomplete; 485 Ambiguous; 486 Busy here; 487 Request canceled; 488 Not acceptable here
Server Error: 500 Server internal error; 501 Not implemented; 502 Bad gateway; 502 Service unavailable; 504 Gateway time-out; 505 SIP version not supported
Global Failure: 600 Busy everywhere; 603 Decline; 604 Does not exist anywhere; 606 Not acceptable

SIP Application Layer Gateway

There are two types of SIP traffic, the signaling and the media stream. SIP signaling traffic consists of request and response messages between client and server and uses transport protocols such as User Datagram Protocol (UDP) or Transmission Control Protocol (TCP). The media stream carries the data (audio data, for example) and uses Application Layer protocols such as Real Time Protocol (RTP) over UDP.

Juniper Networks security devices support SIP signaling messages on port 5060. You can simply create a policy that permits SIP service, and the security device filters SIP signaling traffic like any other type of traffic, permitting or denying it. The media stream, however, uses dynamically assigned port numbers that can change several times during the course of a call. Without fixed ports, it is impossible to create a static policy to control media traffic. In this case, the security device invokes the SIP ALG. The SIP ALG reads SIP messages and their SDP content and extracts the port-number information it needs to dynamically open pinholes and let the media stream traverse the security device.

NOTE: We refer to a pinhole as the limited opening of a port to allow exclusive traffic.

The SIP ALG monitors SIP transactions and dynamically creates and manages pinholes based on the information it extracts from these transactions. The Juniper Networks SIP ALG supports all SIP methods and responses (see “SIP Request Methods” on page 16 and “Classes of SIP Responses” on page 18). You can allow SIP transactions to traverse the Juniper Networks firewall by creating a static policy that permits SIP service. This policy enables the security device to intercept SIP traffic and do one of the following actions: permit or deny the traffic or enable the SIP ALG to open pinholes to pass the media stream. The SIP ALG needs to open pinholes only for the SIP requests and responses that contain media information (SDP). For SIP messages that do not contain SDP, the security device simply lets them through.

The SIP ALG intercepts SIP messages that contain SDP and, using a parser, extracts the information it requires to create pinholes. The SIP ALG examines the SDP portion of the packet, and a parser extracts information such as IP addresses and port numbers, which the SIP ALG records in a pinhole table. The SIP ALG uses the IP addresses and port numbers recorded in the pinhole table to open pinholes and allow media streams to traverse the security device.

The SIP ALG for IPv6 supports Netscreen Redundancy Protocol (NSRP).

NOTE: Juniper Networks security devices do not support encrypted SDP. If a security device receives a SIP message in which SDP is encrypted, the SIP ALG permits it through the firewall but generates a log message informing the user that it cannot process the packet. If SDP is encrypted, the SIP ALG cannot extract the information it needs from SDP to open pinholes. As a result, the media content that SDP describes cannot traverse the security device.

Session Description Protocol Sessions

An SDP session description is text-based and consists of a set of lines. It can contain session-level and media-level information. The session-level information applies to the whole session, while the media-level information applies to a particular media stream. An SDP session description always contains session-level information, which appears at the beginning of the description, and might contain media-level information, which comes after.

NOTE: In the SDP session description, the media-level information begins with the m= field.

Of the many fields in the SDP description, two are particularly useful to the SIP ALG because they contain Transport Layer information. The two fields are the following:

c= for connection information
This field can appear at the session or media level. It displays in this format:
c=<network type><address type><connection address>
Currently, the security device supports "IN" (for Internet) as the network type, "IP4 and IP6" as address types, and a unicast IP address or domain name as the destination (connection) IP address.

NOTE: Generally, the destination IP address can also be a multicast IP address, but ScreenOS does not currently support multicast with SIP.

m= for media announcement
This field appears at the media level and contains the description of the media. It displays in this format:
m=<media><port><transport><fmt list>
Currently, the security device supports only “audio” as the media and “RTP” as the Application Layer transport protocol. The port number indicates the destination (not the origin) of the media stream. The format list (fmt list) provides information about the Application Layer protocol that the media uses.

In this release of ScreenOS, the security device opens ports only for RTP and RTCP. Every RTP session has a corresponding Real Time Control Protocol (RTCP) session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number. If the destination IP address is a unicast IP address, the SIP ALG creates pinholes using the IP address and port numbers specified in the media description field m=.

Pinhole Creation

Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):

First, the SIP ALG parser verifies if there is a c= field containing an IP address in the media level. If there is one, the parser extracts that IP address, and the SIP ALG uses it to create a pinhole for the media.

If there is no c= field in the media level, the SIP ALG parser extracts the IP address from the c= field in the session level, and the SIP ALG uses it to create a pinhole for the media.

If the session description does not contain a c= field in either level, this indicates an error in the protocol stack, and the security device drops the packet and logs the event.

The following lists the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the security device:

Protocol: UDP.
Source IP: Unknown.
Source port: Unknown.
Destination IP: The parser extracts the destination IP address from the c= field in the media or session level.
Destination port: The parser extracts the destination port number for RTP from the m= field in the media level and calculates the destination port number for RTCP using the following formula: RTP port number + one
Lifetime: This value indicates the length of time (in seconds) during which a pinhole is open to allow a packet through. A packet must go through the pinhole before the lifetime expires. When the lifetime expires, the SIP ALG removes the pinhole. When a packet goes through the pinhole within the lifetime period, immediately afterwards the SIP ALG removes the pinhole for the direction from which the packet came.

Figure 8 describes a call setup between two SIP clients and how the SIP ALG creates pinholes to allow RTP and RTCP traffic. The illustration assumes that the security device has a policy that permits SIP, thus opening port 5060 for SIP signaling messages.

Figure 8: SIP ALG Call Setup (diagram: Client A 1.1.1.1 in the Trust Zone; the security device; the SIP proxy and Client B 2.2.2.2 in the Untrust Zone)
1. Client A sends an INVITE request destined for Client B to the SIP proxy through port 5060 on the security device (SDP 1.1.1.1:2000)
2. Per SDP, the SIP ALG creates a pinhole for 1.1.1.1:2000 (pinhole 1)
3. The SIP proxy forwards an INVITE request to Client B
4. Client B replies to the SIP proxy with a Ringing response
5. The SIP proxy forwards the Ringing response from Client B to Client A through port 5060 on the security device
6. Client B sends a 200 OK response to the SIP proxy in reply to the INVITE request (SDP: 2.2.2.2:3000)
7. Per SDP, the SIP ALG creates a pinhole for 2.2.2.2:3000 (pinhole 2)
8. The SIP proxy forwards the 200 OK response from Client B to Client A through the security device
9. Client A sends an ACK response destined for Client B to the SIP proxy through port 5060 on the security device
10. The SIP proxy forwards the ACK response to Client B
11. Client A sends the media traffic (RTP/RTCP) to Client B through pinhole 2
12. Client B sends the media traffic (RTP/RTCP) to Client A through pinhole 1

NOTE: The SIP ALG does not create pinholes for RTP and RTCP traffic when the destination IP address is 0.0.0.0, which indicates that the session is on hold. To put a session on hold during a telephone communication, for example, a user (User A) sends the other user (User B) a SIP message in which the destination IP address is 0.0.0.0. Doing so indicates to User B not to send any media until further notice. If User B sends media anyway, the security device drops the packets.

Session Inactivity Timeout

Typically a call ends when one of the clients sends a BYE or CANCEL request. The SIP ALG intercepts the BYE or CANCEL request and removes all media sessions for that call. There could be reasons or problems preventing clients in a call from sending BYE or CANCEL requests, for example, a power failure. In this case, the call might go on indefinitely, consuming resources on the security device. The inactivity-timeout feature helps the security device to monitor the liveliness of the call and terminate it if there is no activity for a specific period of time.

A call can have one or more voice channels. Each voice channel has two sessions (or two media streams), one for RTP and one for RTCP. When managing the sessions, the security device considers the sessions in each voice channel as one group. Settings such as the inactivity timeout apply to a group as opposed to each session.
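The SDP field rules in “Session Description Protocol Sessions” and the pinhole rules in “Pinhole Creation”, including the hold case from the note above, as an added example that is not ScreenOS code: it derives the RTP and RTCP pinholes an ALG would open from an SDP body, with the media-level c= taking precedence over the session-level c=, a missing c= treated as a protocol error, only audio over RTP accepted, and a 0.0.0.0 connection address producing no pinholes. The sample SDP bodies are constructed for this example.

```python
"""Added example (not from the ScreenOS guide): derive SIP ALG pinholes from SDP."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pinhole:
    protocol: str   # always UDP for RTP/RTCP
    dst_ip: str     # from the c= field (media level wins over session level)
    dst_port: int   # RTP port from m=, RTCP port = RTP port + 1
    kind: str       # "RTP" or "RTCP"


class SdpError(ValueError):
    """The SDP cannot be used to open pinholes; the device would drop and log the packet."""


def _connection_address(line: str) -> str:
    # c=<network type> <address type> <connection address>
    parts = line[2:].split()
    if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
        raise SdpError(f"unsupported c= field: {line}")
    return parts[2]


def pinholes_from_sdp(sdp: str) -> List[Pinhole]:
    """Return the pinholes needed for every supported media stream in the SDP."""
    session_ip: Optional[str] = None
    media_blocks: List[List[str]] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("m="):
            media_blocks.append([line])       # m= starts media-level information
        elif media_blocks:
            media_blocks[-1].append(line)     # belongs to the current media block
        elif line.startswith("c="):
            session_ip = _connection_address(line)

    pinholes: List[Pinhole] = []
    for block in media_blocks:
        # m=<media> <port> <transport> <fmt list>; a "<port>/<count>" form is not handled here
        media, port_text, transport = block[0][2:].split()[:3]
        if media != "audio" or not transport.startswith("RTP/"):
            continue                          # guide: only audio over RTP is supported
        media_ip = None
        for line in block[1:]:
            if line.startswith("c="):
                media_ip = _connection_address(line)
        dst_ip = media_ip or session_ip       # media-level c= overrides session-level c=
        if dst_ip is None:
            raise SdpError("no c= field at media or session level")
        if dst_ip == "0.0.0.0":
            continue                          # session on hold: no pinholes for this stream
        port = int(port_text)
        pinholes.append(Pinhole("UDP", dst_ip, port, "RTP"))
        pinholes.append(Pinhole("UDP", dst_ip, port + 1, "RTCP"))
    return pinholes


def sdp_is_usable(sdp: str) -> bool:
    """True when the SDP parses; False when the device would drop the packet."""
    try:
        pinholes_from_sdp(sdp)
        return True
    except SdpError:
        return False


# Constructed sample SDP bodies (not taken from the guide).
INVITE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 1.1.1.1
s=-
c=IN IP4 1.1.1.1
t=0 0
m=audio 2000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

HOLD_SDP = INVITE_SDP.replace("c=IN IP4 1.1.1.1", "c=IN IP4 0.0.0.0")

MEDIA_LEVEL_C_SDP = """v=0
o=bob 1 1 IN IP4 2.2.2.2
s=-
c=IN IP4 2.2.2.2
t=0 0
m=audio 3000 RTP/AVP 0
c=IN IP4 2.2.2.9
"""

if __name__ == "__main__":
    for pinhole in pinholes_from_sdp(INVITE_SDP):
        print(pinhole)
```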

There are two types of inactivity timeouts that determine the lifetime of a group:

Signaling-inactivity timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any SIP-signaling traffic. Each time a SIP-signaling message occurs within a call, this timeout resets. The default setting is 43200 seconds (12 hours).

Media-inactivity timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. The default setting is 120 seconds.

If either of these timeouts expires, the security device removes all sessions for this call from its table, thus terminating the call.

SIP Attack Protection

The ability of the SIP proxy server to process calls can be affected by repeat SIP INVITE requests, whether malicious or through client or server error, that it initially denied. To prevent the SIP proxy server from being overwhelmed by such requests, you can use the sip protect deny command to configure the security device to monitor INVITE requests and proxy server replies to them. If a reply contains a 3xx, 4xx, or 5xx response code (see “Classes of SIP Responses” on page 18), the ALG stores the source IP address of the request and the IP address of the proxy server in a table. Subsequently, the security device checks all INVITE requests against this table and, for a configurable number of seconds (the default is 3), discards any packets that match entries in the table, after which the security device resumes forwarding INVITE requests from those sources. You can also configure the security device to monitor INVITE requests to a specific proxy server by specifying the destination IP address. SIP attack protection is configured globally. The sip protect deny command supports both IPv4 and IPv6 addresses.

Example: SIP Protect Deny

In this example, you configure the security device to protect a single SIP proxy server (1.1.1.3/24) from repeat SIP requests to which it has already denied service. Packets are dropped for a period of 5 seconds.

WebUI
You must use the CLI to protect SIP proxy servers from being inundated by SIP messages.

CLI
set alg sip app-screen protect deny dst-ip 1.1.1.3/24
set alg sip protect deny timeout 5
save
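The protect-deny behaviour described above, as an added example that is not ScreenOS code: a small model that records a (source, proxy) deny entry when the proxy answers an INVITE with a 3xx/4xx/5xx response, discards matching INVITEs for the configured timeout, and then resumes forwarding. Time is passed in explicitly so the logic can be replayed against a constructed event trace; the addresses in the trace are made up for this example.

```python
"""Added example (not from the ScreenOS guide): model of 'sip protect deny'."""
from typing import Dict, List, Optional, Tuple

DenyKey = Tuple[str, str]   # (source IP of the INVITE, IP of the proxy that rejected it)


class SipProtectDeny:
    def __init__(self, timeout: float = 3.0) -> None:
        self.timeout = timeout                 # ScreenOS default is 3 seconds
        self._deny: Dict[DenyKey, float] = {}  # deny entry -> time at which it expires

    def on_response(self, src_ip: str, proxy_ip: str, status: int, now: float) -> None:
        """Record a deny entry when the proxy rejected the INVITE (3xx, 4xx or 5xx)."""
        if 300 <= status <= 599:
            self._deny[(src_ip, proxy_ip)] = now + self.timeout

    def allow_invite(self, src_ip: str, proxy_ip: str, now: float) -> bool:
        """True if the INVITE is forwarded, False if it is discarded."""
        expires = self._deny.get((src_ip, proxy_ip))
        if expires is None:
            return True
        if now >= expires:
            del self._deny[(src_ip, proxy_ip)]  # window elapsed: resume forwarding
            return True
        return False

    def denied_sources(self) -> int:
        return len(self._deny)


# Constructed event trace: (time in seconds, kind, source IP, proxy IP, response status).
Event = Tuple[float, str, str, str, Optional[int]]
TRACE: List[Event] = [
    (0.0, "INVITE", "5.5.5.5", "1.1.1.3", None),    # first INVITE is forwarded
    (0.1, "RESPONSE", "5.5.5.5", "1.1.1.3", 403),   # proxy rejects it: deny entry created
    (0.5, "INVITE", "5.5.5.5", "1.1.1.3", None),    # repeat inside the window: dropped
    (1.0, "INVITE", "6.6.6.6", "1.1.1.3", None),    # other source is unaffected
    (2.0, "INVITE", "5.5.5.5", "1.1.1.3", None),    # still inside the window: dropped
    (3.2, "INVITE", "5.5.5.5", "1.1.1.3", None),    # 3.1 s passed: forwarded again
]


def replay(trace: List[Event], timeout: float = 3.0) -> Tuple[int, int]:
    """Run the trace through the model; return (forwarded, dropped) INVITE counts."""
    guard = SipProtectDeny(timeout)
    forwarded = dropped = 0
    for now, kind, src, proxy, status in trace:
        if kind == "RESPONSE":
            guard.on_response(src, proxy, status, now)
        elif guard.allow_invite(src, proxy, now):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    print("default 3 s window:", replay(TRACE))
    print("5 s window as in the example:", replay(TRACE, timeout=5.0))
```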

Example: Signaling-Inactivity and Media-Inactivity Timeouts

In this example, you configure the signaling-inactivity timeout to 30,000 seconds and the media-inactivity timeout to 90 seconds.

WebUI
NOTE: You must use the CLI to set SIP-signaling and media-inactivity timeouts.

CLI
set alg sip signaling-inactivity-timeout 30000
set alg sip media-inactivity-timeout 90
save

Example: UDP Flooding Protection

You can protect the security device against UDP flooding by zone and destination address. In this example, you set a threshold of 80,000 per second for the number of UDP packets that can be received on IP address 1.1.1.5, in the Untrust zone, before the security device generates an alarm and drops subsequent packets for the remainder of that second. For more information about UDP flood protection and how to determine effective settings, see “UDP Flood” on page 4-53.

NOTE: This example uses a general ScreenOS command and is not necessarily SIP-specific.

WebUI
Security > Screening > Screen: Enter the following, then click Apply:
Zone: Untrust
UDP Flood Protection (select)
> Destination IP: Enter the following, then click the Back arrow in your browser to return to the Screen configuration page:
Destination IP: 1.1.1.5
Threshold: 80000
Add: (select)

CLI
set zone untrust screen udp-flood dst-ip 1.1.1.5 threshold 80000
save

Example: SIP Connection Maximum

In this example, you prevent flood attacks on the SIP network from attackers in the Untrust zone by setting a maximum of 20 concurrent sessions from a single IP address. If the security device detects more than 20 connection attempts from the same IP address, it begins dropping subsequent attempts until the number of sessions drops below the specified maximum. For more information about source-based session limits and how to determine effective settings, see “Source-Based and Destination-Based Session Limits” on page 4-30.

NOTE: This example uses a general ScreenOS command and is not necessarily SIP-specific.

WebUI
Screening > Screen (Zone: Untrust): Enter the following, then click OK:
Source IP Based Session Limit: (select)
Threshold: 20 Sessions

CLI
set zone untrust screen limit-session source-ip-based 20
save

SIP with Network Address Translation

The Network Address Translation (NAT) protocol enables multiple hosts in a private subnet to share a single public IP address to access the Internet. For outgoing traffic, NAT replaces the private IP address of the host in the private subnet with the public IP address. For incoming traffic, the public IP address is converted back into the private address, and the message is routed to the appropriate host in the private subnet.

Using NAT with the SIP service is more complicated because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. The SIP headers contain information about the caller and the receiver, and the security device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. The security device translates SDP information for allocating resources to send and receive the media.

How IP addresses and port numbers in SIP messages are replaced depends on the direction of the message. For an outgoing message, the private IP address and port number of the client are replaced with the public IP address and port number of the Juniper Networks firewall. For an incoming message, the public address of the firewall is replaced with the private address of the client.

When an INVITE message is sent out across the firewall, the SIP ALG collects information from the message header into a call table, which it uses to forward subsequent messages to the correct end point. When a new message arrives, for example an ACK or 200 OK, the ALG compares the From, To, and Call-ID fields against the call table to identify the call context of the message. If a new INVITE message arrives that matches the existing call, the ALG processes it as a REINVITE.

Concepts & Examples ScreenOS Reference Guide

When a message containing SDP information arrives, the ALG allocates ports and creates a NAT mapping between them and the ports in the SDP. Because the SDP requires sequential ports for the Real Time Protocol (RTP) and Real Time Control Protocol (RTCP) channels, the ALG provides consecutive even-odd ports. If it is unable to find a pair of ports, it discards the SIP message.

Outgoing Calls
When a SIP call is initiated with a SIP request message from the internal to the external network, NAT replaces the IP addresses and port numbers in the SDP and creates a binding to map the IP addresses and port numbers to the Juniper Networks firewall. Via, Contact, Route, and Record-Route SIP header fields, if present, are also bound to the firewall IP address. The ALG stores these mappings for use in retransmissions and for SIP response messages. The SIP ALG then opens pinholes in the firewall to allow media through the security device on the dynamically assigned ports negotiated based on information in the SDP and the Via, Contact, and Record-Route header fields. The pinholes also allow incoming packets to reach the Contact, Via, and Record-Route IP addresses and ports. When processing return traffic, the ALG inserts the original Contact, Via, Route, and Record-Route SIP fields back into the packets.

Incoming Calls
Incoming calls are initiated from the public network to public Mapped IP (MIP) addresses or to interface IP addresses on the security device. MIPs are statically configured IP addresses that point to internal hosts; interface IP addresses are dynamically recorded by the ALG as it monitors REGISTER messages sent by internal hosts to the SIP registrar. (For more information, see “Examples” on page 32.) When the security device receives an incoming SIP packet, it sets up a session and forwards the payload of the packet to the SIP ALG. The ALG examines the SIP request message (initially an INVITE) and, based on information in the SDP, opens gates for outgoing media. When a 200 OK response message arrives, the SIP ALG performs NAT on the IP addresses and ports and opens pinholes in the outbound direction. (The opened gates have a short time-to-live, and time out if a 200 OK response message is not received quickly.) When a 200 OK response arrives, the SIP proxy examines the SDP information and reads the IP addresses and port numbers for each media session. The SIP ALG on the security device performs NAT on the addresses and port numbers, opens pinholes for outbound traffic, and refreshes the timeout for gates in the inbound direction. When the ACK arrives for the 200 OK, it also passes through the SIP ALG. If the message contains SDP information, the SIP ALG ensures that the IP addresses and port numbers are not changed from the previous INVITE—if they are, the ALG deletes old pinholes and creates new pinholes to allow media to pass through. The ALG also monitors the Via, Contact, and Record-Route SIP fields and opens new pinholes if it determines that these fields have changed.


Chapter 2: Session Initiation Protocol Application Layer Gateway

Forwarded Calls
A forwarded call is when, for example, user A outside the network calls user B inside the network, and user B forwards the call to user C outside the network. The SIP ALG processes the INVITE from user A as a normal incoming call. But when the ALG examines the forwarded call from B to C outside the network and notices that B and C are reached using the same interface, it does not open pinholes in the firewall, because media will flow directly between user A and user C.

Call Termination
The BYE message is used to terminate a call. When the security device receives a BYE message, it translates the header fields just as it does for any other message, but because a BYE message must be acknowledged by the receiver with a 200 OK, the ALG delays call teardown for five seconds to allow time for transmission of the 200 OK.

Call Re-INVITE Messages
Re-INVITE messages are used to add new media sessions to a call, and to remove existing media sessions. When new media sessions are added to a call, new pinholes are opened in the firewall and new address bindings created. The process is identical to the original call setup. When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.

Call Session Timers
The SIP ALG uses the Session-Expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG gets the Session-Expires value, if present, from the 200 OK response to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, it resets all timeout values to this new INVITE or to default values, and the process is repeated.

As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist. This ensures that the security device is protected in the event of the following:
    End systems crash during a call and a BYE message is not received.
    Malicious users never send a BYE in an attempt to attack a SIP ALG.
    Poor implementations of SIP proxy fail to process Record-Route and never send a BYE message.
    Network failures prevent a BYE message from being received.

Call Cancellation
Either party can cancel a call by sending a CANCEL message. Upon receiving a CANCEL message, the SIP ALG closes pinholes through the firewall—if any have been opened—and releases address bindings. Before releasing the resources, the ALG delays the control channel age-out for approximately five seconds to allow time for the final 200 OK to pass through. The call is terminated when the five second timeout expires, regardless of whether a 487 or non-200 response arrives.
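The teardown delay after BYE or CANCEL and the session and hard timers described above, simulated as an added example (not ScreenOS code and not from the original guide). The five-second delay is the value the text gives; the hard-timeout and default-expiry values, the event timings and the reason strings are constructed assumptions.

```python
"""Simulation of the SIP ALG call-lifetime timers: a Session-Expires timer
refreshed by re-INVITE/UPDATE, a hard timeout that caps the call no matter
how often it is refreshed, and the five-second teardown delay after BYE or
CANCEL. Added example, not ScreenOS code. Times are seconds on a simulated
clock; all numbers fed in are constructed."""

TEARDOWN_DELAY = 5  # seconds the ALG waits for the final 200 OK after BYE/CANCEL


class CallState:
    """One call's timers as the ALG tracks them."""

    def __init__(self, start, hard_timeout, default_expires):
        self.hard_deadline = start + hard_timeout     # never extended by refreshes
        self.soft_deadline = start + default_expires  # reset by each refresh
        self.teardown_at = None
        self.closed_reason = None

    def refresh(self, now, session_expires):
        """200 OK to the INVITE, re-INVITE or UPDATE: take Session-Expires if present,
        otherwise keep the current (default) deadline."""
        if session_expires is not None:
            self.soft_deadline = now + session_expires

    def end(self, now):
        """BYE or CANCEL: keep the control channel open for TEARDOWN_DELAY seconds
        so the final 200 OK can pass, then tear down regardless of what arrives."""
        if self.teardown_at is None:
            self.teardown_at = now + TEARDOWN_DELAY

    def tick(self, now):
        """Return the teardown reason once a timer has fired, else None."""
        if self.closed_reason is None:
            if self.teardown_at is not None and now >= self.teardown_at:
                self.closed_reason = "bye-or-cancel"
            elif now >= self.hard_deadline:
                self.closed_reason = "hard-timeout"
            elif now >= self.soft_deadline:
                self.closed_reason = "session-expired"
        return self.closed_reason


def simulate(events, hard_timeout=600, default_expires=1800, horizon=3600):
    """Run constructed events against a call that started at t=0.

    events: (time, kind, session_expires) with kind in
            {"200ok", "reinvite", "update", "bye", "cancel"}.
    Returns (time, reason) of teardown, or None if the call is still up at `horizon`.
    hard_timeout and default_expires are constructed values, not ScreenOS defaults."""
    call = CallState(0, hard_timeout, default_expires)
    pending = sorted(events, key=lambda e: e[0])
    for now in range(horizon + 1):
        while pending and pending[0][0] == now:
            _, kind, expires = pending.pop(0)
            if kind in ("200ok", "reinvite", "update"):
                call.refresh(now, expires)
            elif kind in ("bye", "cancel"):
                call.end(now)
        reason = call.tick(now)
        if reason:
            return now, reason
    return None


if __name__ == "__main__":
    # A peer that keeps refreshing but never sends BYE is still cut off by the hard timeout.
    print(simulate([(t, "update", 90) for t in range(1, 600, 50)], hard_timeout=300))
    # A normal BYE tears the call down five seconds later.
    print(simulate([(1, "200ok", 90), (20, "bye", None)]))
```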

Forking
Forking enables a SIP proxy to send a single INVITE message to multiple destinations simultaneously. When multiple 200 OK response messages arrive for the single call, the SIP ALG parses each of them but updates call information only with the first 200 OK message it receives.

SIP Messages
The SIP message format consists of a SIP header section, and the SIP body. In request messages, the first line of the header section is the request line, which includes the method type, Request-URI, and protocol version. In response messages, the first line is the status line, which contains a status code. SIP headers contain IP addresses and port numbers used for signaling. The SIP body, separated from the header section by a blank line, is reserved for session description information, which is optional. Juniper Networks security devices currently support the Session Description Protocol (SDP) only. The SIP body contains IP addresses and port numbers used to transport the media. In NAT mode, the security device translates information in the SIP headers to hide the information from the outside network. NAT is performed on SIP body information to allocate resources, that is, port numbers where the media is to be received.

SIP Headers
In the following sample SIP request message, NAT replaces the IP addresses in the header fields—shown in bold font—to hide them from the outside network.

    INVITE bob@10.150.20.5 SIP/2.0
    Via: SIP/2.0/UDP 10.150.20.3:5434
    From: alice@10.150.20.3
    To: bob@10.150.20.5
    Call-ID: a12abcde@10.150.20.3
    Contact: alice@10.150.20.3:5434
    Route: <sip:netscreen@10.150.20.3:5060>
    Record-Route: <sip:netscreen@10.150.20.3:5060>


How IP address translation is performed depends on the type and direction of the message, and whether the message is a request or response. Note that for several of the header fields the ALG must know more than just whether the message comes from inside or outside the network. It must also know what client initiated the call, which can be any of the following:
    Inbound request
    Outbound response
    Outbound request
    Inbound response
Table 2 shows how NAT is performed in each of these cases.

Table 2: Requesting Messages with NAT

Message Type                                Fields         Action
Inbound Request (from public to private)    To:            Replace ALG address with local address
                                            From:          None
                                            Call-ID:       None
                                            Via:           None
                                            Request-URI:   Replace ALG address with local address
                                            Contact:       None
                                            Record-Route:  None
                                            Route:         None
Outbound Response (from private to public)  To:            Replace ALG address with local address
                                            From:          None
                                            Call-ID:       None
                                            Via:           None
                                            Request-URI:   N/A
                                            Contact:       Replace local address with ALG address
                                            Record-Route:  Replace local address with ALG address
                                            Route:         None
Outbound Request (from private to public)   To:            None
                                            From:          Replace local address with ALG address
                                            Call-ID:       Replace local address with ALG address
                                            Via:           Replace local address with ALG address
                                            Request-URI:   None
                                            Contact:       Replace local address with ALG address
                                            Record-Route:  Replace local address with ALG address
                                            Route:         Replace ALG address with local address
Inbound Response (from public to private)   To:            None
                                            From:          Replace ALG address with local address
                                            Call-ID:       Replace ALG address with local address
                                            Via:           Replace ALG address with local address
                                            Request-URI:   N/A
                                            Contact:       None
                                            Record-Route:  Replace ALG address with local address
                                            Route:         Replace ALG address with local address

SIP Body
The SDP information in the SIP body includes IP addresses the ALG uses to create channels for the media stream. Translation of the SDP section also allocates resources, that is, port numbers to send and receive the media.

The following excerpt from a sample SDP section shows the fields that are translated for resource allocation.

    o=user 2344234 55234434 IN IP4 10.150.20.3
    c=IN IP4 10.150.20.3
    m=audio 43249 RTP/AVP 0

SIP messages can contain more than one media stream. The concept is similar to attaching multiple files to an email message. For example, an INVITE message sent from a SIP client to a SIP server might have the following fields:

    c=IN IP4 10.123.33.4
    m=audio 33445 RTP/AVP 0
    c=IN IP4 10.123.33.4
    m=audio 33447 RTP/AVP 0
    c=IN IP4 10.123.33.4
    m=audio 33449 RTP/AVP 0

Juniper Networks security devices support up to 6 SDP channels negotiated for each direction, for a total of 12 channels per call. For more information, see “Session Description Protocol Sessions” on page 20.

SIP NAT Scenario
In Figure 9, ph1 sends a SIP INVITE message to ph2. Note how the IP addresses in the header fields—shown in bold font—are translated by the security device. The SDP section of the INVITE message indicates where the caller is willing to receive media. Note that the Media Pinhole contains two port numbers, 52002 and 52003, for RTCP and RTP. The Via/Contact Pinhole provides port number 5060 for SIP signaling.

Figure 9: SIP NAT Scenario 1 (ph1 5.5.5.1 on the internal network sends an INVITE to ph2 6.6.6.2 on the external network; the security device rewrites the private address 5.5.5.1 in the headers and SDP to its public address 6.6.6.1; the Via/Contact pinhole and the Media pinhole are shown)

Observe how, in the 200 OK response message (Figure 10), the translations performed in the INVITE message are reversed. The IP addresses in this message, being public, are not translated, but gates are opened to allow the media stream access to the private network.
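The Outbound Request rules of Table 2 and the even/odd media port allocation described under SIP with Network Address Translation, worked through in code as an added example (not ScreenOS code and not from the original guide). The INVITE, the addresses 5.5.5.1 and 6.6.6.1 and the port pool range are constructed values modelled on the Figure 9 scenario; the rule table, the SDP rewriting and the discard-on-exhaustion behaviour follow the text.

```python
"""Toy model of the SIP ALG NAT translation of an outbound INVITE: header
fields are rewritten per the Outbound Request rows of Table 2, the SDP o=/c=
addresses are rewritten, and each m= line gets a consecutive even/odd public
port pair for RTP/RTCP. Added example, not ScreenOS code; addresses and
ports are constructed values modelled on Figure 9."""
import re

LOCAL_IP = "5.5.5.1"  # private address of ph1 (constructed, as in Figure 9)
ALG_IP = "6.6.6.1"    # public address of the security device (constructed)
ADDR = {"local": LOCAL_IP, "alg": ALG_IP}

# Outbound Request (from private to public) rows of Table 2: (replace, with).
# To and Request-URI are "None" in the table and are left untouched.
OUTBOUND_REQUEST = {
    "From": ("local", "alg"),
    "Call-ID": ("local", "alg"),
    "Via": ("local", "alg"),
    "Contact": ("local", "alg"),
    "Record-Route": ("local", "alg"),
    "Route": ("alg", "local"),
}


class MediaPortPool:
    """Public ports for media pinholes: RTP takes an even port, RTCP the next odd one."""

    def __init__(self, low, high):
        self.free = set(range(low, high + 1))

    def allocate_pair(self):
        for rtp in sorted(p for p in self.free if p % 2 == 0):
            if rtp + 1 in self.free:
                self.free -= {rtp, rtp + 1}
                return rtp, rtp + 1
        return None  # no consecutive even/odd pair left

    def release_pair(self, rtp):
        self.free |= {rtp, rtp + 1}


def translate_headers(header_lines, rules):
    """Rewrite addresses in the header fields named by `rules`; the request line stays."""
    out = [header_lines[0]]
    for line in header_lines[1:]:
        name, sep, value = line.partition(":")
        rule = rules.get(name.strip())
        if rule:
            value = value.replace(ADDR[rule[0]], ADDR[rule[1]])
        out.append(name + sep + value)
    return out


def translate_sdp(body, pool):
    """Rewrite o=/c= addresses and m= ports.

    Returns (new_body, [(private_rtp_port, public_rtp_port), ...]) or None when
    no even/odd pair is available; pairs already taken for this message are
    then returned to the pool, since the ALG discards the whole message."""
    new_lines, pinholes = [], []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(LOCAL_IP, ALG_IP)
        elif line.startswith("m="):
            m = re.match(r"m=(\S+) (\d+)(.*)", line)
            pair = pool.allocate_pair() if m else None
            if pair is None:
                for _, pub in pinholes:
                    pool.release_pair(pub)
                return None
            pinholes.append((int(m.group(2)), pair[0]))
            line = f"m={m.group(1)} {pair[0]}{m.group(3)}"
        new_lines.append(line)
    return "\r\n".join(new_lines), pinholes


def translate_outbound_invite(msg, pool):
    """Apply the ALG to an INVITE leaving the private network.

    Returns (translated_message, media_pinholes), or None when the message is
    discarded because no RTP/RTCP port pair could be allocated."""
    headers, _, body = msg.partition("\r\n\r\n")
    new_headers = translate_headers(headers.split("\r\n"), OUTBOUND_REQUEST)
    result = translate_sdp(body, pool)
    if result is None:
        return None
    new_body, pinholes = result
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body, pinholes


# Constructed INVITE from ph1 to ph2, modelled on Figure 9 (not the figure's text).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:ph2@6.6.6.2 SIP/2.0",
    "Via: SIP/2.0/UDP 5.5.5.1:5060",
    "From: ph1@5.5.5.1",
    "To: ph2@6.6.6.2",
    "Call-ID: a1234@5.5.5.1",
    "Contact: <sip:ph1@5.5.5.1:5060>",
    "Route: <sip:netscreen@6.6.6.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=ph1 3123 1234 IN IP4 5.5.5.1",
    "c=IN IP4 5.5.5.1",
    "m=audio 52002 RTP/AVP 0",
])

if __name__ == "__main__":
    translated, holes = translate_outbound_invite(SAMPLE_INVITE, MediaPortPool(62002, 62011))
    print(translated)
    print("media pinholes (private RTP port -> public RTP port):", holes)
```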

Figure 10: SIP NAT Scenario 2 (ph2 6.6.6.2 returns the 200 OK, which the security device forwards to ph1 5.5.5.1 with the INVITE translations reversed, and ph1's ACK follows the same path; the Via/Contact pinhole and the Media pinhole are shown)

Examples
This section contains the following sample scenarios:
    “Incoming SIP Call Support Using the SIP Registrar” on page 33
    “Example: Incoming Call with MIP” on page 39
    “Example: Proxy in the Private Zone” on page 41
    “Example: Proxy in the Public Zone” on page 44
    “Example: Three-Zone, Proxy in the DMZ” on page 46
    “Example: Untrust Intrazone” on page 49
    “Example: Trust Intrazone” on page 53
    “Example: Full-Mesh VPN for SIP” on page 55

Incoming SIP Call Support Using the SIP Registrar
SIP registration provides a discovery capability by which SIP proxies and location servers are able to identify the location or locations where users want to be contacted. A user registers one or more contact locations by sending a REGISTER message to the registrar. The To: and Contact: fields in the REGISTER message contain the address-of-record URI and one or more contact URIs, as shown in Figure 11. Registration creates bindings in a location service that associates the address-of-record with the contact address or addresses.

The security device monitors outgoing REGISTER messages, performs NAT on these addresses, and stores the information in an Incoming DIP table. Then, when an INVITE message is received from outside the network, the security device uses the Incoming DIP table to identify which internal host to route the INVITE message to, as shown in Figure 11.

You can take advantage of SIP proxy registration service to allow incoming calls by configuring Interface DIP or DIP pools on the egress interface of the security device. Interface DIP is adequate for handling incoming calls in a small office, while we recommend setting up DIP pools for larger networks or an enterprise environment.

NOTE: Incoming call support using Interface DIP or a DIP pool is supported for SIP and H.323 services only. For incoming calls, security devices currently support UDP and TCP only. Domain name resolution is also currently not supported; therefore, URIs must contain IP addresses.
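The Incoming DIP table mechanism just described, modelled as an added example (not ScreenOS code and not from the original guide): an outgoing REGISTER's Contact is rewritten to a public address and port and recorded with its Expires, the registrar's 200 OK updates the timeout, and an incoming INVITE is routed by looking up its Request-URI. The addresses, ports and Expires values are constructed and modelled on Figure 11; the sequential public port allocation is an assumption, and only the Contact field is rewritten here.

```python
"""Model of the Incoming DIP table: bindings learned from outgoing REGISTER
messages route later inbound INVITEs to the right internal host. Added
example, not ScreenOS code; all addresses, ports and timings are constructed
sample values modelled on Figure 11."""
import re

ALG_IP = "6.6.6.1"  # interface DIP (public) address of the security device, constructed

CONTACT_RE = re.compile(r"<sip: ?([\d.]+):(\d+)>")
INVITE_RE = re.compile(r"INVITE sip:(?:[^@\s]+@)?([\d.]+):(\d+) SIP/2\.0")


def _header(msg, name):
    """Return the value of header `name` (case-insensitive) or None."""
    for line in msg.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


class IncomingDipTable:
    def __init__(self, first_port=5555):
        self.entries = {}      # (public_ip, public_port) -> {"private": ..., "expires_at": ...}
        self.by_private = {}   # (private_ip, private_port) -> (public_ip, public_port)
        self.next_port = first_port  # sequential allocation is an assumption

    def on_register(self, register, now):
        """Outgoing REGISTER: allocate a public port for the Contact, store the
        binding with the requested Expires, and return the translated REGISTER.
        Returns None when the Contact is not an IP literal (the text says URIs
        must contain IP addresses)."""
        m = CONTACT_RE.search(_header(register, "Contact") or "")
        if m is None:
            return None
        private = (m.group(1), int(m.group(2)))
        if private not in self.by_private:
            self.by_private[private] = (ALG_IP, self.next_port)
            self.next_port += 1
        public = self.by_private[private]
        expires = int(_header(register, "Expires") or 3600)  # fallback is an assumption
        self.entries[public] = {"private": private, "expires_at": now + expires}
        return register.replace(m.group(0), f"<sip:{public[0]}:{public[1]}>")

    def on_register_ok(self, ok, now):
        """Registrar's 200 OK: the granted Expires may be shorter than the one
        requested, so the entry's timeout is updated from it."""
        m = CONTACT_RE.search(_header(ok, "Contact") or "")
        expires = _header(ok, "Expires")
        if m and expires:
            public = (m.group(1), int(m.group(2)))
            if public in self.entries:
                self.entries[public]["expires_at"] = now + int(expires)

    def route_invite(self, invite, now):
        """Incoming INVITE: map the public Request-URI to the registered private
        host, or None when the binding is unknown or has expired."""
        m = INVITE_RE.match(invite)
        if m is None:
            return None
        entry = self.entries.get((m.group(1), int(m.group(2))))
        if entry is None or now >= entry["expires_at"]:
            return None
        return entry["private"]


# Constructed messages modelled on Figure 11 (not the figure's text).
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:6.6.6.2 SIP/2.0",
    "From: ph1@5.5.5.1",
    "To: ph1@5.5.5.1",
    "CSeq: 1 REGISTER",
    "Contact: <sip:5.5.5.1:1234>",
    "Expires: 7200",
])
SAMPLE_REGISTER_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "From: ph1@5.5.5.1",
    "To: ph1@5.5.5.1",
    "CSeq: 1 REGISTER",
    "Contact: <sip:6.6.6.1:5555>",
    "Expires: 3600",
])
SAMPLE_INVITE = "INVITE sip:ph1@6.6.6.1:5555 SIP/2.0\r\nFrom: ph2@6.6.6.2\r\nTo: ph1@6.6.6.1"

if __name__ == "__main__":
    table = IncomingDipTable()
    print(table.on_register(SAMPLE_REGISTER, now=0))
    table.on_register_ok(SAMPLE_REGISTER_OK, now=1)
    print(table.route_invite(SAMPLE_INVITE, now=100))   # routed while the binding is live
    print(table.route_invite(SAMPLE_INVITE, now=4000))  # None once it has expired
```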

Figure 11: Incoming SIP (ph1 at 5.5.5.1:1234 on the internal network sends a REGISTER to the registrar at 6.6.6.2; the security device translates the Contact to 6.6.6.1:5555, adds an entry to the Incoming DIP table, and updates the entry's timeout from the Expires value in the registrar's 200 OK, 7200 requested and 3600 granted)

Example: Incoming Call (Interface DIP)
In this example, phone1 is on the ethernet1 interface in the Trust zone, and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You set Interface DIP on the ethernet3 interface to do NAT on incoming calls, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone and reference that DIP in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how incoming DIP works with the SIP registration service, see “Examples” on page 32.

Figure 12: Incoming Call with Interface DIP on ethernet3 (phone1 10.1.1.3 on the Trust LAN behind ethernet1 10.1.1.1/24; Interface DIP on ethernet3 1.1.1.1/24 toward the Untrust Internet; phone2 1.1.1.4 and the proxy server 1.1.1.3 in the Untrust zone)

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24
    Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/24
    Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.4/24
    Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: proxy
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.3/24
    Zone: Untrust
3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Select the Incoming NAT option, then click OK.
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), phone1
    Destination Address:
        Address Book Entry: (select), Any
    Service: SIP
    Action: Permit
    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
        NAT:
            Source Translation: (select)
            (DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), DIP(ethernet3)
    Service: SIP
    Action: Permit

CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. DIP with Incoming NAT
set interface ethernet3 dip interface-ip incoming
set dip sticky
4. Policies
set policy from trust to untrust phone1 any sip nat src permit
set policy from untrust to trust any dip(ethernet3) sip permit
save

Example: Incoming Call (DIP Pool)
In this example, phone1 is in the Trust zone, and phone2 and the proxy server are in the Untrust zone. You set a DIP pool on the ethernet3 interface to do NAT on incoming calls, then set a policy permitting SIP traffic from the Untrust zone to the Trust zone and reference that DIP pool in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how DIP works with the SIP registration service, see “Examples” on page 32.

Figure 13: Incoming Call with DIP Pool (phone1 10.1.1.3 on the Trust LAN behind ethernet1 10.1.1.1/24; DIP pool 1.1.1.20 - 1.1.1.40 on ethernet3 1.1.1.1/24 toward the Untrust Internet; phone2 1.1.1.4 and the proxy server 1.1.1.3 in the Untrust zone)

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24
    Interface Mode: Route

2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/24
    Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.4/24
    Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: proxy
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.3/24
    Zone: Untrust
3. DIP Pool with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:
    ID: 5
    IP Address Range: (select), 1.1.1.20 ~ 1.1.1.40
    Port Translation: (select)
    In the same subnet as the interface IP or its secondary IPs: (select)
    Incoming NAT: (select)
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), phone1
    Destination Address:
        Address Book Entry: (select), Any
    Service: SIP
    Action: Permit
    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
        NAT:
            Source Translation: (select)
            (DIP on): 5 (1.1.1.20-1.1.1.40)/port-xlate
Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), DIP(5)
    Service: SIP
    Action: Permit

CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. DIP Pool with Incoming NAT
set interface ethernet3 dip 5 1.1.1.20 1.1.1.40 incoming
set dip sticky
4. Policies
set policy from trust to untrust phone1 any sip nat src dip 5 permit
set policy from untrust to trust any dip(5) sip permit
save

Example: Incoming Call with MIP
In this example, phone1 is on the ethernet1 interface in the Trust zone, and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to phone1, then create a policy that allows SIP traffic from the Untrust zone to the Trust zone and reference that MIP in the policy. You also create a policy allowing phone1 to register with the proxy server in the Untrust zone. This example is similar to the previous two examples (“Example: Incoming Call (Interface DIP)” on page 34 and “Example: Incoming Call (DIP Pool)” on page 37), except that with a MIP you need one public address for each private address in the Trust zone, while with Interface DIP or a DIP pool a single interface address can serve multiple private addresses.

Figure 14: Incoming Call with MIP (phone1 10.1.1.3 on the Trust LAN behind ethernet1 10.1.1.1/24; MIP on ethernet3 1.1.1.1/24 toward the Untrust Internet; phone2 and the proxy server in the Untrust zone)

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone: Untrust
    IP Address/Netmask: 1.1.1.1/24
    Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/24
    Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.4/24
    Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: proxy
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.3/24
    Zone: Untrust
3. MIP
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, then click OK:
    Mapped IP: 1.1.1.3
    Netmask: 255.255.255.255
    Host IP Address: 10.1.1.3
4. Policy
Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), any
    Destination Address:
        Address Book Entry: (select), MIP(1.1.1.3)
    Service: SIP
    Action: Permit

CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. MIP
set interface ethernet3 mip 1.1.1.3 host 10.1.1.3
4. Policy
set policy from untrust to trust any mip(1.1.1.3) sip permit
save

Example: Proxy in the Private Zone
In this example, phone1 and the SIP proxy server are on the ethernet1 interface in the Trust (private) zone, and phone2 is on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to the proxy server to allow phone2 to register with the proxy, then create a policy allowing SIP traffic from the Untrust to the Trust zone and reference that MIP in the policy. You also create a policy from the Trust to the Untrust zone to allow phone1 to call out.

Figure 15: Proxy in the Private Zone (phone1 10.1.1.3 and the proxy server 10.1.1.4 on the Trust LAN behind ethernet1 10.1.1.1/24; MIP 1.1.1.2 -> 10.1.1.4 on ethernet3 1.1.1.1/24 toward the Untrust Internet; phone2 1.1.1.4 in the Untrust zone)

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone: Untrust
    IP Address/Netmask: 1.1.1.1/24
    Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/24
    Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.4/24
    Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: proxy
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.4/24
    Zone: Trust
3. MIP
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, then click OK:
    Mapped IP: 1.1.1.2
    Netmask: 255.255.255.255
    Host IP Address: 10.1.1.4
    Host Virtual Router Name: trust-vr
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), any
    Destination Address:
        Address Book Entry: (select), phone2
    Service: SIP
    Action: Permit
    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
        NAT:
            Source Translation: (select)
            (DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), phone2
    Destination Address:
        Address Book Entry: (select), MIP(1.1.1.2)
    Service: SIP
    Action: Permit

CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address trust proxy 10.1.1.4/24
3. MIP
set interface ethernet3 mip 1.1.1.2 host 10.1.1.4
4. Policies
set policy from trust to untrust any phone2 sip nat src permit
set policy from untrust to trust phone2 mip(1.1.1.2) sip permit
save

Example: Proxy in the Public Zone
In this example, phone1 is on the ethernet1 interface in the Trust zone, and the proxy server and phone2 are on the ethernet3 interface in the Untrust (public) zone. This example is similar to the previous incoming call examples (see “Example: Incoming Call (DIP Pool)” on page 37 and “Example: Incoming Call with MIP” on page 39) and, as with those examples, you can use DIP or MIP on the Untrust interface. You configure Interface DIP on the Untrust interface, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone and reference that DIP in the policy. You also create a policy from Trust to Untrust to allow phone1 to register with the proxy server in the Untrust zone.

Figure 16: Proxy in the Public Zone (phone1 10.1.1.3 on the Trust LAN behind ethernet1 10.1.1.1/24; Interface DIP on ethernet3 1.1.1.1/24 toward the Untrust Internet; phone2 1.1.1.4 and the proxy server 1.1.1.3 in the Untrust zone)

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone: Untrust
    IP Address/Netmask: 1.1.1.1/24
    Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/24
    Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.4/24
    Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
    Address Name: proxy
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.3/24
    Zone: Untrust
3. Interface DIP
Network > Interface > Edit (for ethernet3) > DIP: Select the Incoming NAT check box, then click OK.
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), phone1
    Destination Address:
        Address Book Entry: (select), Any
    Service: SIP
    Action: Permit
    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
        NAT:
            Source Translation: (select)
            (DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), DIP(ethernet3)
    Service: SIP
    Action: Permit

CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24

3. Interface DIP
set interface ethernet3 dip interface-ip incoming
4. Policies
set policy from trust to untrust phone1 any sip nat src permit
set policy from untrust to trust any dip(ethernet3) sip permit
save

Example: Three-Zone, Proxy in the DMZ
In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet2 interface in the DMZ. The arrows in Figure 17 show the flow of SIP signaling traffic when phone2 in the Untrust zone places a call to phone1 in the Trust zone. After the session is initiated, the media flows directly between phone1 and phone2. You put a MIP on the ethernet2 interface to phone1 in the Trust zone, and create a policy from the DMZ to the Trust zone and reference that MIP in the policy. In fact, with three zones, you need to create bidirectional policies between each of the zones.

Figure 17: Proxy in the DMZ (phone1 10.1.1.3 on the Trust LAN behind ethernet1 10.1.1.1/24; the proxy server 2.2.2.4 in the DMZ behind ethernet2 2.2.2.2/24, with MIP 2.2.2.3 -> 10.1.1.3 on ethernet2; phone2 1.1.1.4 on the Untrust Internet behind ethernet3 1.1.1.1/24)

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, then click OK:

Zone Name: DMZ
Static IP: (select when this option is present)
IP Address/Netmask: 2.2.2.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

Zone Name: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.1/24

2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.4/24
Zone: DMZ

3. MIP

Network > Interfaces > Edit (for ethernet2) > MIP > New: Enter the following, then click OK:

Mapped IP: 2.2.2.3
Netmask: 255.255.255.255
Host IP Address: 10.1.1.3

4. Policies

Policies > (From: Trust, To: DMZ) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), phone1
Destination Address: Address Book Entry: (select), proxy
Service: SIP
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable
(DIP on): None (Use Egress Interface IP)

Policies > (From: DMZ, To: Untrust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), proxy
Destination Address: Address Book Entry: (select), phone2
Service: SIP
Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), phone2
Destination Address: Address Book Entry: (select), phone1
Service: SIP
Action: Permit

Policies > (From: Untrust, To: DMZ) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), phone2
Destination Address: Address Book Entry: (select), proxy
Service: SIP
Action: Permit

Policies > (From: DMZ, To: Trust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), proxy
Destination Address: Address Book Entry: (select), MIP(2.2.2.3)
Service: SIP
Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), phone1
Destination Address: Address Book Entry: (select), phone2
Service: SIP
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable
(DIP on): None (Use Egress Interface IP)

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet2 zone dmz
set interface ethernet2 ip 2.2.2.1/24
set interface ethernet2 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address dmz proxy 2.2.2.4/24

3. MIP
set interface ethernet2 mip 2.2.2.3 host 10.1.1.3

4. Policies
set policy from trust to dmz phone1 proxy sip nat src permit
set policy from dmz to untrust proxy phone2 sip permit
set policy from untrust to trust phone2 phone1 sip permit
set policy from untrust to dmz phone2 proxy sip permit
set policy from dmz to trust proxy mip(2.2.2.3) sip permit
set policy from trust to untrust phone1 phone2 sip nat src permit
save

Example: Untrust Intrazone

In this example, phone1 is on the ethernet4 interface in the Untrust zone, phone2 is in a subnet on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet1 interface in the Trust zone.

To allow intrazone SIP traffic between the two phones in the Untrust zone, you create a loopback interface, add ethernet3 and ethernet4 to a loopback group, then put a MIP on the loopback interface to the IP address of the proxy server. Creating a loopback interface enables you to use a single MIP for the proxy server in the Trust zone. For more information about using loopback interfaces, see "MIP and the Loopback Interface" on page 8-73.

Because blocking is on by default in the Untrust zone, you must also turn off blocking to allow intrazone communication. Note that with intrazone blocking turned off, all traffic between interfaces in the Untrust zone passes without a policy lookup, not only SIP; if you need to restrict intrazone traffic to SIP, leave blocking on and create explicit intrazone policies instead.

Figure 18: Untrust Intrazone
[Security device: ethernet1 10.1.1.1/24 in the Trust zone (LAN, proxy 10.1.1.5); ethernet4 1.1.1.1/24 in the Untrust zone (phone1 1.1.1.4); ethernet3 1.1.2.1/24 in the Untrust zone (phone2 1.1.2.4); loopback.1 1.1.4.1/24 in the Untrust zone, with MIP 1.1.4.5 -> 10.1.1.5 on loopback.1.]

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet4): Enter the following, then click OK:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.2.1/24

Network > Interfaces > New Loopback IF: Enter the following, then click OK:

Interface Name: loopback.1
Zone: Untrust (trust-vr)
IP Address/Netmask: 1.1.4.1/24

2. Loopback Group

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

As member of loopback group: (select) loopback.1
Zone Name: Untrust

Network > Interfaces > Edit (for ethernet4): Enter the following, then click OK:

As member of loopback group: (select) loopback.1
Zone Name: Untrust

3. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/32
Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.2.4/32
Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.5/32
Zone: Trust

4. MIP

Network > Interfaces > Edit (for loopback.1) > MIP > New: Enter the following, then click OK:

Mapped IP: 1.1.4.5
Netmask: 255.255.255.255
Host IP Address: 10.1.1.5
Host Virtual Router Name: trust-vr

5. Blocking

Network > Zones > Edit (for Untrust): Enter the following, then click OK:

Block Intra-Zone Traffic: (clear)

6. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), proxy
Destination Address: Address Book Entry: (select), Any
Service: SIP
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable
(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), Any
Destination Address: Address Book Entry: (select), MIP(1.1.4.5)
Service: SIP
Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.2.1/24
set interface ethernet3 route
set interface ethernet4 zone untrust
set interface ethernet4 ip 1.1.1.1/24
set interface ethernet4 route
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.4.1/24
set interface loopback.1 route

2. Loopback Group
set interface ethernet3 loopback-group loopback.1
set interface ethernet4 loopback-group loopback.1

3. Addresses
set address trust proxy 10.1.1.5/32
set address untrust phone1 1.1.1.4/32
set address untrust phone2 1.1.2.4/32

4. MIP
set interface loopback.1 mip 1.1.4.5 host 10.1.1.5

5. Blocking
unset zone untrust block

6. Policies
set policy from trust to untrust proxy any sip nat src permit
set policy from untrust to trust any mip(1.1.4.5) sip permit
save

Example: Trust Intrazone

In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet2 interface in a subnet in the Trust zone, and the proxy server is on the ethernet3 interface in the Untrust zone. To allow both phones in the Trust zone to communicate with each other, you configure Interface DIP on the ethernet3 interface to allow them to contact the proxy server, then set policies to allow bidirectional SIP traffic between the Trust and the Untrust zones. Blocking is off by default in the Trust zone (as it is in custom zones you define), so no blocking change is needed.

Figure 19: Trust Intrazone
[Security device: ethernet1 10.1.1.1/24 in the Trust zone (LAN, phone1 10.1.1.3); ethernet2 10.1.2.1/24 in the Trust zone (phone2 10.1.2.2); ethernet3 3.3.3.3/24 in the Untrust zone with Interface DIP (Internet, proxy server 3.3.3.4).]

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.2.1/24

Enter the following, then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 3.3.3.3/24

2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 10.1.2.2/24
Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 3.3.3.4/24
Zone: Untrust

3. DIP with Incoming NAT

Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:

Incoming NAT: (select)

4. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), Any
Destination Address: Address Book Entry: (select), proxy
Service: SIP
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable
(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:

Source Address: Address Book Entry: (select), proxy
Destination Address: Address Book Entry: (select), DIP(ethernet3)
Service: SIP
Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.2.1/24
set interface ethernet2 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address trust phone2 10.1.2.2/24
set address untrust proxy 3.3.3.4/24

3. Interface DIP
set interface ethernet3 dip interface-ip incoming

4. Policies
set policy from trust to untrust any proxy sip nat src permit
set policy from untrust to trust proxy dip(ethernet3) sip permit
save

Example: Full-Mesh VPN for SIP

In this example, the central office and two branch offices are linked by a full-mesh VPN. Each site has a single security device. phone1 is in the Trust zone at Branch Office One, and phone2 is in the Trust zone at Branch Office Two. The proxy server is in the Trust zone at the Central Office. All interfaces connecting the devices are in their respective Untrust zones. On each device, you configure two tunnels, one to each of the other devices, to create a fully meshed network. The preshared key netscreen used throughout this example is a placeholder; in a production deployment use a long, randomly generated key for each gateway pair.

NOTE: The security devices used in this example must have at least three independently configurable interfaces available.

Figure 20: Full-Mesh VPN for SIP
[Central Office: proxy 10.3.3.3 in the Trust zone behind eth2/8 10.3.3.1; eth2/1 1.1.1.6 and eth2/2 1.1.1.7 in the Untrust zone; tunnel.1 6.6.6.6 and tunnel.2 7.7.7.7. Branch Office One: phone1 10.1.1.3 in the Trust zone behind eth1 10.1.1.1; eth3 3.3.3.3 and eth4 4.4.4.4 in the Untrust zone; tunnel.2 and tunnel.3 unnumbered; gateway router to central 1.1.1.6, to branch-2 5.5.5.5. Branch Office Two: phone2 10.2.2.3 in the Trust zone behind eth1 10.2.2.1; eth3 2.2.2.2 and eth4 5.5.5.5 in the Untrust zone; tunnel.2 and tunnel.3 unnumbered; gateway router to central 1.1.1.7, to branch-1 4.4.4.4. VPN 1 links Central and Branch-1, VPN 2 links Central and Branch-2, VPN 3 links Branch-1 and Branch-2. The Untrust zone for each device is not shown.]

WebUI (for Central)

1. Interfaces

Network > Interfaces > Edit (for ethernet2/1): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.6/24

Network > Interfaces > Edit (for ethernet2/2): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.7/24

Network > Interfaces > Edit (for ethernet2/8): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.3.3.1/24

Enter the following, then click OK:

Interface mode: Route

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 1
Zone (VR): Untrust
IP Address / Netmask: 6.6.6.6/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 2
Zone (VR): Untrust
IP Address / Netmask: 7.7.7.7/24

2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: Proxy
IPv4/Netmask: 10.3.3.3/32
Zone: Trust

3. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-branch-1
Security Level: Standard
IPv4/v6 Address/Hostname: 3.3.3.3
Preshare Key: netscreen
Outgoing Interface: ethernet2/1

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-branch-1
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to: (select) Tunnel Interface, tunnel.1

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-branch-2
Security Level: Standard
IPv4/v6 Address/Hostname: 2.2.2.2
Preshare Key: netscreen
Outgoing Interface: ethernet2/2

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-branch-2
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to: (select) Tunnel Interface, tunnel.2

4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.1.1.0/24
Interface (select): tunnel.1

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.2.2.0/24
Interface (select): tunnel.2

5. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

Source Address (select) Address Book Entry: Proxy
Destination Address (select) Address Book Entry: Any-IPv4
Service: SIP
Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:

Source Address (select) Address Book Entry: Any-IPv4
Destination Address (select) Address Book Entry: Proxy
Service: SIP
Action: Permit

CLI (for Central)

1. Interfaces
set interface ethernet2/1 zone untrust
set interface ethernet2/1 ip 1.1.1.6/24
set interface ethernet2/2 zone untrust
set interface ethernet2/2 ip 1.1.1.7/24
set interface ethernet2/8 zone trust
set interface ethernet2/8 ip 10.3.3.1/24
set interface ethernet2/8 route
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 6.6.6.6/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 7.7.7.7/24

2. Address
set address trust proxy 10.3.3.3/32

3. VPN
set ike gateway to-branch-1 address 3.3.3.3 main outgoing-interface ethernet2/1 preshare netscreen sec-level standard
set ike gateway to-branch-2 address 2.2.2.2 main outgoing-interface ethernet2/2 preshare netscreen sec-level standard

set vpn vpn-branch-1 gateway to-branch-1 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-1 id 1 bind interface tunnel.1
set vpn vpn-branch-2 gateway to-branch-2 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-2 id 2 bind interface tunnel.2

4. Routing
set route 10.1.1.0/24 interface tunnel.1
set route 10.2.2.0/24 interface tunnel.2

5. Policies
set policy from untrust to trust any proxy sip permit
set policy from trust to untrust proxy any sip permit
save

WebUI (for Branch Office 1)

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24
Interface mode: Route

Network > Interfaces > Edit (for ethernet3): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 3.3.3.3/24

Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 4.4.4.4/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 2
Zone (VR): Untrust
Unnumbered (select)
Interface: ethernet3

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 3
Zone (VR): Untrust
Unnumbered (select)
Interface: ethernet4

2. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-central
Security Level: Standard
IPv4/v6 Address/Hostname: 1.1.1.6
Preshare Key: netscreen
Outgoing Interface: ethernet3

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-central
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.2

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-ns50
Security Level: Standard
IPv4/v6 Address/Hostname: 5.5.5.5
Preshare Key: netscreen
Outgoing Interface: ethernet4

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-ns50
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.3

3. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone1
IPv4/Netmask: 10.1.1.3/32
Zone: Trust

4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.3.3.0/24
Interface (select): tunnel.2

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.2.2.0/24
Interface (select): tunnel.3

5. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, then click OK:

Source Address (select) Address Book Entry: phone1
Destination Address (select) Address Book Entry: Any-IPv4
Service: SIP
Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:

Source Address (select) Address Book Entry: Any-IPv4
Destination Address (select) Address Book Entry: phone1
Service: SIP
Action: Permit

CLI (for Branch Office 1)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 4.4.4.4/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4

2. Address
set address trust phone1 10.1.1.3/32

3. VPN
set ike gateway to-central address 1.1.1.6 main outgoing-interface ethernet3 preshare netscreen sec-level standard
set ike gateway to-ns50 address 5.5.5.5 main outgoing-interface ethernet4 preshare netscreen sec-level standard
set vpn vpn-central gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpn-central bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 bind interface tunnel.3

4. Routes
set route 10.3.3.0/24 interface tunnel.2
set route 10.2.2.0/24 interface tunnel.3

5. Policies
set policy from trust to untrust phone1 any sip permit
set policy from untrust to trust any phone1 sip permit
save

WebUI (for Branch Office 2)

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.2.2.1/24

Enter the following, then click OK:

Interface mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 2.2.2.2/24

Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:

Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 5.5.5.5/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 2
Zone (VR): Untrust
Unnumbered (select)
Interface: ethernet3

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:

Tunnel Interface Name: 3
Zone (VR): Untrust
Unnumbered (select)
Interface: ethernet4

2. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-central
Security Level: Standard
IPv4/v6 Address/Hostname: 1.1.1.7
Preshare Key: netscreen
Outgoing Interface: ethernet3

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-central
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.2

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: to-ns50
Security Level: Standard
IPv4/v6 Address/Hostname: 4.4.4.4
Preshare Key: netscreen
Outgoing Interface: ethernet4

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: vpn-ns50
Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.3

3. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: phone2
IPv4/Netmask: 10.2.2.3/32
Zone: Trust

4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.3.3.0/24
Interface (select): tunnel.2

Network > Routing > Destination > New: Enter the following, then click OK:

Network Address / Netmask: 10.1.1.0/24
Interface (select): tunnel.3

5. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

Source Address (select) Address Book Entry: phone2
Destination Address (select) Address Book Entry: Any-IPv4
Service: SIP
Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:

Source Address (select) Address Book Entry: Any-IPv4
Destination Address (select) Address Book Entry: phone2
Service: SIP
Action: Permit

CLI (for Branch Office 2)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 5.5.5.5/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4

2. Address
set address trust phone2 10.2.2.3/32

3. VPN
set ike gateway to-central address 1.1.1.7 main outgoing-interface ethernet3 preshare netscreen sec-level standard
set ike gateway to-ns50 address 4.4.4.4 main outgoing-interface ethernet4 preshare netscreen sec-level standard
set vpn vpn-central gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpn-central id 4 bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 id 5 bind interface tunnel.3

4. Routes
set route 10.3.3.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.3

5. Policies
set policy from trust to untrust phone2 any sip permit
set policy from untrust to trust any phone2 sip permit
save

Bandwidth Management for VoIP Services

We recommend the following ways to manage bandwidth for VoIP services, using the standard ScreenOS traffic shaping mechanisms:

Guarantee bandwidth for VoIP traffic—The most effective way to ensure quality VoIP service, and still allow other types of traffic on the interface, is to create a policy guaranteeing the minimum bandwidth necessary for the amount of VoIP traffic you expect on the interface and set priority queuing to the highest level. The advantage of this strategy is that VoIP traffic can use additional bandwidth when it is available, and other types of traffic can use bandwidth not guaranteed for VoIP when VoIP traffic is not using it.

Limit bandwidth for non-VoIP traffic—By setting a maximum bandwidth for non-VoIP traffic, you make the remaining bandwidth available to VoIP traffic. You would also set priority queuing to the highest level for VoIP traffic. The disadvantage of this method is that non-VoIP traffic cannot use additional bandwidth even when VoIP traffic is not using it.

Use priority queuing and Differentiated Services Codepoint (DSCP) marking—Guaranteeing bandwidth for VoIP traffic and limiting bandwidth for non-VoIP traffic both govern throughput on the security device only. DSCP marking enables you to preserve your priority-queuing settings downstream, and to keep or change the received DSCP value set by the originating networking device upstream, so that the next-hop router, typically the LAN or WAN edge router, can enforce Quality of Service (QoS) in its DiffServ domain. In VPN configurations, the security device marks the outer header of the IP packet (if the policy is configured to do so) or leaves the TOS byte as 0, so that the next-hop router can enforce the correct QoS on the encrypted traffic. For information about how DSCP works with priority levels in policies, see "Traffic Shaping" on page 195.

Figure 21 on page 65 shows how priority-level settings can affect guaranteed bandwidth (gbw) and maximum bandwidth (mbw) usage on an ethernet1 (2 Mbps) interface. The illustration assumes you have determined you need to support at least eight VoIP calls (8 x 64 Kbps bandwidth per call, for a total of 512 Kbps) and occasionally as many as 16 calls. You have guaranteed the remaining bandwidth to general office traffic and have set maximum bandwidth for your office traffic to include bandwidth not guaranteed to VoIP. This creates a 512 Kbps overlap of maximum bandwidth for VoIP and office-traffic services, shown by the dashed lines. The left side of Figure 21 shows what bandwidth usage with these settings looks like with high office-traffic usage and low VoIP traffic usage on the interface. If VoIP traffic suddenly needs more bandwidth, it cannot get it unless it has a higher priority than the office-traffic services. The right side of Figure 21 shows what bandwidth usage looks like in the same circumstance when you give VoIP traffic a higher priority and set office traffic to a lower priority. For more information about configuring bandwidth and priority levels, see "Traffic Shaping" on page 176.

Figure 21: Priority-Level Settings
[2 Mbps total bandwidth on ethernet1. Left panel, guaranteed and maximum bandwidth settings only: VoIP traffic gbw 512 Kbps, mbw 1024 Kbps; office traffic gbw 1024 Kbps, mbw 1536 Kbps; the 512 Kbps overlap of the two maximums is drawn with dashed lines. Right panel, the same settings with priority levels added, VoIP high and office traffic low.]
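A small allocation model of Figure 21, added here as an illustrative example that is not part of the original guide and is not a description of the ScreenOS scheduler. It uses the figure's numbers (2 Mbps link, VoIP gbw 512 and mbw 1024 Kbps, office gbw 1024 and mbw 1536 Kbps) and hands out capacity in two passes: every class first receives its guarantee, then whatever is left goes out in priority order, each class taking up to its maximum. The tie-break rule for classes at the same priority level (the class already holding excess capacity keeps it) is an assumption of this model chosen to reproduce the left side of the figure, where a VoIP burst cannot displace office traffic unless VoIP has the higher priority.

```python
# Added illustrative model (not ScreenOS code) of gbw/mbw/priority interaction.
from dataclasses import dataclass

LINK_KBPS = 2048  # ethernet1 at 2 Mbps, as in Figure 21
KBPS_PER_CALL = 64


@dataclass(frozen=True)
class ShapingClass:
    name: str
    gbw: int       # guaranteed bandwidth, Kbps
    mbw: int       # maximum bandwidth, Kbps
    priority: int  # 0 = highest, 7 = lowest


def allocate(link_kbps, classes, demand, holding=None):
    """Return {class name: Kbps granted} for one scheduling round.

    demand  -- Kbps each class is trying to send right now
    holding -- grant from the previous round; only used to break ties between
               classes of equal priority (assumption: the incumbent is served
               first, so excess capacity is not taken away from it)
    """
    holding = holding or {}
    if sum(c.gbw for c in classes) > link_kbps:
        raise ValueError("guarantees exceed link capacity")
    # Pass 1: every class gets its guarantee (or less, if it wants less).
    grant = {c.name: min(demand.get(c.name, 0), c.gbw) for c in classes}
    spare = link_kbps - sum(grant.values())
    # Pass 2: remaining capacity by priority, incumbents first within a level.
    order = sorted(classes, key=lambda c: (c.priority, -holding.get(c.name, 0)))
    for c in order:
        want = min(demand.get(c.name, 0), c.mbw) - grant[c.name]
        extra = max(0, min(want, spare))
        grant[c.name] += extra
        spare -= extra
    return grant


def figure_21(voip_priority, office_priority):
    """Replay the figure: office traffic is busy, then VoIP bursts to 16 calls.

    Returns (quiet_round, burst_round) grants."""
    voip = ShapingClass("voip", gbw=512, mbw=1024, priority=voip_priority)
    office = ShapingClass("office", gbw=1024, mbw=1536, priority=office_priority)
    classes = (voip, office)
    quiet = allocate(LINK_KBPS, classes,
                     {"voip": 8 * KBPS_PER_CALL, "office": 1536})
    burst = allocate(LINK_KBPS, classes,
                     {"voip": 16 * KBPS_PER_CALL, "office": 1536}, holding=quiet)
    return quiet, burst


if __name__ == "__main__":
    print("equal priority (left side):   ", figure_21(0, 0))
    print("VoIP higher priority (right): ", figure_21(0, 7))
```

With equal priorities the burst round leaves VoIP at its 512 Kbps guarantee while office traffic keeps 1536 Kbps; with VoIP at priority 0 and office at 7, the same burst gives VoIP 1024 Kbps and pushes office traffic back to its 1024 Kbps guarantee.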


Chapter 3
Media Gateway Control Protocol Application Layer Gateway

This chapter presents an overview of the Media Gateway Control Protocol (MGCP) Application Layer Gateway (ALG) and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the MGCP architecture. This chapter includes the following sections:

"Overview" on page 67
"MGCP Security" on page 68
"About MGCP" on page 68
"Examples" on page 73

Overview

The Media Gateway Control Protocol (MGCP) is supported on security devices in route, transparent, and Network Address Translation (NAT) mode. MGCP is a text-based Application Layer protocol used for call setup and control. MGCP is based on a master-slave call control architecture in which the media gateway controller, via the call agent, maintains call control intelligence, while the media gateways carry out the instructions of the call agent.

The MGCP ALG performs the following procedures:

Conducts VoIP signaling payload inspection. The payload of the incoming VoIP signaling packet is fully inspected based on related RFCs and proprietary standards. Any malformed-packet attack is blocked by the ALG.

Conducts MGCP signaling payload inspection. The payload of the incoming MGCP signaling packet is fully inspected in accordance with RFC 3435. Any malformed-packet attack is blocked by the ALG.

Provides stateful processing. The corresponding VoIP-based state machines are invoked to process the parsed information. Any out-of-state or out-of-transaction packet is identified and properly handled.

Performs Network Address Translation (NAT). Any embedded IP address and port information in the payload is properly translated based on the existing routing information and network topology, and is replaced with the translated IP address and port number, if necessary.

Manages pinholes for VoIP traffic. To keep the VoIP network secure, the IP address and port information used for media or signaling is identified by the ALG, and any needed pinhole is dynamically created and closed during call setup.

MGCP Security

The MGCP ALG includes the following security features:

Denial of Service (DoS) attack protection—the ALG performs stateful inspection at the UDP packet level, the transaction level, and at the call level. MGCP packets matching the RFC 3435 message format, transaction state, and call state are processed. All other messages are dropped.

Firewall policy enforcement between gateway and gateway controller (signaling policy).

Firewall policy enforcement between gateways (media policy). Any malfunctioning or hacked gateway will not disrupt the whole VoIP network. Combined with per-gateway flooding control, damage is contained within the impacted gateway.

Per-gateway MGCP message flooding control.

Per-gateway MGCP connection flooding control.

Seamless switchover/failover if calls, including calls in progress, are switched to the standby firewall in case of system failure.

About MGCP

MGCP is a text-based, application layer protocol that can be used for call setup and control. The protocol is based on a master/slave call control architecture: the media gateway controller (call agent) maintains call control intelligence, and media gateways carry out the instructions from the call agent.

Entities in MGCP

There are four basic entities in MGCP:

"Endpoint" on page 69
"Connection" on page 69
"Call" on page 69
"Call Agent" on page 69

Endpoint

A media gateway (MG) is a collection of endpoints. An endpoint can be an analog line, trunk, or any other access point. An endpoint is named as below:
local-endpoint-name@domain-name
The following are some valid endpoint IDs:
group1/Trk8@mynetwork.net
group2/Trk1/*@[192.168.10.8] (wild-carding)
$@voiptel.net (any endpoint within the MG)
*@voiptel.net (all endpoints within the MG)

Connection

Connections are created on each endpoint by a MG during call setup. A typical VoIP call involves two connections. A complex call, for example a three-party call or conference call, might require more connections. The media gateway controller (MGC) can instruct media gateways to create, modify, delete and audit a connection. A connection is identified by its connection ID, which is created by the MG when it is requested to create a connection. Connection ID is presented as a hexadecimal string, and its maximum length is 32 characters.

Call

A call is identified by its call ID, which is created by the MGC when establishing a new call. Call ID is unique within the MGC. Two or more connections can have the same call ID if they belong to the same call. Call ID is a hexadecimal string with a maximum length of 32 characters.

Call Agent

One or more call agents (also called media gateway controllers) are supported in MGCP to enhance reliability in the VoIP network. The following are two examples of call agent names:
CallAgent@voipCA.mynetwork.com
voipCA.mynetwork.com
Several network addresses can be associated under one domain name in the Domain Name System (DNS). By keeping track of the time to live (TTL) of DNS query/response data and implementing retransmission using other alternative network addresses, switchover and failover is achieved in MGCP.

The concept of notified entity is essential in MGCP. The notified entity for an endpoint is the call agent currently controlling that endpoint. An endpoint should send any MGCP command to its notified entity. However, different call agents might send MGCP commands to this endpoint.

The notified entity is set to a provisioned value upon startup, but could be changed by a call agent through the use of a Notified Entity parameter contained in a MGCP message. If the notified entity for an endpoint is empty or has not been set explicitly, its value defaults to the source address of the last successful non-audit MGCP command received for that endpoint.

Commands

The MGCP protocol defines nine commands for controlling endpoints and connections. All commands are composed of a command header, optionally followed by session description protocol (SDP) information. A command header has the following elements:
A command line: command verb + transaction ID + endpointId + MGCP version.
Zero or more parameter lines, composed of a parameter name followed by a parameter value.
Table 3 lists supported MGCP commands, with a description of each, the command syntax, and examples. Refer to RFC 3435, whose grammar is written in the ABNF of RFC 2234, for a complete explanation of command syntax.

Table 3: MGCP Commands (page 1 of 3)

EPCF (EndpointConfiguration)
Description: used by a call agent to inform a gateway of coding characteristics (a-law or mu-law) expected by the line side of the endpoint.
Command syntax: EndpointConfiguration (EndpointId, [BearerInformation])
Response: ReturnCode, [PackageList]
Example:
EPCF 2012 wxx/T2@mynet.net MGCP 1.0
B: e:mu

CRCX (CreateConnection)
Description: used by a call agent to instruct the gateway to create a connection with an endpoint inside the gateway.
Command syntax: CreateConnection (CallId, EndpointId, [NotifiedEntity,] [LocalConnectionOptions,] Mode, [{RemoteConnectionDescriptor | SecondEndpointId},] [encapsulated RQNT,] [encapsulated EPCF])
Response: ReturnCode, [ConnectionId,] [SpecificEndPointId,] [LocalConnectionDescriptor,] [SecondEndPointId,] [SecondConnectionId,] [PackageList]
Example:
CRCX 1205 aaln/1@gw-25.att.net MGCP 1.0
C: A3C47F21456789F0
L: p:10, a:PCMU
M: sendrecv
X: 0123456789AD
R: L/hd
S: L/rg

v=0
o=- 25678 753849 IN IP4 128.96.41.1
s=-
c=IN IP4 128.96.41.1
t=0 0
m=audio 3456 RTP/AVP 0

Table 3: MGCP Commands (page 2 of 3)

MDCX (ModifyConnection)
Description: used by a call agent to instruct a gateway to change the parameters for an existing connection.
Command syntax: ModifyConnection (CallId, EndpointId, ConnectionId, [NotifiedEntity,] [LocalConnectionOptions,] [Mode,] [RemoteConnectionDescriptor,] [encapsulated RQNT,] [encapsulated EPCF])
Response: ReturnCode, [LocalConnectionDescriptor,] [PackageList]
Example:
MDCX 1210 aaln/1@rgw-25.att.net MGCP 1.0
C: A3C47F21456789F0
I: FDE234C8
M: recvonly
X: 0123456789AE
R: L/hu
S: G/rt

v=0
o=- 4723891 7428910 IN IP4 128.96.63.25
s=-
c=IN IP4 128.96.63.25
t=0 0
m=audio 3456 RTP/AVP 0

DLCX (DeleteConnection)
Description: used by a call agent to instruct a gateway to delete an existing connection. DeleteConnection can also be used by a gateway to release a connection that can no longer be sustained.
Command syntax: DeleteConnection (CallId, EndpointId, ConnectionId, [NotifiedEntity,] [encapsulated RQNT,] [encapsulated EPCF])
Response: ReturnCode, ConnectionParameters, [PackageList]
Example 1: MGC -> MG
DLCX 9210 aaln/1@rgw-25.att.net MGCP 1.0
C: A3C47F21456789F0
I: FDE234C8
Example 2: MG -> MGC
DLCX 9310 aaln/1@rgw-25.att.net MGCP 1.0
C: A3C47F21456789F0
I: FDE234C8
E: 900 - Hardware error
P: PS=1245, OS=62345, PR=780, OR=45123, PL=10, JI=27, LA=48

RQNT (NotificationRequest)
Description: the NotificationRequest command is used by a call agent to instruct a MG to monitor for certain event(s) or signal(s) for a specific endpoint.
Command syntax: NotificationRequest (EndpointId, [NotifiedEntity,] RequestIdentifier, [RequestedEvents,] [DigitMap,] [SignalRequests,] [QuarantineHandling,] [DetectEvents,] [encapsulated EPCF])
Response: ReturnCode, [PackageList]
Example:
RQNT 1205 aaln/1@rgw-25.att.net MGCP 1.0
N: ca@ca1.att.net:5678
X: 0123456789AA
R: L/hd(A, E(S(L/dl),R(L/oc,L/hu,D/[0-9#*T](D))))
D: (0T|00T|xx|91xxxxxxxxxx|9011x.T)
S:
T: G/ft

NTFY (Notify)
Description: used by a gateway to inform the call agent when requested event(s) or signal(s) occur.
Command syntax: Notify (EndpointId, [NotifiedEntity,] RequestIdentifier, ObservedEvents)
Response: ReturnCode, [PackageList]
Example:
NTFY 2002 aaln/1@rgw-25.att.net MGCP 1.0
N: ca-new@callagent-ca.att.net
X: 0123456789AC
O: L/hd,D/9,D/1,D/2,D/0,D/1,D/8,D/2,D/9,D/6,D/4,D/7

Table 3: MGCP Commands (page 3 of 3)

AUEP (AuditEndpoint)
Description: used by a call agent to audit the status of the endpoint.
Command syntax: AuditEndpoint (EndpointId, [RequestedInfo])
Response: ReturnCode, EndPointIdList, | { [RequestedEvents,] [QuarantineHandling,] [DigitMap,] [SignalRequests,] [RequestIdentifier,] [NotifiedEntity,] [ConnectionIdentifier,] [DetectEvents,] [ObservedEvents,] [EventStats,] [BearerInformation,] [BearerMethod,] [RestartDelay,] [ReasonCode,] [MaxMGCPDatagram,] [Capabilities]} [PackageList]
Example 1:
AUEP 1201 aaln/1@rgw-25.att.net MGCP 1.0
F: A,R,D,S,X,N,I,T,O
Example 2:
AUEP 1200 *@rgw-25.att.net MGCP 1.0

AUCX (AuditConnection)
Description: used by a call agent to collect the parameters applied to a connection.
Command syntax: AuditConnection (EndpointId, ConnectionId, RequestedInfo)
Response: ReturnCode, [CallId,] [NotifiedEntity,] [LocalConnectionOptions,] [Mode,] [RemoteConnectionDescriptor,] [LocalConnectionDescriptor,] [ConnectionParameters,] [PackageList]
Example:
AUCX 3003 aaln/1@rgw-25.att.net MGCP 1.0
I: 32F345E2
F: C,N,L,M,LC,P

RSIP (RestartInProgress)
Description: used by a gateway to notify a call agent that one or more endpoints are being taken out of service or placed back in service.
Command syntax: RestartInProgress (EndpointId, RestartMethod, [RestartDelay,] [ReasonCode])
Response: ReturnCode, [NotifiedEntity,] [PackageList]
Example:
RSIP 5200 aaln/1@rg2-25.att.net MGCP 1.0
RM: graceful
RD: 300

Response Codes

Every command sent by the calling agent or gateway, whether successful or not, requires a response code. The response code is in the header of the response message. The response header is composed of a response line, followed by zero or more parameter lines, each containing a parameter name letter followed by its value, and optionally followed by session description information. The response line is composed of a 3-digit response code, the transaction ID, and optional commentary. The response header in the following response message shows the response code 200 (successful completion), followed by ID 1204, and the comment OK:

200 1204 OK
I: FDE234C8

v=0
o=- 25678 753849 IN IP4 128.96.41.1
s=-
c=IN IP4 128.96.41.1
t=0 0
m=audio 3456 RTP/AVP 96
a=rtpmap:96 G726-32/8000

The ranges of response codes are defined as follows:
000 – 099: indicate a response acknowledgement.
100 – 199: indicate a provisional response.
200 – 299: indicate a successful completion (final response).
400 – 499: indicate a transient error (final response).
500 – 599: indicate a permanent error (final response).
Refer to RFC 3661 for detailed information about response codes.

A media gateway can receive MGCP commands from various network addresses simultaneously, and send back responses to the corresponding network addresses. However, it sends all MGCP commands to its current notified entity. A response to a command is sent to the source address of the command, not to the current notified entity.

Examples

This section includes the following configuration scenarios:
“Media Gateway in Subscribers’ Homes—Call Agent at the ISP” on page 73
“ISP-Hosted Service” on page 76

Media Gateway in Subscribers’ Homes—Call Agent at the ISP

In this example (see Figure 22) you configure a security device at a Cable Service Provider to support MGCP for their network of residential subscribers. An Integrated Access Device (IAD), or set-top box, is in each subscriber’s home, acting as a gateway; each IAD represents a separate residence. The security device and the call agent are on the cable service provider’s premises. The call agent is in the trust_ca zone; residential customers are in the untrust_subscriber zone. Although gateways frequently reside in different zones, requiring policies for media traffic, in this example both gateways are in the same subnet, therefore no policy is needed for media. RTP traffic between the gateways never passes through the firewall.

After creating zones (untrust_subscriber for the customers and trust_ca for the service provider), you configure addresses, and then policies.

Figure 22: Media Gateway in Subscribers’ Home
Untrust side (subscriber network 2.2.2.0/24, reached through ethernet3 at 2.2.2.2): IADs, each with IP phones behind it.
Trust side (cable service provider network, reached through ethernet4 at 10.1.1.2): call agent at 10.1.1.101.

WebUI

1. Zones
Network > Zones > New: Enter the following, then click OK:
Zone Name: untrust_subscriber
Network > Zones > New: Enter the following, then click OK:
Zone Name: trust_ca

2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: SubscriberSubNet
Comment: Our subscribers’ network
IP Address/Domain Name: IP/Netmask: (select), 2.2.2.0/24
Zone: untrust_subscriber
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: call_agent1
Comment: Our No. 1 call agent
IP Address/Domain Name: IP/Netmask: (select), 10.1.1.101/32
Zone: trust_ca

3. Interfaces
Network > Interfaces > Edit (for ethernet3): Enter the following, then click Apply:
Zone Name: untrust_subscriber
Static IP: (select this option when present)
IP Address/Netmask: 2.2.2.2/24
Enter the following, then click OK:
Interface Mode: route
Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:
Zone Name: trust_ca
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.2/24
Enter the following, then click OK:
Interface Mode: route

4. Policies
Policies > (From: trust_ca, To: untrust_subscriber) New: Enter the following, then click OK:
Name: Pol-CA-To-Subscribers
Source Address: Address Book Entry: (select), call_agent1
Destination Address: Address Book Entry: (select), SubscriberSubNet
Service: MGCP-UA
Action: Permit
Policies > (From: untrust_subscriber, To: trust_ca) New: Enter the following, then click OK:
Name: Pol-Subscribers-To-CA
Source Address: Address Book Entry: (select), SubscriberSubNet
Destination Address: Address Book Entry: (select), call_agent1
Service: MGCP-CA
Action: Permit

CLI

1. Zones
set zone name untrust_subscriber
set zone name trust_ca

2. Addresses
set address untrust_subscriber SubscriberSubNet 2.2.2.0 255.255.255.0 “Our subscribers’ network”
set address trust_ca call_agent1 10.1.1.101 255.255.255.255 “Our No. 1 call agent”

3. Interfaces
set interface ethernet3 zone untrust_subscriber
set interface ethernet3 ip 2.2.2.2/24
set interface ethernet3 route
set interface ethernet4 zone trust_ca
set interface ethernet4 ip 10.1.1.2/24
set interface ethernet4 route

4. Policies
set policy name Pol-CA-To-Subscribers from trust_ca to untrust_subscriber call_agent1 SubscriberSubNet mgcp-ua permit
set policy name Pol-Subscribers-To-CA from untrust_subscriber to trust_ca SubscriberSubNet call_agent1 mgcp-ca permit

ISP-Hosted Service

In this example (see Figure 23), an ISP located on the American west coast provides MGCP service to customers in Asia and San Francisco. Asia customers are in the Untrust zone, supported by the gateway asia_gw (3.3.3.110). San Francisco customers are in the Trust zone, supported by the gateway sf_gw (2.2.2.201). The call agent west_ca (10.1.1.101) is in the DMZ.

To protect the IP address of the call agent in the DMZ from exposure, you place a MIP on ethernet6; that is, you map the IP address of the call agent (10.1.1.101) to an IP address from the pool of addresses on the ethernet6 interface, in this case 3.3.3.101. After setting addresses for the gateways and the call agent, you configure the interfaces, putting ethernet4 and ethernet5, which are trusted, in route mode to allow them to stream media directly after call setup. Finally, you create policies. To allow MGCP signaling between the call agent in the DMZ and the gateway in the Untrust zone, you create one policy for each direction, referencing the MIP that protects the call agent. You create another pair of policies to allow signaling between the call agent and the gateway in the Trust zone. A single policy is sufficient to allow bidirectional communication between gateways in the Trust and Untrust zones.

Figure 23: ISP-Hosted Service
DMZ (ethernet5 at 10.1.1.10): call agent west_ca 10.1.1.101.
Trust zone (ethernet4 at 2.2.2.10): gateway sf_gw 2.2.2.201 and its IP phones.
Untrust zone (ethernet6 at 3.3.3.10): gateway asia_gw 3.3.3.110 and its IP phones.
MIP on ethernet6: 3.3.3.101 -> 10.1.1.101 (virtual device standing in for the call agent).

WebUI

1. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: sf_gw
Comment: gateway in s.f.
IP Address/Domain Name: IP/Netmask: (select), 2.2.2.201/32
Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: asia_gw
Comment: gateway in asia
IP Address/Domain Name: IP/Netmask: (select), 3.3.3.110/32
Zone: Untrust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: west_ca
Comment: ca in west coast
IP Address/Domain Name: IP/Netmask: (select), 10.1.1.101/32
Zone: DMZ

2. Interfaces
Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 2.2.2.10/24
Enter the following, then click OK:
Interface Mode: route
Network > Interfaces > Edit (for ethernet5): Enter the following, then click Apply:
Zone Name: DMZ
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.10/24
Enter the following, then click OK:
Interface Mode: route
Network > Interfaces > Edit (for ethernet6): Enter the following, then click Apply:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 3.3.3.10/24

3. MIP
Network > Interfaces > Edit (for ethernet6) > MIP > New: Enter the following, then click OK:
Mapped IP: 3.3.3.101
Netmask: 255.255.255.255
Host IP Address: 10.1.1.101
Host Virtual Router Name: trust-vr

4. Policies
Policies > (From: DMZ, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), west_ca
Destination Address: Address Book Entry: (select), asia_gw
Service: MGCP-UA
Action: Permit
Policies > (From: Untrust, To: DMZ) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), asia_gw
Destination Address: Address Book Entry: (select), MIP(3.3.3.101)
Service: MGCP-CA
Action: Permit

Policies > (From: Trust, To: DMZ) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), sf_gw
Destination Address: Address Book Entry: (select), west_ca
Service: MGCP-CA
Action: Permit
Policies > (From: DMZ, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), west_ca
Destination Address: Address Book Entry: (select), sf_gw
Service: MGCP-UA
Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), sf_gw
Destination Address: Address Book Entry: (select), asia_gw
Service: MGCP-UA
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: (select)
DIP on: None (Use Egress Interface IP)

CLI

1. Addresses
set address trust sf_gw 2.2.2.201/32 “gateway in s.f.”
set address untrust asia_gw 3.3.3.110/32 “gateway in asia”
set address dmz west_ca 10.1.1.101/32 “ca in west coast”

2. Interfaces
set interface ethernet4 zone trust
set interface ethernet4 ip 2.2.2.10/24
set interface ethernet4 route
set interface ethernet5 zone dmz
set interface ethernet5 ip 10.1.1.10/24
set interface ethernet5 route
set interface ethernet6 zone untrust
set interface ethernet6 ip 3.3.3.10/24

3. Mapped IP Address
set interface ethernet6 mip 3.3.3.101 host 10.1.1.101 netmask 255.255.255.255 vrouter trust-vr

4. Policies
set policy from dmz to untrust west_ca asia_gw mgcp-ua permit
set policy from untrust to dmz asia_gw mip(3.3.3.101) mgcp-ca permit
set policy from trust to dmz sf_gw west_ca mgcp-ca permit
set policy from dmz to trust west_ca sf_gw mgcp-ua permit
set policy from trust to untrust sf_gw asia_gw mgcp-ua nat src permit
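The message handling described under “Commands” and “Response Codes” above is what the MGCP ALG performs on every datagram before a policy is even consulted: check the command or response line against the RFC 3435 grammar, read the parameter lines, and pull the media address out of the SDP so that a pinhole can be opened for it. The following Python is an added example written for this chapter; it is not code from the ScreenOS guide or from Juniper. The two sample messages are the CRCX command and the 200 response printed in this chapter; the function names (parse, is_wellformed, response_class, media_endpoint) and the strictness rules are this example’s own.

```python
"""Strict parser for MGCP commands and responses (RFC 3435 framing).

Added example: not code from the ScreenOS guide or from Juniper. The two
sample messages are the CRCX command and the 200 response printed in this
chapter; the helper names and the rejection rules are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The nine command verbs of RFC 3435 (Table 3).
COMMAND_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT", "NTFY", "AUEP", "AUCX", "RSIP"}

# Command line: verb, transaction ID, endpoint, version.
_COMMAND_LINE = re.compile(
    r"^(?P<verb>[A-Z]{4}) (?P<txid>\d{1,9}) (?P<endpoint>\S+) MGCP (?P<version>\d+\.\d+)$")
# Response line: 3-digit code, transaction ID, optional commentary.
_RESPONSE_LINE = re.compile(r"^(?P<code>\d{3}) (?P<txid>\d{1,9})(?: (?P<comment>.*))?$")
# Parameter line: one- or two-character name, or an X-/X+ extension, then a colon.
_PARAM_LINE = re.compile(r"^(?P<name>X[-+][A-Za-z0-9]+|[A-Z][A-Z0-9]?): ?(?P<value>.*)$")


@dataclass
class MgcpMessage:
    kind: str                       # "command" or "response"
    txid: int
    verb: Optional[str] = None      # commands only
    endpoint: Optional[str] = None  # commands only
    code: Optional[int] = None      # responses only
    params: Dict[str, str] = field(default_factory=dict)
    sdp: List[str] = field(default_factory=list)


def parse(raw: str) -> MgcpMessage:
    """Parse one datagram; raise ValueError on anything off-grammar.

    An ALG drops what it cannot parse rather than guessing, so unknown
    verbs, non-numeric transaction IDs and stray header lines are rejected.
    """
    header, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = header.split("\n")
    m = _COMMAND_LINE.match(lines[0])
    if m:
        if m["verb"] not in COMMAND_VERBS:
            raise ValueError(f"unknown command verb {m['verb']!r}")
        msg = MgcpMessage("command", int(m["txid"]), verb=m["verb"], endpoint=m["endpoint"])
    else:
        m = _RESPONSE_LINE.match(lines[0])
        if not m:
            raise ValueError(f"malformed first line {lines[0]!r}")
        msg = MgcpMessage("response", int(m["txid"]), code=int(m["code"]))
    if not 1 <= msg.txid <= 999999999:
        raise ValueError(f"transaction ID {msg.txid} out of range")
    for line in lines[1:]:
        pm = _PARAM_LINE.match(line)
        if not pm:
            raise ValueError(f"malformed parameter line {line!r}")
        msg.params[pm["name"]] = pm["value"]
    msg.sdp = [l for l in body.split("\n") if l]   # SDP follows the blank line
    return msg


def is_wellformed(raw: str) -> bool:
    """True when parse() accepts the datagram, False when the ALG would drop it."""
    try:
        parse(raw)
        return True
    except ValueError:
        return False


def response_class(code: int) -> str:
    """Name the RFC 3435 range a response code falls in."""
    ranges = ((0, 99, "acknowledgement"), (100, 199, "provisional"), (200, 299, "success"),
              (400, 499, "transient error"), (500, 599, "permanent error"))
    for low, high, name in ranges:
        if low <= code <= high:
            return name
    raise ValueError(f"response code {code} is outside the defined ranges")


def media_endpoint(msg: MgcpMessage) -> Optional[Tuple[str, int]]:
    """(ip, port) from the SDP c= and m= lines: the pair the ALG opens a pinhole for."""
    ip = port = None
    for line in msg.sdp:
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return None if ip is None or port is None else (ip, port)


# The CRCX command and the 200 response shown in this chapter.
CRCX_SAMPLE = ("CRCX 1205 aaln/1@gw-25.att.net MGCP 1.0\nC: A3C47F21456789F0\nL: p:10, a:PCMU\n"
               "M: sendrecv\nX: 0123456789AD\nR: L/hd\nS: L/rg\n\nv=0\n"
               "o=- 25678 753849 IN IP4 128.96.41.1\ns=-\nc=IN IP4 128.96.41.1\nt=0 0\n"
               "m=audio 3456 RTP/AVP 0\n")
RESPONSE_SAMPLE = ("200 1204 OK\nI: FDE234C8\n\nv=0\no=- 25678 753849 IN IP4 128.96.41.1\ns=-\n"
                   "c=IN IP4 128.96.41.1\nt=0 0\nm=audio 3456 RTP/AVP 96\na=rtpmap:96 G726-32/8000\n")

if __name__ == "__main__":
    for sample in (CRCX_SAMPLE, RESPONSE_SAMPLE):
        msg = parse(sample)
        print(msg.kind, msg.verb or response_class(msg.code), msg.txid, media_endpoint(msg))
```

Feeding the CRCX sample through parse() yields the verb, transaction ID 1205, the endpoint aaln/1@gw-25.att.net and the media pair 128.96.41.1:3456; the 200 response classifies as a successful final response and carries the same media pair. A first line such as “CRCX abc x MGCP 1.0” is rejected, which is the behaviour the “malformed-packet attack is blocked” bullets above describe.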

Chapter 4
Skinny Client Control Protocol Application Layer Gateway

This chapter presents an overview of the Skinny Client Control Protocol (SCCP) Application Layer Gateway (ALG) and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the SCCP architecture.

This chapter includes the following sections:
“Overview” on page 81
“SCCP Security” on page 82
“About SCCP” on page 83
“Examples” on page 87

Overview

Skinny Client Control Protocol (SCCP) is supported on security devices in route, transparent, and Network Address Translation (NAT) modes. SCCP is a binary-based Application Layer protocol used for Voice-over-Internet Protocol (VoIP) call setup and control. In the SCCP architecture, a Cisco H.323 proxy, known as the Call Manager, does most of the processing. IP phones, also called End Stations, run the Skinny client and connect to a primary (and, if available, a secondary) Call Manager over TCP on port 2000 and register with the primary Call Manager. This connection is then used to establish calls coming to or from the client.

The SCCP ALG supports the following:
Call flow from a Skinny client, through the Call Manager, to another Skinny client.
Seamless failover—switches over all calls in process to the standby firewall during failure of the primary.
VoIP signaling payload inspection—fully inspects the payload of incoming VoIP signaling packets based on related RFCs and proprietary standards. Any malformed-packet attack is blocked by the ALG.
SCCP signaling payload inspection—fully inspects the payload of incoming SCCP signaling packets against the SCCP message format. (SCCP is a Cisco-proprietary protocol; RFC 3435, cited in the MGCP chapter, defines MGCP, not SCCP.) Any malformed-packet attack is blocked by the ALG.

Stateful processing—invokes the corresponding VoIP-based state machines to process the parsed information. Any out-of-state or out-of-transaction packet is identified and properly handled.
Network Address Translation (NAT)—translates any embedded IP address and port information in the payload, based on the existing routing information and network topology, replacing it with the translated IP address and port number.
Pinhole creation and management for VoIP traffic—identifies IP address and port information used for media or signaling and dynamically opens (and closes) pinholes to securely stream the media.

SCCP Security

The SCCP ALG includes the following security features:
Denial of Service (DoS) attack protection—the ALG performs stateful inspection at the packet level (SCCP signaling is carried over TCP, not UDP), the transaction level, and the call level. Packets matching the SCCP message format, transaction state, and call state are processed. All other messages are dropped.
Firewall policy enforcement between Cisco IP phones and the Call Manager (Intra-Cluster).
Firewall policy enforcement between Call Managers (Inter-Cluster).
Firewall policy enforcement between gateways (media policy).
Per-gateway SCCP connection flooding control.
Call Manager flood control—protects the Call Manager from being flooded with new calls either by an already compromised connected client or by a faulty device.
Seamless switchover/failover: calls, including calls in progress, are switched to the standby firewall in case of system failure.

About SCCP

The following sections give a brief overview of SCCP and how it works:
“SCCP Components” on page 83
“SCCP Transactions” on page 84
“SCCP Messages” on page 87

SCCP Components

The principal components of the SCCP VoIP architecture include the following:
SCCP Client
Call Manager
Cluster

SCCP Client

The SCCP client runs on an IP phone, also called an End Station, which uses SCCP for signaling and for making calls. In order for a Skinny client to make a call, it must first register with a Primary Call Manager (and a secondary, if available). The connection between the client and the Call Manager is over TCP on port 2000. This connection is then used to establish calls to or from the client. Transmission of media is over RTP, UDP, and IP.

Call Manager

The Call Manager is a Cisco H.323 server with overall control of all devices and communication in the SCCP VoIP network. Its functions include defining, monitoring and controlling SCCP groups, regions of numbers, and route plans; providing initialization, admission and registration of devices on the network; providing a redundant database that contains addresses, phone numbers, and number formats; and initiating contact with called devices or their agents to establish logical sessions in which voice communication can flow.

Cluster

A Cluster is a collection of SCCP clients and a Call Manager. The Call Manager in the cluster knows about all SCCP clients in the cluster. There can be more than one Call Manager for backup in a cluster. Call Manager behavior varies in each of the following cluster scenarios:
Intra-Cluster, in which the Call Manager knows about each SCCP client, and the call is between SCCP clients of the same cluster.
Inter-Cluster, in which the Call Manager needs to communicate with another Call Manager using H.323 for call setup.
Inter-Cluster calls using the gatekeeper for admission control and address resolution.

Call Manager behavior also varies with calls between an SCCP client and a phone in a Public Switched Telephone Network (PSTN), and with calls between an SCCP client and a phone in another administrative domain that is using H.323.

SCCP Transactions

SCCP transactions are the processes that need to take place in order for an SCCP call to proceed. SCCP transactions include the following:
Client Initialization
Client Registration
Call Setup
Media Setup

Client Initialization

To initialize, the SCCP client needs to know the IP address of the Call Manager, its own IP address, and other information about the IP gateway and DNS servers. Initialization takes place on the local LAN. The client sends a Dynamic Host Configuration Protocol (DHCP) request to get an IP address, the DNS server address, and the TFTP server name and address. The client needs the TFTP server name to download the configuration file sepmacaddr.cnf. If the TFTP name is not given, the client uses the default filename in the IP phone. The client then downloads the .cnf (XML) configuration file from the TFTP server. CNF files contain the IP address or addresses of the primary and secondary Cisco Call Manager. With this information, the client contacts the Call Manager to register.

Client Registration

The SCCP client, after initialization, registers with the Call Manager over a TCP connection on well-known default port 2000. The client registers by providing the Call Manager with its IP address, the MAC address of the phone, and other information, such as protocol and version. The client cannot initiate or receive calls until it is registered. Keepalive messages keep this TCP connection open between the client and Call Manager so that the client can initiate or receive calls at any time, provided that a policy on the security device allows this. Table 4 lists SCCP registration messages and indicates the messages that are of interest to the security device.

Table 4: SCCP Registration Messages
(Direction follows the message names: requests from the client, acknowledgements and responses from the Call Manager. The two messages marked of interest are the ones whose IDs appear in Table 5.)
Message | From Client | From Call Manager | Of Interest to Security Device
RegisterMessage | x | | x
IPPortMessage | x | | x
RegisterAckMessage | | x |
CapabilitiesRequest | | x |
CapabilitiesResMessage | x | |
ButtonTemplateReqMessage | x | |
ButtonTemplateResMessage | | x |
SoftKeyTemplateReqMessage | x | |
SoftKeyTemplateResMessage | | x |
LineStatReqMessage | x | |
LineStatMessage | | x |

Call Setup

IP phone-to-IP phone call setup using SCCP is always handled by the Call Manager. Messages for call setup are sent to the Call Manager, which returns messages appropriate to the status of the call. If call setup is successful, and a policy on the security device allows the call, the Call Manager sends the media setup messages to the client.

Media Setup

The Call Manager sends the IP address and port number of the called party to the calling party. The Call Manager also sends the media IP address and port number of the calling party to the called party. After media setup, media is transmitted directly between clients. When the call ends, the Call Manager is informed and terminates the media streams. At no time during this process does the Call Manager hand over call-setup function to the client. Media is streamed directly between clients through RTP/UDP/IP.

SCCP Control Messages and RTP Flow

Figure 24 shows the SCCP control messages used to set up and tear down a simple call between Phone1 and Phone2. Except for the OffHook message initiating the call from Phone1 and the OnHook message signaling the end of the call, all aspects of the call are controlled by the Call Manager.

Figure 24: Call Setup and Teardown
Call setup (Phone1, extension 2001, dials 2002):
Phone1 -> Call Manager: OffHook
Call Manager -> Phone1: CallState(OffHook, ln 1, CID 16777332)
Phone1 -> Call Manager: KeypadButton (dialed digits)
Call Manager -> Phone1: CallState(Proceed, ln 1, CID 16777332); CallInfo(Outbound, 2001->2002, ln 1, CID 16777332)
Call Manager -> Phone2: CallState(RingIn, ln 1, CID 16777333); CallInfo(Inbound, 2001->2002, ln 1, CID 16777333)
Call Manager -> Phone1: CallState(RingOut, ln 1, CID 16777332); CallInfo(Outbound, Orig: 2002, ln 1, CID 16777332)
Phone2 -> Call Manager: OffHook
Call Manager -> Phone2: CallState(OffHook, ln 1, CID 16777333)
Media setup:
Call Manager -> Phone2: OpenRcvChnl(PPID 16778577, CnfrId 0)
Phone2 -> Call Manager: OpenRcvChnlAck(PPID 16778577, IP:10.10.10.20/Port:30198)
Call Manager -> Phone1: OpenRcvChnl(PPID 16778561, CnfrId 0)
Phone1 -> Call Manager: OpenRcvChnlAck(PPID 16778561, IP:10.10.10.10/Port:24038)
Call Manager -> Phone1: StartMediaX(PPID 16778561, IP:10.10.10.20/Port:30198); CallState(Connected, ln 1, CID 16777332)
Call Manager -> Phone2: StartMediaX(PPID 16778577, IP:10.10.10.10/Port:24038); CallState(Connected, ln 1, CID 16777333)
Media (directly between the phones, not through the Call Manager):
RTP/UDP 10.10.10.10/24038 -> 10.10.10.20/30198
RTP/UDP 10.10.10.20/30198 -> 10.10.10.10/24038
Teardown (Phone1 hangs up):
Phone1 -> Call Manager: OnHook
Call Manager -> Phone1: CloseRcvChnl(PPID 16778561, CnfrId 0); StopMediaX(PPID 16778561, CnfrId 0); CallState(OnHook, ln 1, CID 16777332)
Call Manager -> Phone2: CloseRcvChnl(PPID 16778577, CnfrId 0); StopMediaX(PPID 16778577, CnfrId 0); CallState(OnHook, ln 1, CID 16777333)
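The media-setup exchange in Figure 24 is where the ALG learns the RTP addresses it must pinhole: the phone announces its own receive address in OpenReceiveChannelAck, and the Call Manager hands each phone the far end’s address in StartMediaTransmission. The following Python is an added example written for this chapter, not code from the ScreenOS guide or from Cisco. It walks a constructed SCCP TCP byte stream the way the ALG does: it frames messages by the little-endian length field, drops any message ID outside the intervals listed in Tables 5 through 8 below, and extracts the media endpoints. The framing and the two message layouts are the classic Skinny wire format; the byte streams are built inline from the Figure 24 addresses rather than captured, and the function names are this example’s own.

```python
"""Frame an SCCP (Skinny) TCP stream and extract media pinholes.

Added example; not code from the ScreenOS guide or from Cisco. The
header (little-endian data length, header version, message ID) and the
OpenReceiveChannelAck / StartMediaTransmission layouts are the classic
Skinny wire format; the streams below are constructed from Figure 24.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message IDs the security device allows (Tables 5 through 8); others are dropped.
STATION_TO_CM = {0x0001, 0x0002, 0x0020, 0x0022, 0x0029, 0x002A, 0x0031}
CM_TO_STATION = {0x008A, 0x008B, 0x008F, 0x0105, 0x0106, 0x0131, 0x0132, 0x0133, 0x0136}

OPEN_RECEIVE_CHANNEL_ACK = 0x0022   # station -> Call Manager
START_MEDIA_TRANSMISSION = 0x008A   # Call Manager -> station

_HEADER = struct.Struct("<III")     # data length, header version, message ID
_ORCA = struct.Struct("<I4sII")     # status, ip, port, passThruPartyId
_SMT = struct.Struct("<II4sI")      # conferenceId, passThruPartyId, remote ip, remote port


@dataclass
class SccpMessage:
    msg_id: int
    body: bytes


def build(msg_id: int, body: bytes = b"") -> bytes:
    """Frame one message; the length field counts the message ID plus the body."""
    return _HEADER.pack(4 + len(body), 0, msg_id) + body


def parse_stream(data: bytes) -> List[SccpMessage]:
    """Split a TCP byte stream into messages, refusing truncated or absurd frames
    instead of reading past the buffer."""
    msgs, off = [], 0
    while off < len(data):
        if len(data) - off < _HEADER.size:
            raise ValueError("truncated SCCP header")
        length, _version, msg_id = _HEADER.unpack_from(data, off)
        if length < 4:
            raise ValueError("length field shorter than the message ID")
        end = off + 8 + length
        if end > len(data):
            raise ValueError("declared length runs past the buffer")
        msgs.append(SccpMessage(msg_id, data[off + _HEADER.size:end]))
        off = end
    return msgs


def is_wellformed(data: bytes) -> bool:
    """True when parse_stream() accepts the whole stream."""
    try:
        parse_stream(data)
        return True
    except ValueError:
        return False


def is_allowed(msg_id: int, from_station: bool) -> bool:
    """Station-originated IDs are checked against Tables 5 and 7, Call Manager
    IDs against Tables 6 and 8."""
    return msg_id in (STATION_TO_CM if from_station else CM_TO_STATION)


def media_endpoint(msg: SccpMessage) -> Optional[Tuple[str, int, int]]:
    """(ip, port, passThruPartyId) from a media-setup message, else None."""
    if msg.msg_id == OPEN_RECEIVE_CHANNEL_ACK and len(msg.body) >= _ORCA.size:
        _status, ip, port, ppid = _ORCA.unpack_from(msg.body)
        return socket.inet_ntoa(ip), port, ppid
    if msg.msg_id == START_MEDIA_TRANSMISSION and len(msg.body) >= _SMT.size:
        _conf, ppid, ip, port = _SMT.unpack_from(msg.body)
        return socket.inet_ntoa(ip), port, ppid
    return None


def pinholes(data: bytes, from_station: bool) -> List[Tuple[str, int]]:
    """(ip, port) pairs the firewall would open for messages that pass the
    allow-list and carry an RTP address."""
    holes = []
    for msg in parse_stream(data):
        if not is_allowed(msg.msg_id, from_station):
            continue                      # dropped, as the ALG does
        ep = media_endpoint(msg)
        if ep:
            holes.append((ep[0], ep[1]))
    return holes


# Constructed Phone1 -> Call Manager stream: a KeypadButton (0x0003, not in
# Table 5, so dropped) followed by Phone1's OpenReceiveChannelAck from Figure 24.
PHONE1_STREAM = (build(0x0003, struct.pack("<I", 2))
                 + build(OPEN_RECEIVE_CHANNEL_ACK,
                         _ORCA.pack(0, socket.inet_aton("10.10.10.10"), 24038, 16778561)))

# Constructed Call Manager -> Phone1 stream: StartMediaTransmission pointing
# Phone1 at Phone2's receive address from Figure 24.
CM_STREAM = build(START_MEDIA_TRANSMISSION,
                  _SMT.pack(0, 16778561, socket.inet_aton("10.10.10.20"), 30198))

if __name__ == "__main__":
    print("station side:", pinholes(PHONE1_STREAM, from_station=True))
    print("call manager side:", pinholes(CM_STREAM, from_station=False))
```

Run stand-alone it prints one pinhole per direction: 10.10.10.10:24038 from the phone’s acknowledgement and 10.10.10.20:30198 from the Call Manager’s StartMediaTransmission, which together are the two RTP flows shown in Figure 24. Cutting the stream short by a few bytes makes parse_stream() raise rather than read past the buffer, the same failure a malformed-packet attack would try to provoke.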

SCCP Messages

Table 5, Table 6, Table 7, and Table 8 list the SCCP call message IDs in the four intervals allowed by the security device.

Table 5: Station to Call Manager Messages
Message | Range
STATION_REGISTER_MESSAGE | 0x00000001
STATION_IP_PORT_MESSAGE | 0x00000002
STATION_ALARM_MESSAGE | 0x00000020
STATION_OPEN_RECEIVE_CHANNEL_ACK | 0x00000022

Table 6: Call Manager to Station Messages
Message | Range
STATION_START_MEDIA_TRANSMISSION | 0x0000008A
STATION_STOP_MEDIA_TRANSMISSION | 0x0000008B
STATION_CALL_INFO_MESSAGE | 0x0000008F
STATION_OPEN_RECEIVE_CHANNEL | 0x00000105
STATION_CLOSE_RECEIVE_CHANNEL | 0x00000106

Table 7: Call Manager 4.0 and Post-Skinny 6.2 Messages (Station to Call Manager)
Message | Range
STATION_REGISTER_TOKEN_REQ_MESSAGE | 0x00000029
STATION_MEDIA_TRANSMISSION_FAILURE | 0x0000002A
STATION_OPEN_MULTIMEDIA_RECEIVE_CHANNEL_ACK | 0x00000031

Table 8: Call Manager to Station Messages (Call Manager 4.0 and Post-Skinny 6.2)
Message | Range
STATION_OPEN_MULTIMEDIA_RECEIVE_CHANNEL | 0x00000131
STATION_START_MULTIMEDIA_TRANSMISSION | 0x00000132
STATION_STOP_MULTIMEDIA_TRANSMISSION | 0x00000133
STATION_CLOSE_MULTIMEDIA_RECEIVE_CHANNEL | 0x00000136

Examples

This section contains the following sample scenarios:
“Example: Call Manager/TFTP Server in the Trust Zone” on page 88
“Example: Call Manager/TFTP Server in the Untrust Zone” on page 90
“Example: Three-Zone, Call Manager/TFTP Server in the DMZ” on page 92

“Example: Intrazone, Call Manager/TFTP Server in Trust Zone” on page 95
“Example: Intrazone, Call Manager/TFTP Server in Untrust Zone” on page 99
“Example: Full-Mesh VPN for SCCP” on page 101

Example: Call Manager/TFTP Server in the Trust Zone

In this example, phone1 and the Call Manager/TFTP Server are on the ethernet1 interface in the Trust (private) zone, and phone2 is on the ethernet3 interface in the Untrust zone. You put a MIP for the Call Manager/TFTP Server on the ethernet3 interface, so that when phone2 boots up it can contact the TFTP Server and obtain the IP address of the Call Manager. (We recommend that you change the IP address of the Call Manager in the TFTP Server config file (sep<mac_addr>.cnf) to the MIP IP address of the Call Manager.) You then create a policy allowing SCCP traffic from the Untrust to the Trust zone and reference that MIP in the policy. You also create a policy from the Trust to the Untrust zone to allow phone1 to call out.

Figure 25: Call Manager/TFTP Server in the Private Zone
Trust zone (LAN behind ethernet1 10.1.1.1/24): phone1 10.1.1.3, CM/TFTP Server 10.1.1.4.
Untrust zone (Internet behind ethernet3 1.1.1.1/24): phone2 1.1.1.4.
MIP on ethernet3: 1.1.1.2 -> 10.1.1.4 (virtual device standing in for the CM/TFTP Server).

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click OK:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Interface Mode: route
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
Interface Mode: route

2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IP Address/Domain Name: IP/Netmask: (select), 10.1.1.4/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM-TFTP_Server IP Address/Domain Name: IP/Netmask: (select), 10.1.1.3/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IP Address/Domain Name: IP/Netmask: (select), 1.1.1.4/24 Zone: Untrust
3. MIP

Network > Interfaces > Edit (for loopback.3) > MIP > New: Enter the following, then click OK:
Mapped IP: 1.1.1.2 Netmask: 255.255.255.255 Host IP Address: 10.1.1.3 Host Virtual Router Name: trust-vr
4. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select) any Destination Address: Address Book Entry: (select) phone2 Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select) (DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), phone2 Destination Address: Address Book Entry: (select), MIP(1.1.1.2) Service: SCCP

Action: Permit

CLI
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses

set address trust phone1 10.1.1.4/24
set address trust cm-tftp_server 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
3. MIP

set interface ethernet3 mip 1.1.1.2 host 10.1.1.3
4. Policies

set policy from trust to untrust any phone2 sccp nat src permit
set policy from untrust to trust phone2 mip(1.1.1.2) sccp permit
save

NOTE: It is always more secure to specify a service explicitly, as shown in this example configuration, than to use the keyword any.

Example: Call Manager/TFTP Server in the Untrust Zone

In this example, phone1 is on the ethernet1 interface in the Trust zone, and phone2 and the Call Manager/TFTP Server are on the ethernet3 interface in the Untrust zone. After configuring interfaces and addresses, you create a policy from the Trust zone to the Untrust zone. This allows phone1 to register with the Call Manager/TFTP Server in the Untrust zone.

Figure 26: Call Manager/TFTP Server in the Untrust Zone (ethernet1 10.1.1.1/24 in the Trust zone with phone1 10.1.1.3 on the LAN; ethernet3 1.1.1.1/24 in the Untrust zone toward the Internet, phone2 1.1.1.4, and the CM/TFTP Server 1.1.1.3)

WebUI
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust Static IP: (select this option when present) IP Address/Netmask: 10.1.1.1/24 Enter the following, then click OK: Interface Mode: route

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust Static IP: (select this option when present) IP Address/Netmask: 1.1.1.1/24 Interface Mode: route
2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IP Address/Domain Name: IP/Netmask: (select), 10.1.1.3/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IP Address/Domain Name: IP/Netmask: (select), 1.1.1.4/24 Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM/TFTP Server IP Address/Domain Name: IP/Netmask: (select), 1.1.1.3/24 Zone: Untrust
3. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select) phone1 Destination Address: Address Book Entry: (select) any Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:

NAT: Source Translation: (select) (DIP on): None (Use Egress Interface IP)

CLI
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses

set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust cm-tftp_server 1.1.1.3/24
3. Policies

set policy from trust to untrust phone1 any sccp nat src permit
save

NOTE: It is always more secure to specify a service explicitly, as shown in this example configuration, than to use the keyword any.

Example: Three-Zone, Call Manager/TFTP Server in the DMZ

In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet3 interface in the Untrust zone, and the Call Manager/TFTP Server is on the ethernet2 interface in the DMZ. For signaling, you create a policy from the Trust zone to the DMZ to allow phone1 to communicate with the Call Manager/TFTP Server, and you create a policy from the Untrust zone to the DMZ to allow phone2 to communicate with the Call Manager/TFTP Server. For transmission of media, you create a policy from Trust to Untrust to allow phone1 and phone2 to communicate directly. The arrows in Figure 27 show the flow of SCCP signaling traffic when phone2 in the Untrust zone places a call to phone1 in the Trust zone. After the session is initiated, the media flows directly between phone1 and phone2.

Figure 27: Call Manager/TFTP Server in the DMZ (ethernet1 10.1.1.1/24 in the Trust zone with phone1 10.1.1.3 on the LAN; ethernet2 2.2.2.2/24 in the DMZ with the CM/TFTP Server 2.2.2.4; ethernet3 1.1.1.1/24 in the Untrust zone toward the Internet and phone2 1.1.1.4)

WebUI
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.1.1/24 Enter the following, then click OK: Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, then click OK:
Zone Name: DMZ Static IP: (select when this option is present) IP Address/Netmask: 2.2.2.2/24

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust Static IP: (select when this option is present) IP Address/Netmask: 1.1.1.1/24

2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IP Address/Domain Name: IP/Netmask: (select), 10.1.1.3/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IP Address/Domain Name: IP/Netmask: (select), 1.1.1.4/24 Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM-TFTP_Server IP Address/Domain Name: IP/Netmask: (select), 2.2.2.4/24 Zone: DMZ
3. Policies

Policies > (From: Trust, To: DMZ) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), phone1 Destination Address: Address Book Entry: (select), CM-TFTP_Server Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable (DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: DMZ) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), phone2 Destination Address: Address Book Entry: (select), CM-TFTP_Server Service: SCCP Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), phone1 Destination Address: Address Book Entry: (select), phone2

Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable (DIP on): None (Use Egress Interface IP)

CLI
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
set interface ethernet2 zone dmz
set interface ethernet2 ip 2.2.2.2/24
set interface ethernet2 route
2. Addresses

set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address dmz cm-tftp_server 2.2.2.4/24
3. Policies

set policy from trust to dmz phone1 cm-tftp_server sccp nat src permit
set policy from untrust to dmz phone2 cm-tftp_server sccp permit
set policy from trust to untrust phone1 phone2 sccp nat src permit
save

NOTE: It is always more secure to specify a service explicitly, as shown in this example configuration, than to use the keyword any.

Example: Intrazone, Call Manager/TFTP Server in Trust Zone

In this example, phone1 is on the ethernet4 interface in the Untrust zone, phone2 is in a subnet on the ethernet3 interface in the Untrust zone, and the Call Manager/TFTP Server is on the ethernet1 interface in the Trust zone. To allow intrazone SCCP traffic between the two phones in the Untrust zone, you create a loopback interface, add ethernet3 and ethernet4 to a loopback group, then put a MIP on the loopback interface to the IP address of the Call Manager/TFTP Server. Creating a loopback interface enables you to use a single MIP for the Call Manager/TFTP Server in the Trust zone. (For more information about using loopback interfaces, see “MIP and the Loopback Interface” on page 8-73.) And finally, because intrazone blocking is on by default, you unset blocking in the Untrust zone to allow intrazone communication.

Figure 28: Intrazone, Call Manager/TFTP Server in Trust Zone (ethernet1 10.1.1.1/24 in the Trust zone with the CM/TFTP Server 10.1.1.5 on the LAN; ethernet3 1.1.1.1/24 and ethernet4 1.2.1.1/24 in the Untrust zone toward the Internet, with phone2 1.1.1.4 and phone1 1.2.1.4; loopback.1 1.4.1.1/24 carrying the MIP 1.4.1.5 -> 10.1.1.5)

WebUI
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.1.1/24 Enter the following, then click OK: Interface Mode: NAT

Network > Interfaces > Edit (for ethernet4): Enter the following, then click OK:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 1.2.1.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 1.1.1.1/24

Network > Interfaces > New Loopback IF: Enter the following, then click OK:
Interface Name: loopback.1 Zone: Untrust (trust-vr) IP Address/Netmask: 1.4.1.1/24
2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM-TFTP_Server IP Address/Domain Name: IP/Netmask: (select), 10.1.1.5/32 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IP Address/Domain Name: IP/Netmask: (select), 1.2.1.4/32 Zone: Untrust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IP Address/Domain Name: IP/Netmask: (select), 1.1.1.4/32 Zone: Untrust
3. Loopback Group

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
As member of loopback group: (select) loopback.1 Zone Name: Untrust

Network > Interfaces > Edit (for ethernet4): Enter the following, then click OK:
As member of loopback group: (select) loopback.1 Zone Name: Untrust
4. MIP

Network > Interfaces > Edit (for loopback.1) > MIP > New: Enter the following, then click OK:
Mapped IP: 1.4.1.5 Netmask: 255.255.255.255 Host IP Address: 10.1.1.5

Host Virtual Router Name: trust-vr
5. Blocking

Network > Zones > Edit (for Untrust): Enter the following, then click OK:
Block Intra-Zone Traffic: (clear)
6. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), CM-TFTP_Server Destination Address: Address Book Entry: (select), Any Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: Enable (DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), Any Destination Address: Address Book Entry: (select), MIP(1.4.1.5) Service: SCCP Action: Permit

CLI
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
set interface ethernet4 zone untrust
set interface ethernet4 ip 1.2.1.1/24
set interface ethernet4 route
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.4.1.1/24
set interface loopback.1 route
2. Addresses

set address trust cm-tftp_server 10.1.1.5/32
set address untrust phone1 1.2.1.4/32
set address untrust phone2 1.1.1.4/32
3. Loopback Group

set interface ethernet3 loopback-group loopback.1
set interface ethernet4 loopback-group loopback.1

4. MIP

set interface loopback.1 mip 1.4.1.5 host 10.1.1.5
5. Blocking

unset zone untrust block
6. Policies

set policy from trust to untrust cm-tftp_server any sccp nat src permit
set policy from untrust to trust any mip(1.4.1.5) sccp permit
save

NOTE: Although, in this example, you unset blocking in the Untrust zone to allow intrazone communication, you can accomplish the same thing by creating the following policy: set policy from untrust to untrust any any sccp permit. This would allow you to specify the SCCP service and restrict intrazone calls to phone1 and phone2. Note, also, that it is always more secure to specify a service explicitly, as shown in this example configuration, than to use the keyword any.

Example: Intrazone, Call Manager/TFTP Server in Untrust Zone

In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet2 interface in a subnet in the Trust zone, and the Call Manager/TFTP Server is on the ethernet3 interface in the Untrust zone. After configuring interfaces and addresses, you create a policy from Trust to Untrust to allow phone1 and phone2 to register with the Call Manager/TFTP Server in the Untrust zone. Blocking is off by default in the Trust zone (as it is in custom zones you define), so it is not necessary to create a policy from Trust to Trust. However, for greater security, you could optionally turn blocking off and create a policy from Trust to Trust.

Figure 29: Intrazone, Call Manager/TFTP Server in Trust Zone (ethernet1 10.1.1.1/24 and ethernet2 10.1.2.1/24 in the Trust zone with phone1 10.1.1.3 and phone2 10.1.2.2 on the LAN; ethernet3 3.3.3.3/24 in the Untrust zone toward the Internet and the CM/TFTP Server 3.3.3.4)

WebUI
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.1.1/24

Enter the following, then click OK: Interface Mode: route

Network > Interfaces > Edit (for ethernet2): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.2.1/24 Enter the following, then click OK: Interface Mode: route

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 3.3.3.3/24
2. Addresses

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IP Address/Domain Name: IP/Netmask: (select), 10.1.1.3/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IP Address/Domain Name: IP/Netmask: (select), 10.1.2.2/24 Zone: Trust

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM/TFTP Server IP Address/Domain Name: IP/Netmask: (select), 3.3.3.4/24 Zone: Untrust
3. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address: Address Book Entry: (select), Any Destination Address: Address Book Entry: (select), CM/TFTP Server Service: SCCP Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:

NAT: Source Translation: Enable (DIP on): None (Use Egress Interface IP)

CLI
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet3 route
2. Addresses

set address trust phone1 10.1.1.3/24
set address trust phone2 10.1.2.2/24
set address untrust cm-tftp_server 3.3.3.4/24
3. Policies

set policy from trust to untrust any cm-tftp_server sccp nat src permit
save

NOTE: It is always more secure to specify a service explicitly, as shown in this example configuration, than to use the keyword any.

Example: Full-Mesh VPN for SCCP

In this example, the central office and two branch offices are linked by a full-mesh VPN. The Call Manager/TFTP Server is in the Trust zone at the Central Office, phone1 is in the Trust zone at Branch Office One, and phone2 is in the Trust zone at Branch Office Two. Each site has a single security device. On each device, you configure two tunnels, one to each of the other devices, to create a fully meshed network. All interfaces connecting the devices are in their respective Untrust zones.

NOTE: The security devices used in this example must have at least three independently configurable interfaces available.

Figure 30: Full-Mesh VPN for SCCP (Note: The Untrust zone for each device is not shown.) Central Office: CM/TFTP Server 10.1.3.3 in the Trust zone; eth2/8 10.1.3.1 (Trust); eth2/1 1.1.1.1 and eth2/2 1.1.2.1 (Untrust); tunnel.1 6.6.6.6 and tunnel.2 7.7.7.7; gateway router toward branch-1 and branch-2. Branch Office One: phone1 10.1.1.3 in the Trust zone; eth1 10.1.1.1 (Trust); eth3 3.3.3.3 and eth4 4.4.4.4 (Untrust); tunnel.2 and tunnel.3 interface unnumbered; gateway router toward central and the other branch. Branch Office Two: phone2 10.1.2.3 in the Trust zone; eth1 10.1.2.1 (Trust); eth3 2.2.2.2 and eth4 5.5.5.5 (Untrust); tunnel.2 and tunnel.3 interface unnumbered; gateway router toward central and the other branch. VPN 1 links Central and Branch-1, VPN 2 links Central and Branch-2, and VPN 3 links Branch-1 and Branch-2.

NOTE: It is always more secure to explicitly specify a service, as shown in this example configuration, than to use the keyword any.

WebUI (for Central)
1. Interfaces

Network > Interfaces > Edit (for ethernet2/1): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 1.1.1.1/24

Network > Interfaces > Edit (for ethernet2/2): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 1.1.2.1/24

Network > Interfaces > Edit (for ethernet2/8): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.3.1/24 Enter the following, then click OK: Interface mode: route

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 1 Zone (VR): Untrust IP Address / Netmask: 6.6.6.6/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 2 Zone (VR): Untrust IP Address / Netmask: 7.7.7.7/24
2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: CM/TFTP Server IPv4/Netmask: 10.1.3.3/32 Zone: Trust
3. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-branch-1 Security Level: Standard IPv4/v6 Address/Hostname: 3.3.3.3 Preshare Key: netscreen Outgoing Interface: ethernet2/1

VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-branch-1

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to: (select) Tunnel Interface, tunnel.1

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-branch-2 Security Level: Standard IPv4/v6 Address/Hostname: 2.2.2.2 Preshare Key: netscreen Outgoing Interface: ethernet2/2

VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-branch-2

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to: (select) Tunnel Interface, tunnel.2
4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.1.0/24 Interface (select): tunnel.1

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.2.0/24 Interface (select): tunnel.2
5. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address (select) Address Book Entry: CM/TFTP Server Destination Address (select) Address Book Entry: Any-IPv4 Service: SCCP Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:
Source Address (select) Address Book Entry: Any-IPv4 Destination Address (select) Address Book Entry: CM/TFTP Server Service: SCCP Action: Permit

CLI (for Central)
1. Interfaces

set interface ethernet2/1 zone untrust
set interface ethernet2/1 ip 1.1.1.1/24
set interface ethernet2/2 zone untrust
set interface ethernet2/2 ip 1.1.2.1/24
set interface ethernet2/8 zone trust
set interface ethernet2/8 ip 10.1.3.1/24
set interface ethernet2/8 route
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 6.6.6.6/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 7.7.7.7/24
2. Address

set address trust cm-tftp_server 10.1.3.3/32

3. Routing

set route 10.1.1.0/24 interface tunnel.1
set route 10.1.2.0/24 interface tunnel.2
4. VPN

set ike gateway to-branch-1 address 3.3.3.3 main outgoing-interface ethernet2/1 preshare netscreen sec-level standard
set ike gateway to-branch-2 address 2.2.2.2 main outgoing-interface ethernet2/2 preshare netscreen sec-level standard
set vpn vpn-branch-1 gateway to-branch-1 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-1 id 1 bind interface tunnel.1
set vpn vpn-branch-2 gateway to-branch-2 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-2 id 2 bind interface tunnel.2
5. Policies

set policy from trust to untrust cm-tftp_server any sccp permit
set policy from untrust to trust any cm-tftp_server sccp permit
save

WebUI (for Branch Office 1)
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.1.1/24 Enter the following, then click OK: Interface mode: route

Network > Interfaces > Edit (for ethernet3): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 3.3.3.3/24

Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 4.4.4.4/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 2 Zone (VR): Untrust Unnumbered (select) Interface: ethernet3

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 3 Zone (VR): Untrust Unnumbered (select) Interface: ethernet4

2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone1 IPv4/Netmask: 10.1.1.3/32 Zone: V1-Trust
3. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-central Security Level: Standard IPv4/v6 Address/Hostname: 1.1.1.1 Preshare Key: netscreen Outgoing Interface: ethernet3

VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-central

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.2

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-ns50 Security Level: Standard IPv4/v6 Address/Hostname: 5.5.5.5 Preshare Key: netscreen Outgoing Interface: ethernet4

VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-ns50

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.3
4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.3.0/24 Interface (select): tunnel.2

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.2.0/24 Interface (select): tunnel.3

5. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, then click OK:
Source Address (select) Address Book Entry: phone1 Destination Address (select) Address Book Entry: Any-IPv4 Service: SCCP Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:
Source Address (select) Address Book Entry: Any-IPv4 Destination Address (select) Address Book Entry: phone1 Service: SCCP Action: Permit

CLI (for Branch Office 1)
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 4.4.4.4/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4
2. Address

set address trust phone1 10.1.1.3/32
3. VPN

set ike gateway to-central address 1.1.1.1 main outgoing-interface ethernet3 preshare netscreen sec-level standard
set ike gateway to-ns50 address 5.5.5.5 main outgoing-interface ethernet4 preshare netscreen sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 bind interface tunnel.3
4. Routes

set route 10.1.3.0/24 interface tunnel.2
set route 10.1.2.0/24 interface tunnel.3
5. Policies

set policy from trust to untrust phone1 any sccp permit
set policy from untrust to trust any phone1 sccp permit
save


WebUI (for Branch Office 2)
1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone: Trust Static IP: (select when this option is present) IP Address/Netmask: 10.1.2.1/24 Enter the following, then click OK: Interface mode: route

Network > Interfaces > Edit (for ethernet3): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 2.2.2.2/24

Network > Interfaces > Edit (for ethernet4): Enter the following, then click Apply:
Zone: Untrust Static IP: (select when this option is present) IP Address/Netmask: 4.4.4.4/24

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 2 Zone (VR): Untrust Unnumbered (select) Interface: ethernet3

Network > Interfaces > New Tunnel IF: Enter the following, then click Apply:
Tunnel Interface Name: 3 Zone (VR): Untrust Unnumbered (select) Interface: ethernet4
2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: phone2 IPv4/Netmask: 10.1.2.3/32 Zone: Trust
3. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-central Security Level: Standard IPv4/v6 Address/Hostname: 1.1.2.1 Preshare Key: netscreen Outgoing Interface: ethernet3


VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-central

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.2

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: to-ns50 Security Level: Standard IPv4/v6 Address/Hostname: 4.4.4.4 Preshare Key: netscreen Outgoing Interface: ethernet4

VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn-ns50

Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:
Bind to (select): Tunnel Interface, tunnel.3
4. Routing

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.3.0/24 Interface (select): tunnel.2

Network > Routing > Destination > New: Enter the following, then click OK:
Network Address / Netmask: 10.1.1.0/24 Interface (select): tunnel.3
5. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address (select) Address Book Entry: phone2 Destination Address (select) Address Book Entry: Any-IPv4 Service: SCCP Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, then click OK:
Source Address (select) Address Book Entry: Any-IPv4 Destination Address (select) Address Book Entry: phone2 Service: SCCP Action: Permit


CLI (for Branch Office 2)
1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.2.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 4.4.4.4/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4
2. Address

set address trust phone2 10.1.2.3/32
3. VPN

set ike gateway to-central address 1.1.1.1 main outgoing-interface ethernet3 preshare netscreen sec-level standard
set ike gateway to-ns50 address 4.4.4.4 main outgoing-interface ethernet4 preshare netscreen sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral id 4 bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 id 5 bind interface tunnel.3
4. Routes

set route 10.1.3.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.3
5. Policies

set policy from trust to untrust phone2 any sccp permit
set policy from untrust to trust any phone2 sccp permit
save
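A branch-office listing like the one above is typed by hand, and the usual slips are silent: a route pointing at a tunnel interface that was never defined, the local subnet routed into a tunnel, or a policy naming an address-book entry that was never created. ScreenOS accepts some of these and the result is simply traffic that never arrives. The following Python script is an added example, not part of the ScreenOS guide: it parses a 'set' listing, collects what the listing defines, and reports every dangling cross-reference. The listing embedded in SAMPLE is constructed for this example in the shape of a branch-office configuration and is deliberately seeded with four such slips.

```python
"""Added example, not from the ScreenOS guide: a consistency check for a
hand-typed ScreenOS 'set ...' listing.  It collects what the listing defines
(interfaces, address-book entries, IKE gateways, VPNs, tunnel bindings,
routes, policies) and reports every reference to something never defined,
plus a route that sends a directly connected subnet into a tunnel.  The
listing in SAMPLE is constructed for this example and seeded with slips."""
import ipaddress
import shlex


def parse(text):
    """Collect defined objects and cross-references from 'set' commands."""
    cfg = {
        "zones": {},         # interface -> zone
        "subnets": {},       # interface -> directly connected network
        "addresses": set(),  # (zone, address-book name)
        "gateways": {},      # ike gateway -> outgoing interface
        "vpns": {},          # vpn -> ike gateway
        "bindings": {},      # vpn -> tunnel interface it is bound to
        "routes": [],        # (prefix, next-hop interface)
        "policies": [],      # (from zone, to zone, src, dst, service)
    }
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours the quoted names ScreenOS allows
        if len(tok) < 3 or tok[0] != "set":
            continue
        kind = tok[1]
        if kind == "interface" and len(tok) >= 5 and tok[3] == "zone":
            cfg["zones"][tok[2]] = tok[4].lower()
        elif kind == "interface" and len(tok) >= 5 and tok[3] == "ip" and tok[4] != "unnumbered":
            cfg["subnets"][tok[2]] = ipaddress.ip_interface(tok[4]).network
        elif kind == "address" and len(tok) >= 5:
            cfg["addresses"].add((tok[2].lower(), tok[3]))
        elif kind == "ike" and tok[2] == "gateway" and "outgoing-interface" in tok:
            cfg["gateways"][tok[3]] = tok[tok.index("outgoing-interface") + 1]
        elif kind == "vpn" and "bind" in tok and "interface" in tok:
            cfg["bindings"][tok[2]] = tok[tok.index("interface") + 1]
        elif kind == "vpn" and "gateway" in tok:
            cfg["vpns"][tok[2]] = tok[tok.index("gateway") + 1]
        elif kind == "route" and "interface" in tok:
            prefix = ipaddress.ip_network(tok[2], strict=False)
            cfg["routes"].append((prefix, tok[tok.index("interface") + 1]))
        elif kind == "policy" and tok[2] == "from" and len(tok) >= 10:
            # set policy from <zone> to <zone> <src> <dst> <service> <action> ...
            cfg["policies"].append((tok[3].lower(), tok[5].lower(), tok[6], tok[7], tok[8]))
    return cfg


def check(cfg):
    """Return human-readable findings; an empty list means the listing is consistent."""
    findings = []
    ifaces = cfg["zones"]
    tunnels = {i for i in ifaces if i.startswith("tunnel.")}
    bound = set(cfg["bindings"].values())
    for gw, iface in cfg["gateways"].items():
        if iface not in ifaces:
            findings.append(f"ike gateway {gw}: outgoing-interface {iface} is not defined")
    for vpn, gw in cfg["vpns"].items():
        if gw not in cfg["gateways"]:
            findings.append(f"vpn {vpn}: ike gateway {gw} is not defined")
    for vpn, iface in cfg["bindings"].items():
        if iface not in tunnels:
            findings.append(f"vpn {vpn}: bound to undefined tunnel interface {iface}")
    for prefix, iface in cfg["routes"]:
        if iface not in ifaces:
            findings.append(f"route {prefix}: interface {iface} is not defined")
            continue
        if iface in tunnels and iface not in bound:
            findings.append(f"route {prefix}: no VPN is bound to {iface}")
        for local_if, net in cfg["subnets"].items():
            if iface in tunnels and prefix == net:
                findings.append(f"route {prefix}: directly connected to {local_if}, must not point into {iface}")
    for frm, to, src, dst, _service in cfg["policies"]:
        for zone, name in ((frm, src), (to, dst)):
            if name.lower() in ("any", "any-ipv4"):
                continue
            if (zone, name) not in cfg["addresses"]:
                findings.append(f"policy {frm}->{to}: address {name} is not defined in zone {zone}")
    return findings


# Constructed sample: same shape as a branch-office listing, with deliberate slips
# (route to undefined tunnel.1, local 10.1.2.0/24 routed into a tunnel, policies
# naming phone2 while only phone1 is defined).
SAMPLE = """\
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.2.1/24
set interface ethernet3 zone untrust
set interface ethernet4 zone untrust
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4
set address trust phone1 10.1.2.3/32
set ike gateway to-central address 1.1.1.1 Main outgoing-interface ethernet3 preshare netscreen sec-level standard
set ike gateway to-ns50 address 4.4.4.4 Main outgoing-interface ethernet4 preshare netscreen sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral id 4 bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 id 5 bind interface tunnel.3
set route 10.1.3.0/24 interface tunnel.1
set route 10.1.2.0/24 interface tunnel.3
set policy from trust to untrust phone2 any sccp permit
set policy from untrust to trust any phone2 sccp permit
"""

if __name__ == "__main__":
    for finding in check(parse(SAMPLE)):
        print(finding)
```

Run against SAMPLE the script reports four findings: the route to tunnel.1, the local subnet routed into tunnel.3, and both policies that reference the undefined phone2 entry. Correcting those four lines and re-running returns an empty list. The check is deliberately limited to the command forms used in this chapter; it is a sanity check for a listing before it is pasted into a device, not a replacement for `get config` on the device itself.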

Chapter 5

Apple iChat Application Layer Gateway
This chapter describes the Apple iChat application and provides examples for configuring the AppleiChat Application Layer Gateway (ALG) on a Juniper Networks security device. It contains the following sections: “Overview” on page 111 “Configuring the AppleiChat ALG” on page 112 “Configuration Examples” on page 113

Overview
Apple iChat is an Instant Messaging (IM) application that lets you chat with other iChat, Mac, or AOL Instant Messenger (AIM) users over the Internet using text, audio, or video. ScreenOS currently supports iChat applications up to version 3.15. The iChat application uses standard ports to send data to its servers and clients. The AppleiChat ALG supports iChat by opening pinholes on the Juniper Networks security device only for the ports a call actually negotiates, thereby allowing text, audio, and video calls to pass through the security device. Without the AppleiChat ALG, these ports are blocked and would have to be opened manually with static policies, which leaves them open all the time and exposes the network to attack on those ports. Table 9 shows the standard ports iChat uses for various services.
Table 9: Standard iChat Service Ports

Port Number    Service Name                                                              Protocol   Used For
5190           AOL                                                                       TCP        iChat and AOL Instant Messenger, file transfer
5678           SNATMAP server                                                            UDP        Determining the external Internet addresses of hosts
5060           Session Initiation Protocol (SIP)                                         UDP/TCP    Initiating audio/video (AV) chat invitations
16384-16403    Real-Time Transport Protocol (RTP) / Real-Time Control Protocol (RTCP)    UDP        iChat audio RTP/RTCP and video RTP/RTCP


For a list of well-known ports, see http://docs.info.apple.com/article.html?artnum=106439. For information about running iChat in NAT mode, see http://docs.info.apple.com/article.html?artnum=93208.

The iChat service uses the AOL and SIP protocols for its audio/video operations. It uses the AIM protocol to connect to servers. SIP is used for setting up audio/video sessions between IM clients after they successfully negotiate ports. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port. The SIP ALG creates pinholes for audio/video sessions. During iChat operation, the security device creates separate sessions for AOL and SIP.

The number of iChat sessions that the security device can handle is limited to the maximum number of Network Address Translation (NAT) cookies available for that particular security device. You can view the maximum number of NAT cookies available for a particular device using the following CLI command:

get nat cookie

NOTE: The NAT cookies available for a security device are shared with other ALGs, such as the H.323 and P2P ALGs.

Configuring the AppleiChat ALG

You configure the AppleiChat ALG with the WebUI or the CLI.

WebUI

Security > ALG > Apple iChat: Select the following, then click Apply:
AppleiChat Enable: (select)

CLI

set alg appleichat enable

When you enable the AppleiChat ALG, the security device opens pinholes for the configured call-answer-time to establish the iChat audio/video session. The call-answer-time is the duration for which the security device keeps the pinholes open for establishing an iChat audio/video session. When this timer expires, the device closes the pinholes. The default value of call-answer-time is 32 seconds, and the configurable range is 20 to 90 seconds.

NOTE: The ALG does not open all ports when you enable the AppleiChat ALG on the security device. It opens pinholes only for the ports that are exchanged in iChat signaling messages.
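The two properties above are what separate an ALG pinhole from a static "open UDP 16384-16403" policy: the pinhole exists only for the ports and peers named in the signaling, and only for call-answer-time seconds unless media actually starts. The following Python model is an added example, not code from the ScreenOS guide or from Juniper. It extracts media ports from the SDP carried in a SIP offer/answer, opens pinholes towards each side for the ports that side announced, expires them after call-answer-time, and turns a pinhole into an ordinary session the moment its first packet arrives. The SDP text, the addresses and the clock values are constructed for the example; refusing ports outside the Table 9 range is this example's own policy, not behaviour the guide attributes to the ALG.

```python
"""Added example, not from the ScreenOS guide: a simplified model of ALG
pinholes.  Media ports come only from the SDP 'm=' lines exchanged in the SIP
signaling, each pinhole is scoped to the two peers and lives for
call-answer-time seconds, and a pinhole that sees its first packet becomes an
ordinary session.  The SDP text, addresses and clock values are constructed for
this example; refusing ports outside Table 9's 16384-16403 range is this
example's own policy, not behaviour the guide attributes to the ALG."""
import re
from dataclasses import dataclass

RTP_RANGE = range(16384, 16404)   # Table 9: iChat audio/video RTP/RTCP ports
DEFAULT_CALL_ANSWER_TIME = 32     # seconds; ScreenOS default, configurable 20..90


@dataclass(frozen=True)
class Pinhole:
    src_ip: str     # peer allowed to send
    dst_ip: str     # host that announced the port
    dst_port: int
    expires_at: float


def media_ports(sdp):
    """RTP ports from 'm=audio/video' lines, each with its RTCP port (RTP + 1)."""
    ports = []
    for m in re.finditer(r"^m=(?:audio|video) (\d+) RTP/AVP", sdp, re.MULTILINE):
        rtp = int(m.group(1))
        ports.extend((rtp, rtp + 1))
    return ports


def connection_address(sdp):
    """Address from the session-level 'c=' line."""
    m = re.search(r"^c=IN IP4 (\S+)", sdp, re.MULTILINE)
    if not m:
        raise ValueError("SDP has no c= line")
    return m.group(1)


class Alg:
    def __init__(self, call_answer_time=DEFAULT_CALL_ANSWER_TIME):
        if not 20 <= call_answer_time <= 90:
            raise ValueError("call-answer-time must be 20..90 seconds")
        self.call_answer_time = call_answer_time
        self.pinholes = set()
        self.sessions = set()   # (src_ip, dst_ip, dst_port) with media flowing
        self.rejected = []      # (host, port) announced outside RTP_RANGE

    def on_invite(self, offer_sdp, answer_sdp, now):
        """Open pinholes towards each side for the ports that side announced."""
        offerer, answerer = connection_address(offer_sdp), connection_address(answer_sdp)
        for host, peer, sdp in ((offerer, answerer, offer_sdp), (answerer, offerer, answer_sdp)):
            for port in media_ports(sdp):
                if port not in RTP_RANGE:
                    self.rejected.append((host, port))
                    continue
                self.pinholes.add(Pinhole(peer, host, port, now + self.call_answer_time))

    def expire(self, now):
        """Close every pinhole whose call-answer-time has elapsed."""
        self.pinholes = {p for p in self.pinholes if p.expires_at > now}

    def permits(self, src_ip, dst_ip, dst_port, now):
        """Decide one inbound media packet; a matched pinhole turns into a session."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.sessions:
            return True
        self.expire(now)
        for p in self.pinholes:
            if (p.src_ip, p.dst_ip, p.dst_port) == key:
                self.pinholes.discard(p)
                self.sessions.add(key)
                return True
        return False


# Constructed SDP: UserA (private side) offers, UserB (public side) answers.
OFFER_SDP = "v=0\nc=IN IP4 10.1.1.10\nm=audio 16386 RTP/AVP 0\nm=video 16402 RTP/AVP 126\n"
ANSWER_SDP = "v=0\nc=IN IP4 203.0.113.7\nm=audio 16384 RTP/AVP 0\nm=video 5004 RTP/AVP 126\n"


def demo(call_answer_time=30):
    """Walk one call through the model and return what the ALG decided."""
    alg = Alg(call_answer_time)
    alg.on_invite(OFFER_SDP, ANSWER_SDP, now=0.0)
    return {
        "media_before_timeout": alg.permits("203.0.113.7", "10.1.1.10", 16386, now=5.0),
        "unsignaled_port": alg.permits("203.0.113.7", "10.1.1.10", 16390, now=5.0),
        "wrong_peer": alg.permits("198.51.100.9", "10.1.1.10", 16402, now=5.0),
        "video_after_timeout": alg.permits("203.0.113.7", "10.1.1.10", 16402, now=31.0),
        "audio_session_survives": alg.permits("203.0.113.7", "10.1.1.10", 16386, now=31.0),
        "rejected": sorted(alg.rejected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a 30-second call-answer-time, audio from the signaled peer on the signaled port is accepted and becomes a session that outlives the timer, while a packet to an unsignaled port, a packet from a different source address, and video that only starts after the timer has expired are all dropped. The model omits what a real ALG also does (tracking the SIP dialog itself, rewriting SDP addresses for NAT, and tearing sessions down on BYE), but it shows why the pinhole window and the signaled-ports-only rule matter for exposure.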

To configure a call-answer-time of 30 seconds:

WebUI

Security > ALG > AppleiChat: Enter the following, then click Apply:
Call-Answer-Time: 30

CLI

set alg appleichat call-answer-time 30

The iChat application fragments the packets it sends to the receiver based on the maximum segment size (MSS) of the receiver. The MSS is the maximum amount of data, in bytes, that a device can receive as a single unfragmented frame; its value depends on the network configuration of the receiver. The fragmented packets are reassembled at the ALG so that address translation can be applied to the complete payload. By default, the reassembly option is disabled. You can enable reassembly with the WebUI or the CLI.

WebUI

Security > ALG > AppleiChat: Select the following, then click Apply:
Re-Assembly Enable: (select)

CLI

set alg appleichat reassembly enable

Configuration Examples

This section includes the following configuration scenarios:
One iChat user on a private network, another iChat user on a public network, and an iChat server on a public network
An intrazone call between two iChat users within a private network
Users across different firewalls

Scenario 1: Private–Public Network

In Figure 31, one iChat user is on a private network, another iChat user is on a public network, and the iChat server is on a public network. There is a NAT between the private and the public network.

Figure 31: AppleiChat Scenario 1—Users on Public and Private Networks (Trust zone: iChat UserA; Juniper Networks security device performing NAT; Untrust zone: iChat UserB and the iChat Server)

NOTE: Because the administrator does not know the iChat server's IP address details initially, we recommend entering ANY in the destination address field of the policy. Each step below therefore shows the ANY policy first and the narrower iChatserver_IP_range policy as the alternative to use once the server addresses are known.

WebUI

1. Configuration for Logging into the Server in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

2. Configuration for File Transfer from iChat UserA to iChat UserB in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

3. Configuration for Making Audio/Video Calls from iChat UserA in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), iChat UserB
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

4. Configuration for Making Audio/Video Calls from iChat UserA in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), iChat UserB
Service: (select) AppleiChat
Action: Permit

5. Configuration for Making Audio/Video Calls from iChat UserB in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), iChat UserB
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

6. Configuration for Making Audio/Video Calls from iChat UserB in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), iChat UserB
Service: (select) AppleiChat
Action: Permit

CLI

1. Configuration for Logging into the Server in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit

NOTE: The policies for Route and Transparent mode are the same except that they omit the "nat src" option.

2. Configuration for File Transfer from iChat UserA to iChat UserB in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserB" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat nat src permit

3. Configuration for Making Audio/Video Calls from iChat UserA in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserA" "ichatUserB" apple-ichat nat src permit

4. Configuration for Making Audio/Video Calls from iChat UserA in Route Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat permit
set policy from trust to untrust "ichatUserA" "ichatUserB" apple-ichat permit

5. Configuration for Making Audio/Video Calls from iChat UserB in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserA" "ichatUserB" apple-ichat nat src permit

6. Configuration for Making Audio/Video Calls from iChat UserB in Route Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat permit
set policy from trust to untrust "ichatUserA" "ichatUserB" apple-ichat permit

Scenario 2: Intrazone Call Within Private Network

In the example shown in Figure 32, iChat UserA and iChat UserB are in the same network and behind a firewall. The iChat server is in a public network. There is a NAT between the private and the public networks.

Figure 32: AppleiChat Scenario 2—Intrazone Call Within a Private Network (Trust zone: iChat UserA and iChat UserB; Juniper Networks security device performing NAT; Untrust zone: iChat Server)

WebUI

1. Configuring iChat UserA to Log In to the iChat Server in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

2. Configuration for File Transfer from iChat UserA to iChat UserB

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

3. Configuration for Making Audio/Video Calls from iChat UserA in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

4. Configuration for Making Audio/Video Calls from iChat UserA in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), iChatserver_IP_range
Service: (select) AppleiChat
Action: Permit

5. Configuration for Making Audio/Video Calls from iChat UserB in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), iChatserver_IP_range
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

6. Configuration for Making Audio/Video Calls from iChat UserB in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), iChatserver_IP_range
Service: (select) AppleiChat
Action: Permit

CLI

1. Configuring iChat UserA to Log In to the iChat Server in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit

2. Configuration for File Transfer Between UserA and UserB

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserB" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat nat src permit

3. Configuration for Making Audio/Video Calls from iChat UserA in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit

4. Configuration for Making Audio/Video Calls from iChat UserA in Route Mode

set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat permit

5. Configuration for Making Audio/Video Calls from iChat UserB in NAT Mode

set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat nat src permit

6. Configuration for Making Audio/Video Calls from iChat UserB in Route Mode

set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat permit

Scenario 3: Users Across Different Networks

In Figure 33, iChat UserA is on a private network, and iChat UserB and UserC are on another private network. The iChat server is on a public network. There is NAT between each private network and the public network.

Figure 33: AppleiChat Scenario 3—Users Across Different Networks (Device A, performing NAT, with iChat UserA in its Trust zone; Device B, performing NAT, with iChat UserB and iChat UserC in its Trust zone; iChat Server in the Untrust zone)

WebUI

1. Configuration on Firewall 1 for Login from iChat UserA in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

2. Configuration on Firewall 1 for File Transfer from iChat UserA to iChat UserB in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

3. Configuration on Firewall 1 for Making Audio/Video Calls from iChat UserA in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ichatUserB_public
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

4. Configuration on Firewall 1 for Making Audio/Video Calls from iChat UserA in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserA
Destination Address Address Book Entry: (select), ichatUserB_public
Service: (select) AppleiChat
Action: Permit

5. Configuration on Firewall 2 for Making Audio/Video Calls from iChat UserB in NAT Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ichatUserA_public
Service: (select) AppleiChat
Action: Permit
> Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:
NAT: Source Translation: (select)
(DIP on): (select)

6. Configuration on Firewall 2 for Making Audio/Video Calls from iChat UserB in Route Mode

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ANY
Service: (select) AppleiChat
Action: Permit

or the same policy with Destination Address Address Book Entry: (select), iChatserver_IP_range

Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Source Address Address Book Entry: (select), iChat UserB
Destination Address Address Book Entry: (select), ichatUserA_public
Service: (select) AppleiChat
Action: Permit

CLI

1. Configuration on Firewall 1 for Login from iChat UserA in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit

2. Configuration on Firewall 1 for File Transfer from iChat UserA to iChat UserB in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit

3. Configuration on Firewall 1 for Making Audio/Video Calls from iChat UserA in NAT Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserA" "ichatUserB_public" apple-ichat nat src permit

4. Configuration on Firewall 1 for Making Audio/Video Calls from iChat UserA in Route Mode

set policy from trust to untrust "ichatUserA" "ANY" apple-ichat permit
or
set policy from trust to untrust "ichatUserA" "iChatserver_IP_range" apple-ichat permit
set policy from trust to untrust "ichatUserA" "ichatUserB_public" apple-ichat permit

5. Configuration on Firewall 2 for Making Audio/Video Calls from iChat UserB in NAT Mode

set policy from trust to untrust "ichatUserB" "ANY" apple-ichat nat src permit
or
set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat nat src permit
set policy from trust to untrust "ichatUserB" "ichatUserA_public" apple-ichat nat src permit

6. Configuration on Firewall 2 for Making Audio/Video Calls from iChat UserB in Route Mode

set policy from trust to untrust "ichatUserB" "ANY" apple-ichat permit
or
set policy from trust to untrust "ichatUserB" "iChatserver_IP_range" apple-ichat permit
set policy from trust to untrust "ichatUserB" "ichatUserA_public" apple-ichat permit

