
Mailing List Archive: nsp: juniper

ScreenOS and VoIP and NAT



ivannetw at gmail

Nov 12, 2009, 9:38 PM

Post #1 of 8 (2074 views)
ScreenOS and VoIP and NAT

Hey,

I have a query on NAT interaction for VoIP protocols. I'll attempt
some ascii art....

                               10.0.0.0/8
                192.168.1.0/30
Internal subnet
Internal LAN<------------------------------->Netscreen<----------------------------------->Cisco<------------------------->Partner LAN
         |                                          |
         |                                          |
SIP & Phones                                   SIP & Phones

Now the inter-agency subnet of 192.168.1.0/30 is used for link
addressing and there is agreement to use other private addressing for
services, such as VoIP... For example the subnet 192.168.100.0/24 is
used by the Netscreen and 192.168.200.0/24 for the Cisco. So on the
Cisco side they hide the SIP and RTP VoIP traffic behind a single
address of 192.168.200.100 and I need to do the same on the Netscreen
and hide the traffic behind a single IP 192.168.100.100.

I can do a MIP for the SIP proxy, as it is a one-to-one correlation,
but how do I hide multiple IPs behind a single IP that isn't in the
Netscreen interface subnet?

Is there a way to do an ANY to a single IP that is not in the egress
interface range?


thanks
Ivan
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


ivannetw at gmail

Nov 15, 2009, 2:38 PM

Post #2 of 8 (2030 views)
Re: ScreenOS and VoIP and NAT [In reply to]

No responses, so I'm guessing it's not feasible, or there are no ScreenOS ninjas around?

From this I see you can configure a one-to-one MIP that isn't in the
interface IP subnet, but I want to NAT "any" source address on a
particular flow to a single IP that isn't in the egress interface
subnet.


"Before ScreenOS 6.1, MIPs could be in a different network from the
interface’s IP only on an interface in the Untrust zone. (This is an
important caveat, but it is the only caveat regarding MIPs.) You can
configure a MIP that is in the same network with its interface on any
interface in any zone. MIPs are most often used on the Untrust zone.
If you need to perform destination translation to an IP that is not in
the same network as the ingress interface, use a policy NAT-DST
translation KB11910 - [Inbound direction] How to configure Destination
Network Address Translation (NAT-Dst) in combination with a DIP if the
reverse connection is desired as well: KB11901 - [Outbound direction]
How to configure Source Network Address Translation (NAT-src) and
source Port Address Translation (PAT)."

http://kb.juniper.net/KB12835

On Fri, Nov 13, 2009 at 4:38 PM, Ivan c <ivannetw [at] gmail> wrote:
> Hey,
>
> I have a query on NAT interaction for VoIP protocols. I'll attempt
> some ascii art....
>
>                                10.0.0.0/8
>                 192.168.1.0/30
> Internal subnet
> Internal LAN<------------------------------->Netscreen<----------------------------------->Cisco<------------------------->Partner
> LAN
>          |
>
>                                                    |
>          |
>
>                                                    |
> SIP & Phones
>
>                                SIP & Phones
>
> Now the inter-agency subnet of 192.168.1.0/30 is used for link
> addressing and there is agreement to use other private addressing for
> services, such as VoIP... For example the subnet 192.168.100.0/24 is
> used by the Netscreen and 192.168.200.0/24 for the Cisco. So on the
> Cisco side they hide the SIP and RTP VoIP traffic behind a single
> address of 192.168.200.100 and I need to do the same on the Netscreen
> and hide the traffic behind a single IP 192.168.100.100.
>
> I can do a MIP for the SIP proxy, as it is a one to one correlation,
> but how do I hide multiple IPs behind a single IP that isn't in the
> Netscreen interface subnet?
>
> Is there a way to do an ANY to a single IP that is not in the egress
> interface range?
>
>
> thanks
> Ivan
>


ivannetw at gmail

Nov 22, 2009, 9:14 PM

Post #3 of 8 (1979 views)
Re: ScreenOS and VoIP and NAT [In reply to]

hi Tony, thanks for replying.

The problem I have is that we use an Alcatel VoIP system and every
handset needs to talk directly rather than being proxied....

So I have a SIP server and the VoIP handsets on my side and a partner
has a SIP server and handsets on their side. The "Recipe 8.2. Configure Hide
NAT with VoIP" in the ScreenOS cookbook works fine for trust to
untrust, but the problem I have is the partner-initiated voice
traffic.

The interface DIP won't work as it doesn't know what to NAT the
incoming traffic to.....

thanks for any help
Ivan

On Tue, Nov 17, 2009 at 5:33 PM, Tony Frank <tony.frank [at] ericsson> wrote:
> Hi Ivan,
>
>> Is there a way to do an ANY to a single IP that is not in the egress interface range?
>
> Have you looked at extended interface DIP?
> See "Using DIP in a Different Subnet" in C&E volume 2, ScreenOS 6.1.0 and probably later as well.
>
> You could also look at using a loopback interface and applying the MIP/DIP there.
>
> Regards,
> Tony
>


ivannetw at gmail

Nov 22, 2009, 9:24 PM

Post #4 of 8 (1983 views)
Re: ScreenOS and VoIP and NAT [In reply to]

I am open to any ideas on how to treat the VoIP traffic that is
initiated from the untrust side......

So from trust to untrust I set the DIP

set int e0/1 dip interface-ip incoming

then the ruleset

set policy from Trust to Untrust any any SIP nat permit

The recipe has the untrust to trust as

set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit

Not sure how the Netscreen knows what to NAT the incoming traffic
for... The cookbook states

"You can see the two flows for outbound and inbound calls, with the
second row being an inbound call. Notice that although hide NAT was
configured (all phones hide behind the same IP of 1.1.1.100) the
firewall translates to the correct internal phone, in this case
192.168.1.1."

On Mon, Nov 23, 2009 at 4:14 PM, Ivan c <ivannetw [at] gmail> wrote:
> hi Tony, thanks for replying.
>
> The problem I have is that we use an Alcatel VoIP system and every
> handset needs to talk directly rather than being proxied....
>
> So I have a SIP server and the VoIP handsets on my side and a partner
> has a SIP server and handsets on their side. The "Recipe 8.2. Configure Hide
> NAT with VoIP" in the ScreenOS cookbook works fine for trust to
> untrust, but the problem I have is the partner-initiated voice
> traffic.
>
> The interface DIP won't work as it doesn't know what to NAT the
> incoming traffic to.....
>
> thanks for any help
> Ivan
>
> On Tue, Nov 17, 2009 at 5:33 PM, Tony Frank <tony.frank [at] ericsson> wrote:
>> Hi Ivan,
>>
>>> Is there a way to do an ANY to a single IP that is not in the egress interface range?
>>
>> Have you looked at extended interface DIP?
>> See "Using DIP in a Different Subnet" in C&E volume 2, ScreenOS 6.1.0 and probably later as well.
>>
>> You could also look at using a loopback interface and applying the MIP/DIP there.
>>
>> Regards,
>> Tony
>>
>


tony.frank at ericsson

Nov 22, 2009, 9:51 PM

Post #5 of 8 (1974 views)
Re: ScreenOS and VoIP and NAT [In reply to]

Personally I've mainly worked in the server-to-server scenario; handsets are usually hidden behind an SBG or a proxy.

Are you using the SIP ALG?
In that case the Netscreen will open a 'pinhole' for incoming RTP based on inspection of the SIP messages passing through.
SIP messages will be modified in flight with NAT to map the internal IP to the interface IP and vice-versa.

The main concern in that case will be SIP traffic initiated from remote side, coming to a single interface IP and knowing which handset to forward to.

Are incoming calls handset to SIP server, or direct handset to handset?
Do you actually talk SIP handset to handset, or just RTP handset to handset?


-----Original Message-----
From: Ivan c [mailto:ivannetw [at] gmail]
Sent: Monday, 23 November 2009 16:25
To: Tony Frank; juniper-nsp [at] puck
Subject: Re: [j-nsp] ScreenOS and VoIP and NAT

I am open to any ideas on how to treat the VoIP traffic that is initiated from the untrust side......

So from trust to untrust I set the DIP

set int e0/1 dip interface-ip incoming

then the ruleset

set policy from Trust to Untrust any any SIP nat permit

The recipe has the untrust to trust as

set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit

Not sure how the Netscreen knows what to NAT the incoming traffic for... The cookbook states

"You can see the two flows for outbound and inbound calls, with the second row being an inbound call. Notice that although hide NAT was configured (all phones hide behind the same IP of 1.1.1.100) the firewall translates to the correct internal phone, in this case 192.168.1.1."

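A toy model, added here in Python, of the SIP ALG behaviour Tony describes (SIP and SDP rewritten in flight so the phones hide behind one address, and an RTP pinhole opened from the SDP) and of the inbound-call problem Ivan reports. It is not ScreenOS code or anything from the cookbook; it assumes a constructed internal phone 10.1.1.10 (SIP user 1001), the thread's hide address 192.168.100.100 and partner address 192.168.200.100, and the simplifying rule that the ALG learns which internal phone a user is only from outbound traffic.

```python
import re

# Toy hide-NAT SIP ALG (constructed, not ScreenOS code). Phones hide behind
# 192.168.100.100, the partner behind 192.168.200.100; phone 10.1.1.10 is made up.
HIDE_IP = "192.168.100.100"

class ToySipAlg:
    def __init__(self, hide_ip):
        self.hide_ip = hide_ip
        self.bindings = {}     # SIP user -> internal phone IP, learned from outbound SIP
        self.pinholes = set()  # ((hide_ip, port), (internal_ip, port)) opened for RTP

    def outbound(self, msg):
        """Trust->Untrust SIP: learn user->IP from From:, open an RTP pinhole from
        the SDP m= line, and rewrite the private IP to the hide IP everywhere."""
        user, ip = re.search(r"^From:.*<sip:([^@>]+)@([\d.]+)", msg, re.M).groups()
        c_ip = re.search(r"^c=IN IP4 ([\d.]+)", msg, re.M).group(1)
        port = int(re.search(r"^m=audio (\d+)", msg, re.M).group(1))
        self.bindings[user] = ip
        self.pinholes.add(((self.hide_ip, port), (c_ip, port)))
        return msg.replace(ip, self.hide_ip).replace(c_ip, self.hide_ip)

    def inbound(self, msg):
        """Untrust->Trust INVITE to the hide IP: without a binding for the called
        user the ALG has no internal destination (compare 'out <N/A>') -> None."""
        user, ip = re.match(r"INVITE sip:([^@]+)@([\d.]+)", msg).groups()
        if ip != self.hide_ip or user not in self.bindings:
            return None
        return msg.replace(f"sip:{user}@{ip}", f"sip:{user}@{self.bindings[user]}")


# Constructed sample messages, reduced to the headers the model inspects.
OUTBOUND_INVITE = (
    "INVITE sip:2001@192.168.200.100 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.10:5060\r\n"
    "From: <sip:1001@10.1.1.10>\r\n"
    "Contact: <sip:1001@10.1.1.10>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.1.1.10\r\nm=audio 16384 RTP/AVP 0\r\n"
)
INBOUND_INVITE = "INVITE sip:1001@192.168.100.100 SIP/2.0\r\nFrom: <sip:2001@192.168.200.100>\r\n"

def demo():
    """Returns (inbound before any outbound call, rewritten outbound, inbound after, pinholes)."""
    alg = ToySipAlg(HIDE_IP)
    cold = alg.inbound(INBOUND_INVITE)   # partner calls first: no binding -> None
    nat_out = alg.outbound(OUTBOUND_INVITE)
    warm = alg.inbound(INBOUND_INVITE)   # now the ALG knows user 1001 is 10.1.1.10
    return cold, nat_out, warm, sorted(alg.pinholes)
```

The first inbound INVITE fails for the same reason Ivan sees: one shared address and no state that says which handset it is for.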


ivannetw at gmail

Nov 22, 2009, 10:35 PM

Post #6 of 8 (1979 views)
Re: ScreenOS and VoIP and NAT [In reply to]

It is all direct: the Alcatel Omni handles the SIP, and then hands off
to the phones, which talk direct RTP....

I am using the SIP ALG, and have set it up per the cookbook recipe....
But I still can't understand how the firewall would know how to NAT
the incoming traffic, first to the SIP server and then to each
handset....

The debug error for the SIP transaction is

flow_first_inline_vector: in <ethernet3/4>, out <N/A>

The trust to untrust SIP dip works fine.... But the incoming SIP/RTP
traffic is the issue......

On Mon, Nov 23, 2009 at 4:51 PM, Tony Frank <tony.frank [at] ericsson> wrote:
> Personally I've mainly worked in the server-to-server scenario; handsets are usually hidden behind an SBG or a proxy.
>
> Are you using the SIP ALG?
> In that case the Netscreen will open a 'pinhole' for incoming RTP based on inspection of the SIP messages passing through.
> SIP messages will be modified in flight with NAT to map the internal IP to the interface IP and vice-versa.
>
> The main concern in that case will be SIP traffic initiated from remote side, coming to a single interface IP and knowing which handset to forward to.
>
> Are incoming calls handset to SIP server, or direct handset to handset?
> Do you actually talk SIP handset to handset, or just RTP handset to handset?
>
>
> -----Original Message-----
> From: Ivan c [mailto:ivannetw [at] gmail]
> Sent: Monday, 23 November 2009 16:25
> To: Tony Frank; juniper-nsp [at] puck
> Subject: Re: [j-nsp] ScreenOS and VoIP and NAT
>
> I am open to any ideas on how to treat the VoIP traffic that is initiated from the untrust side......
>
> So from trust to untrust I set the DIP
>
> set int e0/1 dip interface-ip incoming
>
> then the ruleset
>
> set policy from Trust to Untrust any any SIP nat permit
>
> The recipe has the untrust to trust as
>
> set policy from Untrust to Trust any DIP(ethernet0/0) SIP permit
>
> Not sure how the Netscreen knows what to NAT the incoming traffic for... The cookbook states
>
> "You can see the two flows for outbound and inbound calls, with the second row being an inbound call. Notice that although hide NAT was configured (all phones hide behind the same IP of 1.1.1.100) the firewall translates to the correct internal phone, in this case 192.168.1.1."
>
>


tony.frank at ericsson

Nov 23, 2009, 2:51 PM

Post #7 of 8 (1966 views)
Re: ScreenOS and VoIP and NAT [In reply to]

Hi Ivan,

> it is all direct, the alcatel omni handles the SIP, and then hands off to the phones, which talk direct RTP....
> But I still can't understand how the firewall would know how to NAT the incoming traffic, first to the SIP server and then to each handset....

Have you read through the description for SIP with NAT, incoming calls covered on page 26?

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v6.pdf

The examples from page 33 onwards do seem to describe your scenario, unless I am missing something obvious?

Regards,
Tony


ivannetw at gmail

Nov 23, 2009, 4:33 PM

Post #8 of 8 (1958 views)
Re: ScreenOS and VoIP and NAT [In reply to]

Thanks Tony, I have read those examples. In the example, the phone on one
side is a SIP client/server and on the other side there is a SIP proxy
and handset.

My scenario is different as I have an Alcatel Omni box which talks SIP
to the remote Cisco Call Manager, and then hands off the RTP stream to
the handset, which talks direct.

When I initiate a call to the remote end the recipes from the
cookbook work, but when the remote end initiates a call it's a no-go. I can
see it in the SIP trace: the Netscreen sees the SIP, but it does not
know what to NAT the incoming stream to...

I think the issue is that I am trying to use the Netscreen as an SBC or
proxy-type device, which obviously it isn't designed for.

On Tue, Nov 24, 2009 at 9:51 AM, Tony Frank <tony.frank [at] ericsson> wrote:
> Hi Ivan,
>
>> it is all direct, the alcatel omni handles the SIP, and then hands off to the phones, which talk direct RTP....
>> But I still can't understand how the firewall would know how to NAT the incoming traffic, first to the SIP server and then to each handset....
>
> Have you read through the description for SIP with NAT, incoming calls covered on page 26?
>
> http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v6.pdf
>
> The examples from page 33 onwards do seem to describe your scenario, unless I am missing something obvious?
>
> Regards,
> Tony
