Description:


For Juniper SRX series firewalls there are two steps to take. First, disable the SIP ALG. Then, since the Juniper won't automatically NAT properly, add our IPs to a trusted list.

Step By Step:


SIP ALG

To disable SIP ALG, run these commands:
# edit
# set security alg sip disable
# commit

Run this command to confirm that the change took effect:
# run show security alg status

You should see this:
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Disabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

To set up our IPs, we need this config:

[edit security address-book]
+   EXT_AB {
+       address SIP_1 54.148.70.218/32;
+       address SIP_2 54.148.57.6/32;
+       address SIP_3 52.11.88.63/32;
+       address SIP_4 54.149.90.30/32;
+       attach {
+           zone untrust;
+       }
+   }
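Review bot: SIP_1 through SIP_4 are defined one by one in EXT_AB and then listed one by one again in the policy's source-address. Grouping them in an address-set inside EXT_AB would let the policy reference a single name and keep any later change to the provider's IPs in one place.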
[edit security]
+   alg {
+       sip disable;
+   }
[edit security policies from-zone untrust to-zone trust]
+     policy Audian_SIP_Permit {
+         description Phones;
+         match {
+             source-address [ SIP_1 SIP_2 SIP_3 SIP_4 ];
+             destination-address any;
+             application [ Audian_SIP5060_5082 Audian_SIP11000 Audian_SIP_RTP16384_32768 ];
+         }
+         ## Warning: missing mandatory statement(s): 'then'
+     }
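Review bot: the policy Audian_SIP_Permit has no then clause, which is what the "## Warning: missing mandatory statement(s): 'then'" line after the match block is reporting, so the commit check will fail until an action is set; add "then { permit; }" after the match block. Separately, "destination-address any" lets the four SIP source addresses reach every host in the trust zone on the listed UDP ranges; replacing it with an address-book entry that covers only the phones would keep the untrust-to-trust exposure to what the phones need.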
[edit]
+  applications {
+      application Audian_SIP5060_5082 {
+          protocol udp;
+          destination-port 5060-5082;
+      }
+      application Audian_SIP11000 {
+          protocol udp;
+          destination-port 11000;
+      }
+      application Audian_SIP_RTP16384_32768 {
+          protocol udp;
+          destination-port 16384-32768;
+      }
+  }