Copyright © 2010, Juniper Networks, Inc.

37. Create a Global DIP to reference the DIP pool on each device. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the DIP pool for an individual device, enabling you to use one object (the Global DIP object) to represent multiple DIP pools in a single rule.
In the navigation tree, select Object Manager > NAT Objects > DIP.
Click the Add icon to display the new Global DIP dialog box. Configure the Global DIP and then click OK:
38. Configure two firewall rules, one of which uses the Global DIP object for NAT translation.

Related Documentation
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) on page 68
Interface Network Address Translation Using DIPs on page 67

Enabling Managed Devices Using Incoming DIP
Use an incoming DIP to enable the managed device to handle incoming Session Initiation
Protocol (SIP) calls. SIP is an Internet Engineering Task Force (IETF)-standard protocol
for initiating, modifying, and terminating multimedia sessions (such as conferencing,
telephony, or multimedia) over the Internet. SIP is used to distribute the session
description, to negotiate and modify the parameters of an existing session, and to
terminate a multimedia session.
NOTE: SIP is a predefined service that uses port 5060 as the destination
port. To specify the SIP service in the Service column of a firewall rule, you
must select the predefined service group VoIP, which includes the H.323 and
SIP service objects.
To use SIP, a caller must register with the registrar before SIP proxies and location servers
can identify where the caller wants to be contacted. A caller can register one or more
contact locations by sending a REGISTER message to the registrar. The REGISTER
message contains the address-of-record URI and one or more contact URIs. When the
registrar receives the message, it creates bindings in a location service that associate
the address-of-record with the contact addresses.
The security device monitors outgoing REGISTER messages from SIP users, performs
NAT on these addresses, and stores the information in an incoming DIP table. When the
device receives an INVITE message from the external network, it uses the incoming DIP
table to identify which internal host to route the INVITE message to.
To enable the device to perform NAT on incoming SIP calls, you must configure an
interface DIP or DIP pool on the egress interface of the device. A single interface DIP is
adequate for handling incoming calls in a small office; a DIP pool is recommended for
larger networks or an enterprise environment.
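The incoming DIP table behavior described above, as an added illustration (not from the Juniper manual and not ScreenOS code): a simplified Python model that rewrites Contact addresses in outgoing REGISTER messages, records the bindings, and resolves incoming INVITE messages to an internal host. The class name, the one-port-per-contact allocation, and the sample addresses are assumptions.

```python
import re

# Matches a Contact header carrying a sip: URI with an IPv4 host and optional port.
CONTACT_RE = re.compile(r"^(Contact:\s*<sip:[^@>]+@)([\d.]+)(?::(\d+))?(>)", re.M | re.I)
# Matches the request line of an INVITE addressed to an IPv4 host and optional port.
INVITE_RE = re.compile(r"^INVITE sip:[^@\s]+@([\d.]+)(?::(\d+))? SIP/2\.0")

class IncomingDipTable:
    """Simplified model: public (DIP address, port) <-> internal contact bindings."""

    def __init__(self, dip_ip, ports):
        self.dip_ip = dip_ip
        self.free_ports = list(ports)   # assumption: one DIP port per contact
        self.to_internal = {}           # (dip_ip, dip_port) -> (host_ip, host_port)
        self.to_public = {}             # reverse index: re-REGISTER reuses its binding

    def _bind(self, internal):
        if internal not in self.to_public:
            if not self.free_ports:
                raise RuntimeError("DIP pool exhausted")
            public = (self.dip_ip, self.free_ports.pop(0))
            self.to_public[internal] = public
            self.to_internal[public] = internal
        return self.to_public[internal]

    def nat_register(self, msg):
        """Rewrite every Contact in an outgoing REGISTER and record the binding."""
        def rewrite(m):
            ip, port = self._bind((m.group(2), int(m.group(3) or 5060)))
            return f"{m.group(1)}{ip}:{port}{m.group(4)}"
        return CONTACT_RE.sub(rewrite, msg)

    def route_invite(self, msg):
        """Return the internal (ip, port) for an incoming INVITE, or None if unbound."""
        m = INVITE_RE.match(msg)
        if not m:
            return None
        return self.to_internal.get((m.group(1), int(m.group(2) or 5060)))

# Constructed sample messages (documentation address ranges, not from the manual).
REGISTER = ("REGISTER sip:registrar.example.com SIP/2.0\r\n"
            "To: <sip:alice@example.com>\r\n"
            "Contact: <sip:alice@10.1.1.5:5060>\r\n"
            "Contact: <sip:alice@10.1.1.6>\r\n\r\n")
INVITE = "INVITE sip:alice@203.0.113.10:40001 SIP/2.0\r\n\r\n"

table = IncomingDipTable("203.0.113.10", range(40000, 40010))
translated = table.nat_register(REGISTER)
```

An INVITE addressed to a DIP address and port with no recorded binding returns None, which is the case where the device has no internal host to forward the call to.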
Chapter 3: Network Settings
73