Permit SIP traffic through Juniper SRX with the help of SIP ALG

Have you ever wondered how to allow traffic from the provider's PBX to your PBX without creating an additional firewall policy with dynamic port ranges for the RTP stream?

Well, this is where SIP ALG comes into play. SIP ALG recognizes SIP traffic and opens a pinhole in the firewall to allow the RTP stream from one PBX to the other for the duration of the session (call). There is no need for an additional firewall policy for the RTP stream if SIP ALG is used.

This kind of setup will only work if both PBXes support RFC 3581 (symmetric response routing).

On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command "show security alg status".

[Figure: SIP ALG status output]

In this example an additional IP address, 1.1.1.100, was provided by the ISP and is mapped with static NAT to the internal address 192.168.1.100. The address 1.1.1.100 will be used for both SIP and RTP traffic.

[Figure: SIP firewall diagram]

[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.100/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32
[edit security]
set zones security-zone trust address-book address LocalPBX 192.168.1.100/32
set zones security-zone untrust address-book address ProviderPBX 2.2.2.200/32
[edit security policies from-zone untrust to-zone trust]
set policy PBX-Access-SIP match source-address ProviderPBX destination-address LocalPBX application junos-sip
set policy PBX-Access-SIP then permit
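Before committing a snippet like the one above it is worth checking that the static NAT, proxy-arp, address-book and policy pieces actually refer to the same host; the following is an added example (not Juniper's code, nor from the original post) that folds the `[edit ...]` banners into each `set` line and reports any mismatch. The names `parse_set_config`, `check_sip_alg_setup` and `PAGE_CONFIG` are chosen here, and the check only accepts a policy whose application is explicitly junos-sip.

```python
def parse_set_config(text):
    # Fold each "[edit ...]" banner into the set lines that follow it.
    stmts, ctx = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[edit"):
            ctx = line[5:-1].split()
        elif line.startswith("set "):
            stmts.append(ctx + line.split()[1:])
    return stmts

def check_sip_alg_setup(text):
    # Returns a list of problems; an empty list means the pieces agree.
    public, private, proxy_arp, book, sip_targets = {}, {}, set(), {}, set()
    for s in parse_set_config(text):
        if s[:3] == ["security", "nat", "static"] and "destination-address" in s:
            public[tuple(s[3:7])] = s[s.index("destination-address") + 1]  # rule-set X rule Y
        elif s[:3] == ["security", "nat", "static"] and "static-nat" in s:
            private[tuple(s[3:7])] = s[s.index("prefix") + 1]
        elif s[:3] == ["security", "nat", "proxy-arp"]:
            proxy_arp.add(s[s.index("address") + 1])
        elif "address-book" in s:
            book[s[s.index("address-book") + 2]] = s[-1]  # name -> prefix
        elif "policies" in s and s[-2:] == ["application", "junos-sip"]:
            sip_targets.add(s[s.index("destination-address") + 1])
    problems = []
    for rule, pub in public.items():
        label = " ".join(rule)
        if pub not in proxy_arp:
            problems.append(f"{label}: no proxy-arp for {pub}")
        priv = private.get(rule)
        names = [n for n, p in book.items() if p == priv]
        if not names:
            problems.append(f"{label}: private side {priv} not in any address book")
        elif not any(n in sip_targets for n in names):
            problems.append(f"{label}: no junos-sip policy reaches {priv}")
    return problems

# Constructed input: the configuration from this page.
PAGE_CONFIG = """\
[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.100/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32
[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32
[edit security]
set zones security-zone trust address-book address LocalPBX 192.168.1.100/32
set zones security-zone untrust address-book address ProviderPBX 2.2.2.200/32
[edit security policies from-zone untrust to-zone trust]
set policy PBX-Access-SIP match source-address ProviderPBX destination-address LocalPBX application junos-sip
set policy PBX-Access-SIP then permit
"""
```

Running `check_sip_alg_setup(PAGE_CONFIG)` on the page's configuration returns an empty list; dropping the proxy-arp line or the LocalPBX address-book entry produces a one-line report naming the static NAT rule.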