Have you ever wondered how to allow traffic from a provider's PBX to your PBX without creating an additional firewall policy that covers the dynamic port range used by the RTP stream?
Well, here is where SIP ALG comes into play. SIP ALG recognizes SIP signalling traffic, reads the media ports negotiated in the SDP, and opens a pinhole in the firewall that allows the RTP stream between the two PBXs for the duration of the session/call. When SIP ALG is used, no additional firewall policy for the RTP stream is needed.
This kind of setup will work only if both PBXs support RFC 3581 (symmetric response routing, the "rport" parameter).
On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command "show security alg status".
In this example an additional IP address, 18.104.22.168, was provided by the ISP, and it is assigned a static NAT mapping to the internal IP address 192.168.1.100. IP address 22.214.171.124 will be used for SIP and RTP traffic.
[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 126.96.36.199/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32
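The static NAT rule set above is only one part of the setup. As an added example (not from the original post), here is a complete set of Junos commands that puts the pieces together: the static NAT rule set from the post, a proxy-ARP entry so the SRX answers for the additional public address on the untrust interface, a security policy that permits only SIP signalling from the provider's trunk to the internal PBX (the ALG then opens the RTP pinholes itself), and the show commands used to verify the ALG and the calls it is tracking. The interface name ge-0/0/0.0, the zone names, the address-book names and the provider trunk address 203.0.113.10 are assumptions chosen for the example; replace them with your own values.

```junos
## Static NAT: map the additional public address to the internal PBX (as in the post)
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 126.96.36.199/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32

## Proxy ARP: the SRX must answer ARP for the additional address on the untrust interface
## (ge-0/0/0.0 is an assumed interface name)
set security nat proxy-arp interface ge-0/0/0.0 address 126.96.36.199/32

## Address book entries (names and the provider trunk address 203.0.113.10 are assumed)
set security address-book global address pbx-internal 192.168.1.100/32
set security address-book global address provider-sip-trunk 203.0.113.10/32

## Security policy: permit only SIP signalling from the provider trunk to the internal PBX.
## Destination is the post-NAT (internal) address. No RTP policy is needed: the SIP ALG
## opens the media pinholes per call and closes them when the call ends.
set security policies from-zone untrust to-zone trust policy allow-sip-from-provider match source-address provider-sip-trunk
set security policies from-zone untrust to-zone trust policy allow-sip-from-provider match destination-address pbx-internal
set security policies from-zone untrust to-zone trust policy allow-sip-from-provider match application junos-sip
set security policies from-zone untrust to-zone trust policy allow-sip-from-provider then permit

## Make sure the SIP ALG has not been disabled (it is enabled by default on SRX)
delete security alg sip disable
commit

## Verification (operational mode)
run show security alg status
run show security alg sip calls
run show security flow session application sip
```

Restricting the policy's source address to the provider's trunk rather than "any" keeps the SIP signalling reachable only from the peer that is actually expected to set up calls; the RTP pinholes the ALG creates are likewise tied to the addresses and ports negotiated in that signalling, so the dynamic port range never has to be opened statically. "show security alg sip calls" lists the calls the ALG is currently tracking, and "show security flow session application sip" shows the corresponding sessions, which is the quickest way to confirm the ALG is inspecting the traffic instead of the policy simply passing it.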