In a previous post I described how SIP ALG can be of benefit on Juniper SRX firewalls. In some cases, however, where phone clients do not support RFC 3581 and SIP ALG is enabled, the SRX firewall will drop their traffic. When SIP ALG is enabled it is applied globally; basically it is either on or off for the whole firewall.
In this example the private PBX is located in the LAN A subnet and the phone clients are located in the LAN B subnet. SIP ALG is enabled on the SRX firewall and it is used for the communication between the provider PBX and the private PBX.
For the communication between the phone clients and the private PBX, SIP ALG is disabled within the firewall policy by matching a custom application whose term carries `alg ignore`. Because SRX policies are evaluated top-down with first match, these two policies must be placed above any broader policy that would otherwise match the same traffic. Note that the custom application below matches all UDP between the two address objects; adding `destination-port 5060` to the term narrows the ALG bypass to SIP only.
[edit applications]
set application DisableSIP_ALG term t1 alg ignore
set application DisableSIP_ALG term t1 protocol udp
[edit security]
set zones security-zone LAN-A address-book address PrivatePBX 192.168.1.100/32
set zones security-zone LAN-B address-book address LAN-B-NET 172.30.1.0/24
[edit security policies from-zone LAN-A to-zone LAN-B]
set policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set policy PBX-to-LAN-B-DisableSIPALG match destination-address LAN-B-NET
set policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set policy PBX-to-LAN-B-DisableSIPALG then permit
[edit security policies from-zone LAN-B to-zone LAN-A]
set policy LAN-B-to-PBX-DisableSIPALG match source-address LAN-B-NET
set policy LAN-B-to-PBX-DisableSIPALG match destination-address PrivatePBX
set policy LAN-B-to-PBX-DisableSIPALG match application DisableSIP_ALG
set policy LAN-B-to-PBX-DisableSIPALG then permit
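An added verification sequence, not part of the original post, for confirming that the bypass is actually in effect after commit; the `user@srx>` prompt is a placeholder, the policy name and prefixes are the ones from the configuration above:

```junos
user@srx> show security alg status
user@srx> show security policies policy-name LAN-B-to-PBX-DisableSIPALG detail
user@srx> show security flow session source-prefix 172.30.1.0/24 destination-prefix 192.168.1.100/32
user@srx> show security alg sip calls
```

The first command should still report the SIP ALG as enabled globally, the policy detail should list DisableSIP_ALG as the matched application, and the phone-to-PBX sessions should carry no SIP ALG resource information, while calls on the provider PBX leg remain visible in the last command.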