HiSecEngine USG12000 Typical Configuration Examples

CLI: Example for Configuring SIP ALG

Networking Requirements

As shown in Figure 14-3, a SIP server is deployed on the enterprise intranet. When going online, each SIP client needs to send a register message to the SIP server. The register messages are carried through SIP.

DeviceA is deployed between the SIP clients and SIP server to encrypt SIP messages and implement NAT ALG.

Figure 14-3 Networking diagram for configuring SIP over TLS ALG

In this example, interface 1 and interface 2 represent 10GE1/0/1 and 10GE1/0/2, respectively.

Item        Data                     Description
10GE1/0/1   IP address: 10.2.0.1     This interface is connected to the server and resides on the same network segment as the server.
            Security zone: Trust
10GE1/0/2   IP address: 1.1.1.1      This interface is connected to the clients and resides on the same network segment as the clients.
            Security zone: Untrust
SIP server  10.2.0.2/24              Deploy the server in the DMZ.

Configuration Roadmap

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.
  2. Configure a security policy for communication between SIP clients and the SIP server.
  3. Configure destination NAT so that the intranet SIP server can provide services externally (public address: 1.1.1.10).
  4. Configure ALG to properly forward SIP messages.

Procedure

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.

    <HUAWEI> system-view
    [HUAWEI] sysname DeviceA
    [DeviceA] interface 10ge 1/0/1
    [DeviceA-10GE1/0/1] undo portswitch
    [DeviceA-10GE1/0/1] ip address 10.2.0.1 24
    [DeviceA-10GE1/0/1] quit
    [DeviceA] interface 10ge 1/0/2
    [DeviceA-10GE1/0/2] undo portswitch
    [DeviceA-10GE1/0/2] ip address 1.1.1.1 24
    [DeviceA-10GE1/0/2] quit
    [DeviceA] firewall zone trust
    [DeviceA-zone-trust] add interface 10ge 1/0/1
    [DeviceA-zone-trust] quit
    [DeviceA] firewall zone untrust
    [DeviceA-zone-untrust] add interface 10ge 1/0/2
    [DeviceA-zone-untrust] quit

  2. Configure a security policy to allow SIP clients to send messages to the SIP server.

    [DeviceA] security-policy
    [DeviceA-policy-security] rule name policy_sec1
    [DeviceA-policy-security-rule-policy_sec1] source-zone untrust
    [DeviceA-policy-security-rule-policy_sec1] destination-zone trust
    [DeviceA-policy-security-rule-policy_sec1] source-address 1.1.1.0 24
    [DeviceA-policy-security-rule-policy_sec1] destination-address 10.2.0.2 32
    [DeviceA-policy-security-rule-policy_sec1] service sip
    [DeviceA-policy-security-rule-policy_sec1] action permit
    [DeviceA-policy-security-rule-policy_sec1] quit

  3. Configure destination NAT so that the intranet SIP server can provide services externally (public address: 1.1.1.10).

    [DeviceA] nat-policy
    [DeviceA-policy-nat] rule name policy_nat1
    [DeviceA-policy-nat-rule-policy_nat1] source-zone untrust
    [DeviceA-policy-nat-rule-policy_nat1] destination-zone trust
    [DeviceA-policy-nat-rule-policy_nat1] service sip
    [DeviceA-policy-nat-rule-policy_nat1] destination-address 1.1.1.10 32
    [DeviceA-policy-nat-rule-policy_nat1] action destination-nat static address-to-address address 10.2.0.2 5060
    [DeviceA-policy-nat-rule-policy_nat1] quit
    [DeviceA-policy-nat] quit

  4. Configure ALG to properly forward SIP messages.

    [DeviceA] firewall interzone trust untrust
    [DeviceA-interzone-trust-untrust] detect sip
    [DeviceA-interzone-trust-untrust] quit

Verification

  • Client A and Client B register successfully on the server.

  • Run the display firewall session table command on DeviceA to check the session table.
    <DeviceA> display firewall session table
    Current Total Sessions : 2
     sip VPN:public --> public 1.1.1.2:2107+ ->1.1.1.10:5060[10.2.0.2:5060]
     sip VPN:public --> public 1.1.1.3:4936+ ->1.1.1.10:5060[10.2.0.2:5060]
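The session table above is where a misconfigured destination NAT or a missing SIP ALG first shows up, so it is worth checking mechanically. The following script is an added example, not part of the Huawei document: it parses lines in the format shown by display firewall session table and flags any SIP session to the public address whose post-NAT destination (the bracketed address) is not the intranet server. The sample output is constructed from the two session lines in this example; the helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, mirroring the "display firewall session table" output above.
SAMPLE_OUTPUT = """\
Current Total Sessions : 2
 sip VPN:public --> public 1.1.1.2:2107+ ->1.1.1.10:5060[10.2.0.2:5060]
 sip VPN:public --> public 1.1.1.3:4936+ ->1.1.1.10:5060[10.2.0.2:5060]
"""

# One session line: proto, VPN instances, source, destination and the optional
# bracketed post-NAT destination written by destination NAT.
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+:\d+)\+?\s*->\s*(?P<dst>[\d.]+:\d+)"
    r"(?:\[(?P<xlate>[\d.]+:\d+)\])?\s*$"
)
TOTAL_RE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")

@dataclass
class Session:
    proto: str
    src: str
    dst: str
    xlate: Optional[str]  # post-NAT destination; None when no translation was applied

def total_sessions(text: str) -> Optional[int]:
    """Return the session count reported in the header line, if present."""
    m = TOTAL_RE.search(text)
    return int(m.group(1)) if m else None

def parse_session_table(text: str) -> List[Session]:
    """Parse every session line; header and unrelated lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(m["proto"], m["src"], m["dst"], m["xlate"]))
    return sessions

def check_sip_dnat(sessions: List[Session],
                   public: str = "1.1.1.10:5060",
                   private: str = "10.2.0.2:5060") -> List[Session]:
    """Return SIP sessions to the public VIP that were not translated to the intranet server."""
    return [s for s in sessions
            if s.proto == "sip" and s.dst == public and s.xlate != private]
```

An empty result from check_sip_dnat confirms that policy_nat1 is translating SIP traffic for 1.1.1.10 to the server; a session without a bracketed address means the NAT rule did not match it.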

Configuration Scripts

The following is the configuration script for this example.

#
 sysname DeviceA
#
interface 10GE1/0/1
 ip address 10.2.0.1 255.255.255.0
#
interface 10GE1/0/2
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface 10GE1/0/1
#
firewall zone untrust
 set priority 5
 add interface 10GE1/0/2
#
firewall interzone trust untrust
 detect sip
#
security-policy
 rule name policy_sec1
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 mask 255.255.255.0
  destination-address 10.2.0.2 mask 255.255.255.255
  service sip
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone untrust
  destination-zone trust
  destination-address 1.1.1.10 mask 255.255.255.255
  service sip
  action destination-nat static address-to-address address 10.2.0.2 5060
#
return
Update Date: 2024-08-27
Document ID: EDOC1100396797