
Configuring a Juniper router to work with 3CX

According to the 3CX recommendations, for the PBX to work fully behind NAT a number of ports have to be forwarded. These ports are:

  • TCP and UDP 5060 - SIP
  • TCP 5090 - tunnel
  • UDP 9000-9049 - transport (media)
  • The same recommendations say that SIP ALG must be disabled.

Link to the recommendations: http://www.3cx.com/blog/voip-howto/firewall-configuration-overview/

For the SRX series of routers, I did it like this:

It is assumed that the PBX is located in the trust zone. JunOS version 11.4R7.5, model SRX 220.

Disable SIP ALG:

set security alg sip disable

Configure the NAT itself:

set security nat destination pool 3cx_5060 address [localPBXip]/32
set security nat destination pool 3cx_5060 address port 5060
set security nat destination pool 3cx_5090 address [localPBXip]/32
set security nat destination pool 3cx_5090 address port 5090
set security nat destination pool 3cx_9000 address [localPBXip]/32
set security nat destination pool 3cx_9000 address port 9000
set security nat destination pool 3cx_9001 address [localPBXip]/32
set security nat destination pool 3cx_9001 address port 9001
set security nat destination pool 3cx_9002 address [localPBXip]/32
set security nat destination pool 3cx_9002 address port 9002
set security nat destination pool 3cx_9003 address [localPBXip]/32
set security nat destination pool 3cx_9003 address port 9003
set security nat destination pool 3cx_9004 address [localPBXip]/32
set security nat destination pool 3cx_9004 address port 9004
set security nat destination pool 3cx_9005 address [localPBXip]/32
set security nat destination pool 3cx_9005 address port 9005
set security nat destination pool 3cx_9006 address [localPBXip]/32
set security nat destination pool 3cx_9006 address port 9006
set security nat destination pool 3cx_9007 address [localPBXip]/32
set security nat destination pool 3cx_9007 address port 9007
set security nat destination pool 3cx_9008 address [localPBXip]/32
set security nat destination pool 3cx_9008 address port 9008
set security nat destination pool 3cx_9009 address [localPBXip]/32
set security nat destination pool 3cx_9009 address port 9009
set security nat destination pool 3cx_9010 address [localPBXip]/32
set security nat destination pool 3cx_9010 address port 9010
set security nat destination pool 3cx_9011 address [localPBXip]/32
set security nat destination pool 3cx_9011 address port 9011
set security nat destination pool 3cx_9012 address [localPBXip]/32
set security nat destination pool 3cx_9012 address port 9012
set security nat destination pool 3cx_9013 address [localPBXip]/32
set security nat destination pool 3cx_9013 address port 9013
set security nat destination pool 3cx_9014 address [localPBXip]/32
set security nat destination pool 3cx_9014 address port 9014
set security nat destination pool 3cx_9015 address [localPBXip]/32
set security nat destination pool 3cx_9015 address port 9015
set security nat destination pool 3cx_9016 address [localPBXip]/32
set security nat destination pool 3cx_9016 address port 9016
set security nat destination pool 3cx_9017 address [localPBXip]/32
set security nat destination pool 3cx_9017 address port 9017
set security nat destination pool 3cx_9018 address [localPBXip]/32
set security nat destination pool 3cx_9018 address port 9018
set security nat destination pool 3cx_9019 address [localPBXip]/32
set security nat destination pool 3cx_9019 address port 9019
set security nat destination pool 3cx_9020 address [localPBXip]/32
set security nat destination pool 3cx_9020 address port 9020
set security nat destination pool 3cx_9021 address [localPBXip]/32
set security nat destination pool 3cx_9021 address port 9021
set security nat destination pool 3cx_9022 address [localPBXip]/32
set security nat destination pool 3cx_9022 address port 9022
set security nat destination pool 3cx_9023 address [localPBXip]/32
set security nat destination pool 3cx_9023 address port 9023
set security nat destination pool 3cx_9024 address [localPBXip]/32
set security nat destination pool 3cx_9024 address port 9024
set security nat destination pool 3cx_9025 address [localPBXip]/32
set security nat destination pool 3cx_9025 address port 9025
set security nat destination pool 3cx_9026 address [localPBXip]/32
set security nat destination pool 3cx_9026 address port 9026
set security nat destination pool 3cx_9027 address [localPBXip]/32
set security nat destination pool 3cx_9027 address port 9027
set security nat destination pool 3cx_9028 address [localPBXip]/32
set security nat destination pool 3cx_9028 address port 9028
set security nat destination pool 3cx_9029 address [localPBXip]/32
set security nat destination pool 3cx_9029 address port 9029
set security nat destination pool 3cx_9030 address [localPBXip]/32
set security nat destination pool 3cx_9030 address port 9030
set security nat destination pool 3cx_9031 address [localPBXip]/32
set security nat destination pool 3cx_9031 address port 9031
set security nat destination pool 3cx_9032 address [localPBXip]/32
set security nat destination pool 3cx_9032 address port 9032
set security nat destination pool 3cx_9033 address [localPBXip]/32
set security nat destination pool 3cx_9033 address port 9033
set security nat destination pool 3cx_9034 address [localPBXip]/32
set security nat destination pool 3cx_9034 address port 9034
set security nat destination pool 3cx_9035 address [localPBXip]/32
set security nat destination pool 3cx_9035 address port 9035
set security nat destination pool 3cx_9036 address [localPBXip]/32
set security nat destination pool 3cx_9036 address port 9036
set security nat destination pool 3cx_9037 address [localPBXip]/32
set security nat destination pool 3cx_9037 address port 9037
set security nat destination pool 3cx_9038 address [localPBXip]/32
set security nat destination pool 3cx_9038 address port 9038
set security nat destination pool 3cx_9039 address [localPBXip]/32
set security nat destination pool 3cx_9039 address port 9039
set security nat destination pool 3cx_9040 address [localPBXip]/32
set security nat destination pool 3cx_9040 address port 9040
set security nat destination pool 3cx_9041 address [localPBXip]/32
set security nat destination pool 3cx_9041 address port 9041
set security nat destination pool 3cx_9042 address [localPBXip]/32
set security nat destination pool 3cx_9042 address port 9042
set security nat destination pool 3cx_9043 address [localPBXip]/32
set security nat destination pool 3cx_9043 address port 9043
set security nat destination pool 3cx_9044 address [localPBXip]/32
set security nat destination pool 3cx_9044 address port 9044
set security nat destination pool 3cx_9045 address [localPBXip]/32
set security nat destination pool 3cx_9045 address port 9045
set security nat destination pool 3cx_9046 address [localPBXip]/32
set security nat destination pool 3cx_9046 address port 9046
set security nat destination pool 3cx_9047 address [localPBXip]/32
set security nat destination pool 3cx_9047 address port 9047
set security nat destination pool 3cx_9048 address [localPBXip]/32
set security nat destination pool 3cx_9048 address port 9048
set security nat destination pool 3cx_9049 address [localPBXip]/32
set security nat destination pool 3cx_9049 address port 9049
set security nat destination rule-set NAT from zone untrust
set security nat destination rule-set NAT rule 3cx_5060 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_5060 match destination-port 5060
set security nat destination rule-set NAT rule 3cx_5060 then destination-nat pool 3cx_5060
set security nat destination rule-set NAT rule 3cx_5090 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_5090 match destination-port 5090
set security nat destination rule-set NAT rule 3cx_5090 then destination-nat pool 3cx_5090
set security nat destination rule-set NAT rule 3cx_9000 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9000 match destination-port 9000
set security nat destination rule-set NAT rule 3cx_9000 then destination-nat pool 3cx_9000
set security nat destination rule-set NAT rule 3cx_9001 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9001 match destination-port 9001
set security nat destination rule-set NAT rule 3cx_9001 then destination-nat pool 3cx_9001
set security nat destination rule-set NAT rule 3cx_9002 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9002 match destination-port 9002
set security nat destination rule-set NAT rule 3cx_9002 then destination-nat pool 3cx_9002
set security nat destination rule-set NAT rule 3cx_9003 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9003 match destination-port 9003
set security nat destination rule-set NAT rule 3cx_9003 then destination-nat pool 3cx_9003
set security nat destination rule-set NAT rule 3cx_9004 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9004 match destination-port 9004
set security nat destination rule-set NAT rule 3cx_9004 then destination-nat pool 3cx_9004
set security nat destination rule-set NAT rule 3cx_9005 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9005 match destination-port 9005
set security nat destination rule-set NAT rule 3cx_9005 then destination-nat pool 3cx_9005
set security nat destination rule-set NAT rule 3cx_9006 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9006 match destination-port 9006
set security nat destination rule-set NAT rule 3cx_9006 then destination-nat pool 3cx_9006
set security nat destination rule-set NAT rule 3cx_9007 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9007 match destination-port 9007
set security nat destination rule-set NAT rule 3cx_9007 then destination-nat pool 3cx_9007
set security nat destination rule-set NAT rule 3cx_9008 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9008 match destination-port 9008
set security nat destination rule-set NAT rule 3cx_9008 then destination-nat pool 3cx_9008
set security nat destination rule-set NAT rule 3cx_9009 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9009 match destination-port 9009
set security nat destination rule-set NAT rule 3cx_9009 then destination-nat pool 3cx_9009
set security nat destination rule-set NAT rule 3cx_9010 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9010 match destination-port 9010
set security nat destination rule-set NAT rule 3cx_9010 then destination-nat pool 3cx_9010
set security nat destination rule-set NAT rule 3cx_9011 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9011 match destination-port 9011
set security nat destination rule-set NAT rule 3cx_9011 then destination-nat pool 3cx_9011
set security nat destination rule-set NAT rule 3cx_9012 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9012 match destination-port 9012
set security nat destination rule-set NAT rule 3cx_9012 then destination-nat pool 3cx_9012
set security nat destination rule-set NAT rule 3cx_9013 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9013 match destination-port 9013
set security nat destination rule-set NAT rule 3cx_9013 then destination-nat pool 3cx_9013
set security nat destination rule-set NAT rule 3cx_9014 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9014 match destination-port 9014
set security nat destination rule-set NAT rule 3cx_9014 then destination-nat pool 3cx_9014
set security nat destination rule-set NAT rule 3cx_9015 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9015 match destination-port 9015
set security nat destination rule-set NAT rule 3cx_9015 then destination-nat pool 3cx_9015
set security nat destination rule-set NAT rule 3cx_9016 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9016 match destination-port 9016
set security nat destination rule-set NAT rule 3cx_9016 then destination-nat pool 3cx_9016
set security nat destination rule-set NAT rule 3cx_9017 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9017 match destination-port 9017
set security nat destination rule-set NAT rule 3cx_9017 then destination-nat pool 3cx_9017
set security nat destination rule-set NAT rule 3cx_9018 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9018 match destination-port 9018
set security nat destination rule-set NAT rule 3cx_9018 then destination-nat pool 3cx_9018
set security nat destination rule-set NAT rule 3cx_9019 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9019 match destination-port 9019
set security nat destination rule-set NAT rule 3cx_9019 then destination-nat pool 3cx_9019
set security nat destination rule-set NAT rule 3cx_9020 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9020 match destination-port 9020
set security nat destination rule-set NAT rule 3cx_9020 then destination-nat pool 3cx_9020
set security nat destination rule-set NAT rule 3cx_9021 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9021 match destination-port 9021
set security nat destination rule-set NAT rule 3cx_9021 then destination-nat pool 3cx_9021
set security nat destination rule-set NAT rule 3cx_9022 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9022 match destination-port 9022
set security nat destination rule-set NAT rule 3cx_9022 then destination-nat pool 3cx_9022
set security nat destination rule-set NAT rule 3cx_9023 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9023 match destination-port 9023
set security nat destination rule-set NAT rule 3cx_9023 then destination-nat pool 3cx_9023
set security nat destination rule-set NAT rule 3cx_9024 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9024 match destination-port 9024
set security nat destination rule-set NAT rule 3cx_9024 then destination-nat pool 3cx_9024
set security nat destination rule-set NAT rule 3cx_9025 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9025 match destination-port 9025
set security nat destination rule-set NAT rule 3cx_9025 then destination-nat pool 3cx_9025
set security nat destination rule-set NAT rule 3cx_9026 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9026 match destination-port 9026
set security nat destination rule-set NAT rule 3cx_9026 then destination-nat pool 3cx_9026
set security nat destination rule-set NAT rule 3cx_9027 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9027 match destination-port 9027
set security nat destination rule-set NAT rule 3cx_9027 then destination-nat pool 3cx_9027
set security nat destination rule-set NAT rule 3cx_9028 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9028 match destination-port 9028
set security nat destination rule-set NAT rule 3cx_9028 then destination-nat pool 3cx_9028
set security nat destination rule-set NAT rule 3cx_9029 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9029 match destination-port 9029
set security nat destination rule-set NAT rule 3cx_9029 then destination-nat pool 3cx_9029
set security nat destination rule-set NAT rule 3cx_9030 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9030 match destination-port 9030
set security nat destination rule-set NAT rule 3cx_9030 then destination-nat pool 3cx_9030
set security nat destination rule-set NAT rule 3cx_9031 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9031 match destination-port 9031
set security nat destination rule-set NAT rule 3cx_9031 then destination-nat pool 3cx_9031
set security nat destination rule-set NAT rule 3cx_9032 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9032 match destination-port 9032
set security nat destination rule-set NAT rule 3cx_9032 then destination-nat pool 3cx_9032
set security nat destination rule-set NAT rule 3cx_9033 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9033 match destination-port 9033
set security nat destination rule-set NAT rule 3cx_9033 then destination-nat pool 3cx_9033
set security nat destination rule-set NAT rule 3cx_9034 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9034 match destination-port 9034
set security nat destination rule-set NAT rule 3cx_9034 then destination-nat pool 3cx_9034
set security nat destination rule-set NAT rule 3cx_9035 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9035 match destination-port 9035
set security nat destination rule-set NAT rule 3cx_9035 then destination-nat pool 3cx_9035
set security nat destination rule-set NAT rule 3cx_9036 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9036 match destination-port 9036
set security nat destination rule-set NAT rule 3cx_9036 then destination-nat pool 3cx_9036
set security nat destination rule-set NAT rule 3cx_9037 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9037 match destination-port 9037
set security nat destination rule-set NAT rule 3cx_9037 then destination-nat pool 3cx_9037
set security nat destination rule-set NAT rule 3cx_9038 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9038 match destination-port 9038
set security nat destination rule-set NAT rule 3cx_9038 then destination-nat pool 3cx_9038
set security nat destination rule-set NAT rule 3cx_9039 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9039 match destination-port 9039
set security nat destination rule-set NAT rule 3cx_9039 then destination-nat pool 3cx_9039
set security nat destination rule-set NAT rule 3cx_9040 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9040 match destination-port 9040
set security nat destination rule-set NAT rule 3cx_9040 then destination-nat pool 3cx_9040
set security nat destination rule-set NAT rule 3cx_9041 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9041 match destination-port 9041
set security nat destination rule-set NAT rule 3cx_9041 then destination-nat pool 3cx_9041
set security nat destination rule-set NAT rule 3cx_9042 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9042 match destination-port 9042
set security nat destination rule-set NAT rule 3cx_9042 then destination-nat pool 3cx_9042
set security nat destination rule-set NAT rule 3cx_9043 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9043 match destination-port 9043
set security nat destination rule-set NAT rule 3cx_9043 then destination-nat pool 3cx_9043
set security nat destination rule-set NAT rule 3cx_9044 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9044 match destination-port 9044
set security nat destination rule-set NAT rule 3cx_9044 then destination-nat pool 3cx_9044
set security nat destination rule-set NAT rule 3cx_9045 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9045 match destination-port 9045
set security nat destination rule-set NAT rule 3cx_9045 then destination-nat pool 3cx_9045
set security nat destination rule-set NAT rule 3cx_9046 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9046 match destination-port 9046
set security nat destination rule-set NAT rule 3cx_9046 then destination-nat pool 3cx_9046
set security nat destination rule-set NAT rule 3cx_9047 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9047 match destination-port 9047
set security nat destination rule-set NAT rule 3cx_9047 then destination-nat pool 3cx_9047
set security nat destination rule-set NAT rule 3cx_9048 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9048 match destination-port 9048
set security nat destination rule-set NAT rule 3cx_9048 then destination-nat pool 3cx_9048
set security nat destination rule-set NAT rule 3cx_9049 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9049 match destination-port 9049
set security nat destination rule-set NAT rule 3cx_9049 then destination-nat pool 3cx_9049

Configure the permit rules for traffic coming from the untrust zone

Add the address of our PBX server to the address book:

set security zones security-zone trust address-book address 3cx [localPBXip]/32

Write the permit policy:

set security policies from-zone untrust to-zone trust policy 3cx_access match source-address any
set security policies from-zone untrust to-zone trust policy 3cx_access match destination-address 3cx
set security policies from-zone untrust to-zone trust policy 3cx_access match application 3cx-app-set
set security policies from-zone untrust to-zone trust policy 3cx_access then permit

Such a long and bulky procedure is due to two things:

  • In Juniper destination NAT a port range cannot be used, so we are forced to write this many pools. You can try to implement the same mechanism with source NAT, where a port range does exist.
  • Applications also have no notion of a port range, which leads to such huge configuration listings.
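Because the listing above has to be written out one port at a time, it is easy to mistype a single pool or rule (for example, a pool that translates to a port other than the one its rule matches), and such a slip is invisible until one media port silently stops working. The following script is an added example, not the author's tool or anything from Juniper: it generates the same per-port pool and rule lines for the ports the article lists, generates a per-port definition of the 3cx-app-set application set that the policy references but the article does not show (the application names 3cx-udp-9000 and so on are my own choice, using standard JunOS application syntax), and cross-checks a listing so that every rule's matched port equals the translated port of the pool it points to. The placeholders [localPBXip] and [outsideJuniperIP] are kept exactly as in the article.

```python
"""Generate and sanity-check the per-port JunOS destination-NAT listing
for 3CX. Added example; not the article author's script."""
import re

# Placeholders exactly as used in the article; substitute real addresses.
LOCAL_PBX_IP = "[localPBXip]"
OUTSIDE_IP = "[outsideJuniperIP]"
RULE_SET = "NAT"

# Ports from the 3CX firewall recommendations quoted in the article.
FORWARDS = [("tcp", 5060), ("udp", 5060), ("tcp", 5090)] + \
           [("udp", p) for p in range(9000, 9050)]


def nat_lines(forwards=None):
    """Return the 'set security nat destination' lines: one pool and one
    three-line rule per distinct port. The NAT rule matches on port only,
    so TCP and UDP 5060 share a single pool, as in the article."""
    ports = sorted({p for _, p in (forwards or FORWARDS)})
    lines = []
    for p in ports:
        pool = f"3cx_{p}"
        lines.append(f"set security nat destination pool {pool} address {LOCAL_PBX_IP}/32")
        lines.append(f"set security nat destination pool {pool} address port {p}")
    lines.append(f"set security nat destination rule-set {RULE_SET} from zone untrust")
    for p in ports:
        rule = f"3cx_{p}"
        lines.append(f"set security nat destination rule-set {RULE_SET} rule {rule} "
                     f"match destination-address {OUTSIDE_IP}/32")
        lines.append(f"set security nat destination rule-set {RULE_SET} rule {rule} "
                     f"match destination-port {p}")
        lines.append(f"set security nat destination rule-set {RULE_SET} rule {rule} "
                     f"then destination-nat pool {rule}")
    return lines


def application_lines(forwards=None):
    """Assumed definition of the '3cx-app-set' application set referenced by
    the article's policy (not shown there): one custom application per
    protocol/port, grouped into the set. Application names are my own."""
    lines = []
    for proto, p in (forwards or FORWARDS):
        app = f"3cx-{proto}-{p}"
        lines.append(f"set applications application {app} protocol {proto} destination-port {p}")
        lines.append(f"set applications application-set 3cx-app-set application {app}")
    return lines


POOL_RE = re.compile(r"^set security nat destination pool (\S+) address port (\d+)$")
RULE_PORT_RE = re.compile(r"^set security nat destination rule-set \S+ rule (\S+) "
                          r"match destination-port (\d+)$")
RULE_POOL_RE = re.compile(r"^set security nat destination rule-set \S+ rule (\S+) "
                          r"then destination-nat pool (\S+)$")


def check_port_consistency(lines):
    """Return a list of (rule, matched_port, pool, pool_port) mismatches.
    A rule's matched port must equal the translated port of the pool it
    points to; otherwise traffic arriving on one port is delivered to a
    different port on the PBX without any error being raised."""
    pool_port, rule_port, rule_pool = {}, {}, {}
    for raw in lines:
        line = raw.strip()
        if m := POOL_RE.match(line):
            pool_port[m.group(1)] = int(m.group(2))
        elif m := RULE_PORT_RE.match(line):
            rule_port[m.group(1)] = int(m.group(2))
        elif m := RULE_POOL_RE.match(line):
            rule_pool[m.group(1)] = m.group(2)
    bad = []
    for rule, pool in rule_pool.items():
        if rule in rule_port and pool in pool_port and rule_port[rule] != pool_port[pool]:
            bad.append((rule, rule_port[rule], pool, pool_port[pool]))
    return bad


# Constructed excerpt showing the kind of slip a hand-written listing invites:
# the pool for port 9010 translates to 9011.
TYPO_EXCERPT = """
set security nat destination pool 3cx_9010 address [localPBXip]/32
set security nat destination pool 3cx_9010 address port 9011
set security nat destination rule-set NAT rule 3cx_9010 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9010 match destination-port 9010
set security nat destination rule-set NAT rule 3cx_9010 then destination-nat pool 3cx_9010
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(nat_lines() + application_lines()))
    print("mismatches in constructed excerpt:", check_port_consistency(TYPO_EXCERPT))
```

Paste the generated lines into configuration mode and `commit check` before `commit`; running `check_port_consistency` over a `show configuration | display set` dump of an existing box catches the same class of mistake in a listing that was typed by hand.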