27 Configuring Near-Side NAT Objects

You can configure the ME Engine to perform address translation on behalf of an enterprise firewall device. To do so, configure the parameters of the near-side-nat object to match the settings of your firewall and your media and SIP ports.

The ME uses network address translation (NAT) to change its private, backend address(es) to a public, routable address. NAT is defined in RFC 1631, The IP Network Address Translator. NAT ensures that internal private network addresses are rewritten so that they appear to come from the designated external network address. The ME modifies outgoing packets so that the return address is a valid Internet host (the firewall). The firewall then changes the destination address on incoming packets to the ME private address. This process protects the private addresses from public view. In addition, because the private address is not routable, any returning packets would not reach their destination. NAT provides a routable address through which the ME can maintain SIP and media connections.

The ME works with the firewall as follows:

  1. You configure your firewall appropriately.

  2. Configure the ME to match the firewall settings for IP addresses and ports.

  3. Configure the ME ip sip and ip media-ports objects to use the same ports you specify in this object.

  4. When the ME detects a packet arriving from the firewall on one of the UDP or TCP listening ports configured here, it performs address translation: it rewrites the source address on its outgoing packets from its own internal IP address to the firewall public-facing address (set with the public-ip property).

See the following chapters for related information:

  • Configuring Session Initiation Protocol Objects

  • Configuring Media Ports Object

near-side-nat

Creates or edits a firewall configuration that allows the ME to perform address replacement for packets originating from the ME and destined for the Internet. By configuring the IP address of the public-facing interface on the enterprise firewall, the ME can produce a contact header that replaces its own, private IP address with the public-facing address of the firewall to allow completion of SIP calls.

When configuring the ME for address replacement, you must mirror the port forwarding of the firewall. The ports that you configure within this object indicate to the ME when it should do address replacement. For example, if you have configured the UDP port at 5060, when the ME receives a packet from the firewall device using port 5060, it will replace its private IP address with the configured public address in its response.

Enter a name for the firewall configuration when opening this object.

Configuration Requirements

You typically configure UDP port 5060 and TCP ports 5060 and 5061 for SIP traffic. Be certain that the port numbers you enter here are the same as those you configured in the ip sip object.

In addition, you may configure the NAT pool addresses within this object, typically UDP ports 20000 through 30000. Be certain that the port numbers you enter here are the same as those you configured in the ip media-ports object.

Finally, the port numbers and IP address that you specify must match the configuration on your external firewall device.

Syntax

config cluster box number interface ethX ip name near-side-nat name
config cluster box number interface ethX vlan number ip name near-side-nat name
config box interface ethX ip name near-side-nat name
config box interface ethX vlan number ip name near-side-nat name

Properties

admin: Sets the administrative state of the external firewall configuration on the system, either enabled (active) or disabled. When disabled, you can still configure the firewall parameters, but the system will not do the address replacement necessary (if it is situated behind a near-side firewall).

Default: enabled
Values: enabled | disabled

Example: set admin disabled

public-ip: Sets the public-side address of the firewall positioned between the system and the Internet. The system will replace its own private, internal network address with the firewall public-facing IP address. You must supply a globally unique, routable value.

Default: There is no default setting

Example: set public-ip 1.2.3.4

udp-range <starting-port> <count>: Specifies the UDP port or ports on which the system listens for packets from the firewall device, given as a starting port and the number of consecutive ports. When the system receives a packet from the firewall on one of these ports, it replaces its own private address with the firewall public address in its response.

The typical SIP port is 5060; the typical media pool range is 20000 through 30000. Make sure that your UDP port configuration matches both the firewall configuration and the ip sip and ip media-ports object configurations.

If no UDP port is specified, the system has no port to listen for, and therefore, no address replacement occurs.

Default: There is no default setting

Example: set udp-range 5060

tcp-range <starting-port> <count>: Specifies the TCP port or ports on which the system listens for packets from the firewall device, given as a starting port and the number of consecutive ports. When the system receives a packet from the firewall on one of these ports, it replaces its own private address with the firewall public address in its response.

The typical SIP ports are 5060 and 5061. Make sure that your TCP port configuration matches both the firewall configuration and the ip sip object configuration.

If no TCP port is specified, the system has no port to listen for, and therefore, no address replacement occurs.

Default: There is no default setting

Example: set tcp-range 5060 2
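As an added illustration of the behaviour described under Configuration Requirements and in the udp-range and tcp-range properties, the following Python script (example code, not part of the ME or of this guide) models a near-side-nat object as a public IP plus (starting-port, count) ranges, checks that the ports used by the ip sip and ip media-ports objects are all covered, and applies the Contact-header address replacement to a constructed 200 OK only when the packet arrived on a configured port. The class and function names, the private address 10.0.0.5, the public address 198.51.100.1 and the sample SIP message are assumptions; rewriting only the Contact header is a simplification of what the ME does.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# (starting-port, count), the shape of the udp-range / tcp-range properties.
PortRange = Tuple[int, int]


@dataclass
class NearSideNat:
    """Hypothetical model of a near-side-nat object (assumption, not ME code)."""
    public_ip: str
    admin: str = "enabled"
    udp_ranges: List[PortRange] = field(default_factory=list)
    tcp_ranges: List[PortRange] = field(default_factory=list)

    def covers(self, proto: str, port: int) -> bool:
        """True if the listening port falls inside a configured range for proto."""
        ranges = self.udp_ranges if proto == "udp" else self.tcp_ranges
        return any(start <= port < start + count for start, count in ranges)


def check_consistency(nat: NearSideNat,
                      sip_ports: Iterable[Tuple[str, int]],
                      media_ports: PortRange) -> List[str]:
    """Report ports from ip sip / ip media-ports that this object does not cover.

    A port listed here would receive firewall traffic without triggering
    address replacement, which is the mismatch the guide warns about.
    """
    problems = []
    for proto, port in sip_ports:
        if not nat.covers(proto, port):
            problems.append(f"ip sip {proto} port {port} not in near-side-nat {proto}-range")
    start, count = media_ports
    uncovered = [p for p in range(start, start + count) if not nat.covers("udp", p)]
    if uncovered:
        problems.append(f"ip media-ports {start}-{start + count - 1}: "
                        f"{len(uncovered)} port(s) not in near-side-nat udp-range")
    return problems


# Matches a Contact header of the form  Contact: <sip:[user@]host[:port][;params]>
CONTACT_RE = re.compile(
    r"^(Contact:\s*<sip:(?:[^@>]*@)?)([0-9.]+)(:\d+)?([;>].*)$", re.MULTILINE)


def apply_near_side_nat(message: str, nat: NearSideNat, proto: str,
                        listening_port: int, private_ip: str) -> str:
    """Rewrite the private host in the Contact header to the firewall public IP.

    Nothing is rewritten when the object is disabled or when the packet did
    not arrive on a configured port (no port to listen for, no replacement).
    """
    if nat.admin != "enabled" or not nat.covers(proto, listening_port):
        return message

    def repl(m: "re.Match[str]") -> str:
        if m.group(2) != private_ip:
            return m.group(0)  # only the system's own address is replaced
        return f"{m.group(1)}{nat.public_ip}{m.group(3) or ''}{m.group(4)}"

    return CONTACT_RE.sub(repl, message)


# Constructed sample response from the ME (private address 10.0.0.5).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:bob@example.net>;tag=1928301774\r\n"
    "To: <sip:alice@10.0.0.5>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5:5060;transport=udp>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Object mirroring the typical values in the guide: UDP 5060, TCP 5060-5061,
# UDP media pool 20000-30000 (a count of 10001 covers both ends).
EXAMPLE_NAT = NearSideNat(public_ip="198.51.100.1",
                          udp_ranges=[(5060, 1), (20000, 10001)],
                          tcp_ranges=[(5060, 2)])

if __name__ == "__main__":
    sip = [("udp", 5060), ("tcp", 5060), ("tcp", 5061)]
    print("consistency problems:", check_consistency(EXAMPLE_NAT, sip, (20000, 10001)))
    print(apply_near_side_nat(SAMPLE_200_OK, EXAMPLE_NAT, "udp", 5060, "10.0.0.5"))
    # A packet on an unconfigured port leaves the private address exposed:
    print(apply_near_side_nat(SAMPLE_200_OK, EXAMPLE_NAT, "udp", 5070, "10.0.0.5"))
```

Running the script shows the Contact header rewritten to the public address for a packet on UDP 5060 and left untouched for a packet on UDP 5070, which is exactly the symptom of a near-side-nat port list that does not mirror the ip sip or ip media-ports configuration.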