ScreenOS Firewalls (NOT SRX)
Contributor
72monsta

SSG static arp query

Hi,

I have a customer who is trying to set up VOIP for their homeworkers:

This is the current set up:

Homeworker----SA-----DMZ-ZONE---SSG--u/t------VOIP provider

I have policies in place permitting the traffic from the DMZ-zone to the VOIP provider and vice versa, so the call setup is sent through the box, through the SSG, and is hitting the VOIP provider OK.

The problem is that the VOIP provider access is controlled with a list of MAC addresses (as the homeworkers' IPs are assigned by the SA and so change each time). This works fine for the office users who connect from the office LAN via the SSG, but the source MAC of the homeworkers' IP is always the MAC of the SA and not that of the actual home users' laptops, so the call setup request is dropped.

Any idea how I can get this working? (enabling the MAC of the SA on the VOIP server is not an option)

Would it be possible to get around this by configuring a static ARP for the MAC of the home users' laptops on the SSG?

Thanks,

Marc

Recognized Expert
rasmus

Re: SSG static arp query

Before commenting, what is SA by the way ... can you post its config ...

regards
Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Contributor
72monsta

Re: SSG static arp query

Hi,

Thanks for the reply.

It is a 2500. Unfortunately I cannot provide the config for it (the support setup is a little convoluted): we support the SSG but not the SA, and my customer will not give me the SA config...

I know it is difficult to offer a solution without full access to the setup, but do you think, based on the limited info available, the solution I am thinking of would work?

Thanks,

Marc

Contributor
72monsta

Re: SSG static arp query

Hi,

Based on the info so far, do you think static MAC would work here?

Thanks

Marc

Contributor
72monsta

Re: SSG static arp query

Anyone??

cheers

Super Contributor
Spud

Re: SSG static arp query

I can't see how using static ARP on the SSG would help here.

Really, the VoIP provider should use a better method than the source MAC address for differentiating handsets/users. I'm not a VoIP expert so I can't make a suggestion here, unfortunately.

Failing this, another option may be to reconfigure the SA to assign specific IP addresses to specific users, rather than assigning a random free IP from a pool (which I'm assuming is what happens now). Then the VoIP provider might be able to use the source IP address instead of the MAC address to determine handset users.