So,
It was pretty easy. The only thing I don't get about the NetScreen is that NAT seems to be very complicated and not too user-friendly. Of course, this is an enterprise-class firewall, so there is probably more to it, and it is probably easier than I think.
Anyway,
I have found a resolution. Basically I purchased an extra IP from my ISP and added a MIP. The following instructions are how I set it up.
1. Get an additional IP from your ISP. This has to be a separate and dedicated IP and cannot be the same IP you use as your untrust interface IP.
2. Edit untrust interface - go to network -> Interfaces -> edit your untrust interface.
3. Add MIP to untrust interface -
- After completing steps above select MIP next to the Properties: tag at the top of the page.
- Select New.
- Under Mapped IP enter in the new IP your ISP has given you.
- Enter your PBX or phone in the Host IP section.
- Make sure your netmask is 255.255.255.255.
- Your Host Virtual Router Name must be your trust interface, even if your PBX or phone is in the DMZ.
- Click OK.
4. Create a policy allowing SIP to your PBX or your Phone.
- Select Policy
- Select Policies
- From Untrust
- To Trust
- Select New
- Name: SIP NAT
- Source Address: Any
- Destination Address: Select in the drop down the MIP you just created.
- Service: SIP
- Application: None
- Make sure WEB Filtering is unchecked
- Action: Permit
- Tunnel VPN: None
- Modify matching bidirectional VPN policy: Unchecked
- L2TP: None
- Logging: Your call
- at Session Beginning: Your call
- Session-limit: Unchecked
- Counter: 0
- Alarm without drop: Unchecked.
- No Advanced options.
- Click okay
5. You should turn off SIP ALG. Not sure why it doesn't work with it on, but it doesn't. Where this setting is located depends on what version of the firmware you have. I have version 6.2.0r9.0 (Firewall+VPN).
- Select Security in the left hand menu.
- Select ALG
- Uncheck SIP
- Click Apply
Badda Bing Badda Boom, you should be working. Thanks again for the previous help!
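
An added example, not part of the original post: a Python check that reads a saved configuration and reports on the three pieces set up above (host-only MIP netmask, the permit policy that targets the MIP and whether its source is Any, and the SIP ALG state). The sample lines are constructed, use documentation addresses, and assume the `set interface ... mip` / `set policy ...` / `unset alg sip enable` form of ScreenOS `get config` output.

```python
import shlex

# Constructed sample in the style of ScreenOS "get config" output. The line
# syntax is an assumption; addresses are documentation ranges, not from the post.
SAMPLE_CONFIG = """\
set interface "ethernet0/0" mip 203.0.113.10 host 192.168.1.50 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 203.0.113.11 host 192.168.1.51 netmask 255.255.255.0 vr "trust-vr"
set policy id 7 name "SIP NAT" from "Untrust" to "Trust"  "Any" "MIP(203.0.113.10)" "SIP" permit log
unset alg sip enable
"""

def parse(config):
    """Collect MIP definitions, policies and the SIP ALG state."""
    mips, policies, sip_alg = {}, [], None  # None: ALG never mentioned
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "interface"] and "mip" in tok:
            i = tok.index("mip")
            # tokens after the mapped IP come in key/value pairs: host, netmask, vr
            mips[tok[i + 1]] = dict(zip(tok[i + 2::2], tok[i + 3::2]))
        elif tok[:2] == ["set", "policy"] and "from" in tok:
            f = tok.index("from")
            keys = ("src_zone", "to", "dst_zone", "src", "dst", "service", "action")
            policies.append(dict(zip(keys, tok[f + 1:f + 8])))
        elif tok[1:] == ["alg", "sip", "enable"]:
            sip_alg = tok[0] == "set"
    return mips, policies, sip_alg

def audit(config):
    """Return findings for the MIP + SIP policy + ALG setup in the post."""
    mips, policies, sip_alg = parse(config)
    findings = []
    for ip, mip in mips.items():
        if mip.get("netmask") != "255.255.255.255":
            findings.append(f"MIP {ip}: netmask {mip.get('netmask')} is not a single host")
        hits = [p for p in policies
                if p.get("dst") == f"MIP({ip})" and p.get("action") == "permit"]
        if not hits:
            findings.append(f"MIP {ip}: no permit policy references it")
        for p in hits:
            if p["src"].lower() == "any":
                findings.append(f"MIP {ip}: {p['service']} from {p['src_zone']} permitted for any source")
    if sip_alg is not False:
        findings.append("SIP ALG is not explicitly disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```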