In the case of the SRX series of routers I did it this way:
It is assumed that the PBX is in the trust zone. JunOS version 11.4R7.5, model SRX 220.
Disable the SIP ALG:
set security alg sip disable
Configure the NAT itself:
set security nat destination pool 3cx_5060 address [localPBXip]/32
set security nat destination pool 3cx_5060 address port 5060
set security nat destination pool 3cx_5090 address [localPBXip]/32
set security nat destination pool 3cx_5090 address port 5090
set security nat destination pool 3cx_9000 address [localPBXip]/32
set security nat destination pool 3cx_9000 address port 9000
set security nat destination pool 3cx_9001 address [localPBXip]/32
set security nat destination pool 3cx_9001 address port 9001
set security nat destination pool 3cx_9002 address [localPBXip]/32
set security nat destination pool 3cx_9002 address port 9002
set security nat destination pool 3cx_9003 address [localPBXip]/32
set security nat destination pool 3cx_9003 address port 9003
set security nat destination pool 3cx_9004 address [localPBXip]/32
set security nat destination pool 3cx_9004 address port 9004
set security nat destination pool 3cx_9005 address [localPBXip]/32
set security nat destination pool 3cx_9005 address port 9005
set security nat destination pool 3cx_9006 address [localPBXip]/32
set security nat destination pool 3cx_9006 address port 9006
set security nat destination pool 3cx_9007 address [localPBXip]/32
set security nat destination pool 3cx_9007 address port 9007
set security nat destination pool 3cx_9008 address [localPBXip]/32
set security nat destination pool 3cx_9008 address port 9008
set security nat destination pool 3cx_9009 address [localPBXip]/32
set security nat destination pool 3cx_9009 address port 9009
set security nat destination pool 3cx_9010 address [localPBXip]/32
set security nat destination pool 3cx_9010 address port 9010
set security nat destination pool 3cx_9011 address [localPBXip]/32
set security nat destination pool 3cx_9011 address port 9011
set security nat destination pool 3cx_9012 address [localPBXip]/32
set security nat destination pool 3cx_9012 address port 9012
set security nat destination pool 3cx_9013 address [localPBXip]/32
set security nat destination pool 3cx_9013 address port 9013
set security nat destination pool 3cx_9014 address [localPBXip]/32
set security nat destination pool 3cx_9014 address port 9014
set security nat destination pool 3cx_9015 address [localPBXip]/32
set security nat destination pool 3cx_9015 address port 9015
set security nat destination pool 3cx_9016 address [localPBXip]/32
set security nat destination pool 3cx_9016 address port 9016
set security nat destination pool 3cx_9017 address [localPBXip]/32
set security nat destination pool 3cx_9017 address port 9017
set security nat destination pool 3cx_9018 address [localPBXip]/32
set security nat destination pool 3cx_9018 address port 9018
set security nat destination pool 3cx_9019 address [localPBXip]/32
set security nat destination pool 3cx_9019 address port 9019
set security nat destination pool 3cx_9020 address [localPBXip]/32
set security nat destination pool 3cx_9020 address port 9020
set security nat destination pool 3cx_9021 address [localPBXip]/32
set security nat destination pool 3cx_9021 address port 9021
set security nat destination pool 3cx_9022 address [localPBXip]/32
set security nat destination pool 3cx_9022 address port 9022
set security nat destination pool 3cx_9023 address [localPBXip]/32
set security nat destination pool 3cx_9023 address port 9023
set security nat destination pool 3cx_9024 address [localPBXip]/32
set security nat destination pool 3cx_9024 address port 9024
set security nat destination pool 3cx_9025 address [localPBXip]/32
set security nat destination pool 3cx_9025 address port 9025
set security nat destination pool 3cx_9026 address [localPBXip]/32
set security nat destination pool 3cx_9026 address port 9026
set security nat destination pool 3cx_9027 address [localPBXip]/32
set security nat destination pool 3cx_9027 address port 9027
set security nat destination pool 3cx_9028 address [localPBXip]/32
set security nat destination pool 3cx_9028 address port 9028
set security nat destination pool 3cx_9029 address [localPBXip]/32
set security nat destination pool 3cx_9029 address port 9029
set security nat destination pool 3cx_9030 address [localPBXip]/32
set security nat destination pool 3cx_9030 address port 9030
set security nat destination pool 3cx_9031 address [localPBXip]/32
set security nat destination pool 3cx_9031 address port 9031
set security nat destination pool 3cx_9032 address [localPBXip]/32
set security nat destination pool 3cx_9032 address port 9032
set security nat destination pool 3cx_9033 address [localPBXip]/32
set security nat destination pool 3cx_9033 address port 9033
set security nat destination pool 3cx_9034 address [localPBXip]/32
set security nat destination pool 3cx_9034 address port 9034
set security nat destination pool 3cx_9035 address [localPBXip]/32
set security nat destination pool 3cx_9035 address port 9035
set security nat destination pool 3cx_9036 address [localPBXip]/32
set security nat destination pool 3cx_9036 address port 9036
set security nat destination pool 3cx_9037 address [localPBXip]/32
set security nat destination pool 3cx_9037 address port 9037
set security nat destination pool 3cx_9038 address [localPBXip]/32
set security nat destination pool 3cx_9038 address port 9038
set security nat destination pool 3cx_9039 address [localPBXip]/32
set security nat destination pool 3cx_9039 address port 9039
set security nat destination pool 3cx_9040 address [localPBXip]/32
set security nat destination pool 3cx_9040 address port 9040
set security nat destination pool 3cx_9041 address [localPBXip]/32
set security nat destination pool 3cx_9041 address port 9041
set security nat destination pool 3cx_9042 address [localPBXip]/32
set security nat destination pool 3cx_9042 address port 9042
set security nat destination pool 3cx_9043 address [localPBXip]/32
set security nat destination pool 3cx_9043 address port 9043
set security nat destination pool 3cx_9044 address [localPBXip]/32
set security nat destination pool 3cx_9044 address port 9044
set security nat destination pool 3cx_9045 address [localPBXip]/32
set security nat destination pool 3cx_9045 address port 9045
set security nat destination pool 3cx_9046 address [localPBXip]/32
set security nat destination pool 3cx_9046 address port 9046
set security nat destination pool 3cx_9047 address [localPBXip]/32
set security nat destination pool 3cx_9047 address port 9047
set security nat destination pool 3cx_9048 address [localPBXip]/32
set security nat destination pool 3cx_9048 address port 9048
set security nat destination pool 3cx_9049 address [localPBXip]/32
set security nat destination pool 3cx_9049 address port 9049
set security nat destination rule-set NAT from zone untrust
set security nat destination rule-set NAT rule 3cx_5060 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_5060 match destination-port 5060
set security nat destination rule-set NAT rule 3cx_5060 then destination-nat pool 3cx_5060
set security nat destination rule-set NAT rule 3cx_5090 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_5090 match destination-port 5090
set security nat destination rule-set NAT rule 3cx_5090 then destination-nat pool 3cx_5090
set security nat destination rule-set NAT rule 3cx_9000 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9000 match destination-port 9000
set security nat destination rule-set NAT rule 3cx_9000 then destination-nat pool 3cx_9000
set security nat destination rule-set NAT rule 3cx_9001 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9001 match destination-port 9001
set security nat destination rule-set NAT rule 3cx_9001 then destination-nat pool 3cx_9001
set security nat destination rule-set NAT rule 3cx_9002 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9002 match destination-port 9002
set security nat destination rule-set NAT rule 3cx_9002 then destination-nat pool 3cx_9002
set security nat destination rule-set NAT rule 3cx_9003 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9003 match destination-port 9003
set security nat destination rule-set NAT rule 3cx_9003 then destination-nat pool 3cx_9003
set security nat destination rule-set NAT rule 3cx_9004 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9004 match destination-port 9004
set security nat destination rule-set NAT rule 3cx_9004 then destination-nat pool 3cx_9004
set security nat destination rule-set NAT rule 3cx_9005 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9005 match destination-port 9005
set security nat destination rule-set NAT rule 3cx_9005 then destination-nat pool 3cx_9005
set security nat destination rule-set NAT rule 3cx_9006 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9006 match destination-port 9006
set security nat destination rule-set NAT rule 3cx_9006 then destination-nat pool 3cx_9006
set security nat destination rule-set NAT rule 3cx_9007 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9007 match destination-port 9007
set security nat destination rule-set NAT rule 3cx_9007 then destination-nat pool 3cx_9007
set security nat destination rule-set NAT rule 3cx_9008 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9008 match destination-port 9008
set security nat destination rule-set NAT rule 3cx_9008 then destination-nat pool 3cx_9008
set security nat destination rule-set NAT rule 3cx_9009 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9009 match destination-port 9009
set security nat destination rule-set NAT rule 3cx_9009 then destination-nat pool 3cx_9009
set security nat destination rule-set NAT rule 3cx_9010 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9010 match destination-port 9010
set security nat destination rule-set NAT rule 3cx_9010 then destination-nat pool 3cx_9010
set security nat destination rule-set NAT rule 3cx_9011 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9011 match destination-port 9011
set security nat destination rule-set NAT rule 3cx_9011 then destination-nat pool 3cx_9011
set security nat destination rule-set NAT rule 3cx_9012 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9012 match destination-port 9012
set security nat destination rule-set NAT rule 3cx_9012 then destination-nat pool 3cx_9012
set security nat destination rule-set NAT rule 3cx_9013 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9013 match destination-port 9013
set security nat destination rule-set NAT rule 3cx_9013 then destination-nat pool 3cx_9013
set security nat destination rule-set NAT rule 3cx_9014 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9014 match destination-port 9014
set security nat destination rule-set NAT rule 3cx_9014 then destination-nat pool 3cx_9014
set security nat destination rule-set NAT rule 3cx_9015 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9015 match destination-port 9015
set security nat destination rule-set NAT rule 3cx_9015 then destination-nat pool 3cx_9015
set security nat destination rule-set NAT rule 3cx_9016 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9016 match destination-port 9016
set security nat destination rule-set NAT rule 3cx_9016 then destination-nat pool 3cx_9016
set security nat destination rule-set NAT rule 3cx_9017 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9017 match destination-port 9017
set security nat destination rule-set NAT rule 3cx_9017 then destination-nat pool 3cx_9017
set security nat destination rule-set NAT rule 3cx_9018 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9018 match destination-port 9018
set security nat destination rule-set NAT rule 3cx_9018 then destination-nat pool 3cx_9018
set security nat destination rule-set NAT rule 3cx_9019 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9019 match destination-port 9019
set security nat destination rule-set NAT rule 3cx_9019 then destination-nat pool 3cx_9019
set security nat destination rule-set NAT rule 3cx_9020 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9020 match destination-port 9020
set security nat destination rule-set NAT rule 3cx_9020 then destination-nat pool 3cx_9020
set security nat destination rule-set NAT rule 3cx_9021 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9021 match destination-port 9021
set security nat destination rule-set NAT rule 3cx_9021 then destination-nat pool 3cx_9021
set security nat destination rule-set NAT rule 3cx_9022 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9022 match destination-port 9022
set security nat destination rule-set NAT rule 3cx_9022 then destination-nat pool 3cx_9022
set security nat destination rule-set NAT rule 3cx_9023 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9023 match destination-port 9023
set security nat destination rule-set NAT rule 3cx_9023 then destination-nat pool 3cx_9023
set security nat destination rule-set NAT rule 3cx_9024 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9024 match destination-port 9024
set security nat destination rule-set NAT rule 3cx_9024 then destination-nat pool 3cx_9024
set security nat destination rule-set NAT rule 3cx_9025 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9025 match destination-port 9025
set security nat destination rule-set NAT rule 3cx_9025 then destination-nat pool 3cx_9025
set security nat destination rule-set NAT rule 3cx_9026 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9026 match destination-port 9026
set security nat destination rule-set NAT rule 3cx_9026 then destination-nat pool 3cx_9026
set security nat destination rule-set NAT rule 3cx_9027 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9027 match destination-port 9027
set security nat destination rule-set NAT rule 3cx_9027 then destination-nat pool 3cx_9027
set security nat destination rule-set NAT rule 3cx_9028 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9028 match destination-port 9028
set security nat destination rule-set NAT rule 3cx_9028 then destination-nat pool 3cx_9028
set security nat destination rule-set NAT rule 3cx_9029 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9029 match destination-port 9029
set security nat destination rule-set NAT rule 3cx_9029 then destination-nat pool 3cx_9029
set security nat destination rule-set NAT rule 3cx_9030 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9030 match destination-port 9030
set security nat destination rule-set NAT rule 3cx_9030 then destination-nat pool 3cx_9030
set security nat destination rule-set NAT rule 3cx_9031 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9031 match destination-port 9031
set security nat destination rule-set NAT rule 3cx_9031 then destination-nat pool 3cx_9031
set security nat destination rule-set NAT rule 3cx_9032 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9032 match destination-port 9032
set security nat destination rule-set NAT rule 3cx_9032 then destination-nat pool 3cx_9032
set security nat destination rule-set NAT rule 3cx_9033 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9033 match destination-port 9033
set security nat destination rule-set NAT rule 3cx_9033 then destination-nat pool 3cx_9033
set security nat destination rule-set NAT rule 3cx_9034 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9034 match destination-port 9034
set security nat destination rule-set NAT rule 3cx_9034 then destination-nat pool 3cx_9034
set security nat destination rule-set NAT rule 3cx_9035 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9035 match destination-port 9035
set security nat destination rule-set NAT rule 3cx_9035 then destination-nat pool 3cx_9035
set security nat destination rule-set NAT rule 3cx_9036 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9036 match destination-port 9036
set security nat destination rule-set NAT rule 3cx_9036 then destination-nat pool 3cx_9036
set security nat destination rule-set NAT rule 3cx_9037 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9037 match destination-port 9037
set security nat destination rule-set NAT rule 3cx_9037 then destination-nat pool 3cx_9037
set security nat destination rule-set NAT rule 3cx_9038 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9038 match destination-port 9038
set security nat destination rule-set NAT rule 3cx_9038 then destination-nat pool 3cx_9038
set security nat destination rule-set NAT rule 3cx_9039 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9039 match destination-port 9039
set security nat destination rule-set NAT rule 3cx_9039 then destination-nat pool 3cx_9039
set security nat destination rule-set NAT rule 3cx_9040 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9040 match destination-port 9040
set security nat destination rule-set NAT rule 3cx_9040 then destination-nat pool 3cx_9040
set security nat destination rule-set NAT rule 3cx_9041 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9041 match destination-port 9041
set security nat destination rule-set NAT rule 3cx_9041 then destination-nat pool 3cx_9041
set security nat destination rule-set NAT rule 3cx_9042 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9042 match destination-port 9042
set security nat destination rule-set NAT rule 3cx_9042 then destination-nat pool 3cx_9042
set security nat destination rule-set NAT rule 3cx_9043 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9043 match destination-port 9043
set security nat destination rule-set NAT rule 3cx_9043 then destination-nat pool 3cx_9043
set security nat destination rule-set NAT rule 3cx_9044 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9044 match destination-port 9044
set security nat destination rule-set NAT rule 3cx_9044 then destination-nat pool 3cx_9044
set security nat destination rule-set NAT rule 3cx_9045 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9045 match destination-port 9045
set security nat destination rule-set NAT rule 3cx_9045 then destination-nat pool 3cx_9045
set security nat destination rule-set NAT rule 3cx_9046 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9046 match destination-port 9046
set security nat destination rule-set NAT rule 3cx_9046 then destination-nat pool 3cx_9046
set security nat destination rule-set NAT rule 3cx_9047 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9047 match destination-port 9047
set security nat destination rule-set NAT rule 3cx_9047 then destination-nat pool 3cx_9047
set security nat destination rule-set NAT rule 3cx_9048 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9048 match destination-port 9048
set security nat destination rule-set NAT rule 3cx_9048 then destination-nat pool 3cx_9048
set security nat destination rule-set NAT rule 3cx_9049 match destination-address [outsideJuniperIP]/32
set security nat destination rule-set NAT rule 3cx_9049 match destination-port 9049
set security nat destination rule-set NAT rule 3cx_9049 then destination-nat pool 3cx_9049
Configure the permissions for letting traffic through from the untrust zone.
Add the address of our PBX server to the address book:
set security zones security-zone trust address-book address 3cx [localPBXip]/32
Set the permissions:
set security policies from-zone untrust to-zone trust policy 3cx_access match source-address any
set security policies from-zone untrust to-zone trust policy 3cx_access match destination-address 3cx
set security policies from-zone untrust to-zone trust policy 3cx_access match application 3cx-app-set
set security policies from-zone untrust to-zone trust policy 3cx_access then permit
Such a long and voluminous procedure is due to two things:
Within destination NAT on Juniper it is not possible to use a port range, so we are forced to define this many pools. You can try to implement the same mechanism within source NAT, where a port range does exist.
Applications also have no concept of a port range, which leads to such huge configuration listings.
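Because the whole procedure above is one pool, one rule and one application per port, it is safer to generate the listing than to type it, and to check that each rule's destination-port matches the port its pool forwards to before committing (a single mistyped digit silently sends one RTP port to the wrong place, and the SIP ALG being disabled means nothing on the box will rewrite it back). The Python below is an added example, not code from the post's author or from Juniper. It reuses the post's names (pools and rules `3cx_<port>`, rule-set `NAT`, zones `untrust`/`trust`, address-book entry `3cx`, policy `3cx_access`, application set `3cx-app-set`) and the post's placeholders `[localPBXip]`/`[outsideJuniperIP]`; the function names, the `SIP_PORTS` list, the UDP-per-port build of `3cx-app-set` (which the post references but does not show) and the sample listing with its RFC 5737 / RFC 1918 addresses are all constructed here.

```python
import re

# Ports from the post: SIP 5060, 3CX tunnel 5090, media 9000-9049.
SIP_PORTS = [5060, 5090] + list(range(9000, 9050))


def dnat_commands(local_pbx_ip, outside_ip, ports=SIP_PORTS,
                  rule_set="NAT", from_zone="untrust", prefix="3cx"):
    """Emit the SIP-ALG, destination-NAT pool and rule 'set' lines, one pool
    and one rule per port, in the same layout as the post's listing."""
    cmds = ["set security alg sip disable"]
    for p in ports:
        pool = f"{prefix}_{p}"
        cmds.append(f"set security nat destination pool {pool} address {local_pbx_ip}/32")
        cmds.append(f"set security nat destination pool {pool} address port {p}")
    cmds.append(f"set security nat destination rule-set {rule_set} from zone {from_zone}")
    for p in ports:
        rule = f"{prefix}_{p}"
        base = f"set security nat destination rule-set {rule_set} rule {rule}"
        cmds.append(f"{base} match destination-address {outside_ip}/32")
        cmds.append(f"{base} match destination-port {p}")
        cmds.append(f"{base} then destination-nat pool {rule}")
    return cmds


def policy_commands(local_pbx_ip, ports=SIP_PORTS, protocol="udp",
                    app_set="3cx-app-set", prefix="3cx"):
    """Address-book entry, one application per port grouped into the
    application set (assumption: UDP for every port; the post does not show
    how 3cx-app-set was built) and the untrust->trust permit policy."""
    cmds = [f"set security zones security-zone trust address-book address {prefix} {local_pbx_ip}/32"]
    for p in ports:
        app = f"{prefix}-{protocol}-{p}"
        cmds.append(f"set applications application {app} protocol {protocol} destination-port {p}")
        cmds.append(f"set applications application-set {app_set} application {app}")
    base = f"set security policies from-zone untrust to-zone trust policy {prefix}_access"
    cmds += [f"{base} match source-address any",
             f"{base} match destination-address {prefix}",
             f"{base} match application {app_set}",
             f"{base} then permit"]
    return cmds


# Patterns for the three 'set' forms the check needs (pool address, pool port,
# rule port, rule -> pool binding).
_POOL_ADDR = re.compile(r"^set security nat destination pool (\S+) address \S+$")
_POOL_PORT = re.compile(r"^set security nat destination pool (\S+) address port (\d+)$")
_RULE_PORT = re.compile(r"^set security nat destination rule-set \S+ rule (\S+) match destination-port (\d+)$")
_RULE_POOL = re.compile(r"^set security nat destination rule-set \S+ rule (\S+) then destination-nat pool (\S+)$")


def check_listing(lines):
    """Return a list of problems: rules bound to an undefined pool, and rules
    whose matched destination-port differs from the port their pool forwards
    to. A pool without an 'address port' keeps the original port, so it can
    never mismatch."""
    pools, pool_port, rule_port, rule_pool = set(), {}, {}, {}
    for line in lines:
        line = line.strip()
        if m := _POOL_PORT.match(line):
            pools.add(m[1])
            pool_port[m[1]] = int(m[2])
        elif m := _POOL_ADDR.match(line):
            pools.add(m[1])
        elif m := _RULE_PORT.match(line):
            rule_port[m[1]] = int(m[2])
        elif m := _RULE_POOL.match(line):
            rule_pool[m[1]] = m[2]
    problems = []
    for rule, pool in rule_pool.items():
        if pool not in pools:
            problems.append(f"rule {rule} references undefined pool {pool}")
        elif rule in rule_port and pool in pool_port and rule_port[rule] != pool_port[pool]:
            problems.append(f"rule {rule} matches port {rule_port[rule]} "
                            f"but pool {pool} forwards to port {pool_port[pool]}")
    return problems


# Constructed sample: a hand-typed fragment with a pool/rule port mismatch and
# a rule bound to a pool that was never defined.
SAMPLE_LISTING = """
set security nat destination pool 3cx_9010 address 10.0.0.5/32
set security nat destination pool 3cx_9010 address port 9011
set security nat destination rule-set NAT rule 3cx_9010 match destination-address 203.0.113.1/32
set security nat destination rule-set NAT rule 3cx_9010 match destination-port 9010
set security nat destination rule-set NAT rule 3cx_9010 then destination-nat pool 3cx_9010
set security nat destination rule-set NAT rule 3cx_9099 then destination-nat pool 3cx_9099
""".strip().splitlines()

if __name__ == "__main__":
    for problem in check_listing(SAMPLE_LISTING):
        print("PROBLEM:", problem)
    print("\n".join(dnat_commands("[localPBXip]", "[outsideJuniperIP]")))
    print("\n".join(policy_commands("[localPBXip]")))
```

Run it with the two placeholders replaced by the real addresses and paste the output into `configure` mode; `check_listing` can equally be fed the output of `show configuration | display set` from an existing box to catch a pool that was hand-edited after the fact.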