The SIP connection requires opening return ports automatically for the reverse direction of flow, which Junos refers to as an ALG (application layer gateway). You apply these to the policy for the phone instead of the "any" rule, and the SRX knows to allow the full bidirectional protocol.
Example:
set security policies from-zone private to-zone public policy outgoing match source-address phone
set security policies from-zone private to-zone public policy outgoing match destination-address pbx
set security policies from-zone private to-zone public policy outgoing match application junos-sip
set security policies from-zone private to-zone public policy outgoing then permit
Using the session command you can verify the traffic is permitted and hitting the desired policy, using the IP address of the phone as x and the PBX as y.
show security flow session source-address x.x.x.x/32 destination-address y.y.y.y/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
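As an added example (not part of the post above), a small Python check that parses the session table produced by the `show security flow session` command and confirms the phone-to-PBX signalling session landed on the intended SIP policy rather than some other rule, and lists the extra sessions the ALG opened between the same pair. The output text and the addresses 10.0.0.5 (phone) and 10.0.1.10 (PBX) are constructed for illustration.

```python
import re

# Constructed sample of `show security flow session` output, not a real capture.
# Assumed addresses: phone 10.0.0.5, PBX 10.0.1.10; session 1002 stands in for
# an RTP pinhole the SIP ALG opened for the media stream.
SAMPLE_OUTPUT = """\
Session ID: 1001, Policy name: outgoing/4, Timeout: 1800, Valid
  In: 10.0.0.5/5060 --> 10.0.1.10/5060;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 6144,
  Out: 10.0.1.10/5060 --> 10.0.0.5/5060;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 5120,
Session ID: 1002, Policy name: outgoing/4, Timeout: 60, Valid
  In: 10.0.1.10/16384 --> 10.0.0.5/20000;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 300, Bytes: 64200,
  Out: 10.0.0.5/20000 --> 10.0.1.10/16384;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 298, Bytes: 63772,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),")


def parse_sessions(text):
    """Turn the session table into dicts: id, policy name, and In/Out wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            # "outgoing/4" is the policy name plus its internal ID; keep the name only
            sessions.append({"id": int(m.group(1)),
                             "policy": m.group(2).split("/")[0], "wings": {}})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1]["wings"][w.group(1)] = {
                "src": w.group(2), "sport": int(w.group(3)),
                "dst": w.group(4), "dport": int(w.group(5)), "proto": w.group(6)}
    return sessions


def check_sip(text, phone, pbx, policy="outgoing"):
    """Report whether the SIP signalling session and any ALG pinholes sit on `policy`."""
    result = {"signalling_ok": False, "pinholes": [], "wrong_policy": []}
    for s in parse_sessions(text):
        wing = s["wings"].get("In")
        if not wing or {wing["src"], wing["dst"]} != {phone, pbx}:
            continue  # not traffic between this phone and PBX
        if s["policy"] != policy:
            result["wrong_policy"].append(s["id"])  # matched some other rule
        elif wing["src"] == phone and wing["dport"] == 5060:
            result["signalling_ok"] = True  # phone -> PBX signalling on the SIP rule
        else:
            result["pinholes"].append(s["id"])  # reverse or media flow the ALG opened
    return result
```

Feed it the real command output and your own phone and PBX addresses; a non-empty `wrong_policy` list means a session between the two hosts was permitted by a rule other than the SIP one.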
Original Message:
Sent: 01-14-2021 17:01
From: Unknown User
Subject: How to allow SIP port from SRX 650
Hello
The SIP port TCP 5060 is not allowed through two zones in the SRX650 even if I create a security policy with the "any" application, and that makes the Cisco phone that uses SIP not register.
Appreciate your support
Thanks