SIP NAT scenario: source address translation (source NAT)

The following figures show a source address translation scenario involving two SIP phones on different networks, separated by a FortiGate unit. In the scenario, SIP Phone A sends an INVITE request to SIP Phone B, SIP Phone B replies with a 200 OK response, and the two phones then start media streams with each other.

To simplify the diagrams, some SIP messages are not included (for example, the Ringing and ACK response messages) and some SIP header lines and SDP profile lines have been removed from the SIP messages.

SIP source NAT scenario part 1: INVITE request sent from Phone A to Phone B

[Figure: SIP Phone A (PhoneA@10.31.101.20) on the Internal interface (10.31.101.100) of a FortiGate unit in NAT/Route mode; SIP Phone B (PhoneB@172.20.120.30) is reached through the WAN1 interface (172.20.120.122).]

Phone A sends an INVITE request to Phone B (SDP 10.31.101.20:4000).

    INVITE sip:PhoneB@172.20.120.30 SIP/2.0
    Via: SIP/2.0/UDP 10.31.101.20:5060
    From: PhoneA <sip:PhoneA@10.31.101.20>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@10.31.101.20
    CSeq: 1 INVITE
    Contact: sip:PhoneA@10.31.101.20

    v=0
    o=PhoneA 5462346 332134 IN IP4 10.31.101.20
    c=IN IP4 10.31.101.20
    m=audio 49170 RTP 0 3

The SIP ALG creates Pinhole 1, which accepts traffic on WAN1 with destination address:port 172.20.120.122:49170 and 49171.

The SIP ALG performs source NAT on the INVITE request and forwards it to Phone B.

    INVITE sip:PhoneB@172.20.120.30 SIP/2.0
    Via: SIP/2.0/UDP 172.20.120.122:5060
    From: PhoneA <sip:PhoneA@172.20.120.122>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@172.20.120.122
    CSeq: 1 INVITE
    Contact: sip:PhoneA@172.20.120.122

    v=0
    o=PhoneA 5462346 332134 IN IP4 172.20.120.122
    c=IN IP4 172.20.120.122
    m=audio 49170 RTP 0 3

For the replies to SIP packets sent by Phone A to be routable on Phone B's network, the FortiGate unit uses source NAT to change their source address to the address of the WAN1 interface. The SIP ALG makes similar changes to the source addresses in the SIP headers and the SDP profile. For example, the original INVITE request from Phone A includes the address of Phone A (10.31.101.20) in the From header line. After the INVITE request passes through the FortiGate unit, the address of Phone A in the From SIP header line is translated to 172.20.120.122, the address of the FortiGate unit's WAN1 interface. As a result, Phone B replies to SIP messages from Phone A using the WAN1 interface IP address.

The FortiGate unit also opens a pinhole so that it can accept media sessions sent to the WAN1 IP address using the port number in the m= line of the INVITE request and forward them to Phone A after translating the destination address to the IP address of Phone A.

Phone B sends the 200 OK response to the INVITE message to the WAN1 interface. The SDP profile includes the port number that Phone B wants to use for its media stream. The FortiGate unit forwards the 200 OK response to Phone A after translating the addresses in the SIP and SDP lines back to the IP address of Phone A. The SIP ALG also opens a pinhole on the Internal interface that accepts media stream sessions from Phone A with the destination address set to the IP address of Phone B and using the port that Phone B added to the SDP m= line.

SIP source NAT scenario part 2: 200 OK returned and media streams established

[Figure: same topology as part 1. SIP Phone A (PhoneA@10.31.101.20) on the Internal interface (10.31.101.100) of a FortiGate unit in NAT/Route mode; SIP Phone B (PhoneB@172.20.120.30) reached through the WAN1 interface (172.20.120.122).]

Phone B sends a 200 OK response to Phone A (SDP: 172.20.120.30:3456).

    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 172.20.120.122:5060
    From: PhoneA <sip:PhoneA@172.20.120.122>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@172.20.120.122
    CSeq: 1 INVITE
    Contact: sip:PhoneB@172.20.120.30

    v=0
    o=PhoneB 124333 67895 IN IP4 172.20.120.30
    c=IN IP4 172.20.120.30
    m=audio 3456 RTP 0

The SIP ALG creates Pinhole 2, which accepts traffic on Internal with destination address:port 172.20.120.30:3456 and 3457.

The SIP ALG performs source NAT on the 200 OK response and forwards it to Phone A.

    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 10.31.101.20:5060
    From: PhoneA <sip:PhoneA@10.31.101.20>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@10.31.101.20
    CSeq: 1 INVITE
    Contact: sip:PhoneB@172.20.120.30

    v=0
    o=PhoneB 124333 67895 IN IP4 172.20.120.30
    c=IN IP4 172.20.120.30
    m=audio 3456 RTP 0

Phone B sends RTP and RTCP media sessions to Phone A through Pinhole 1 (destination address:port 172.20.120.122:49170 and 49171).

Phone A sends RTP and RTCP media sessions to Phone B through Pinhole 2 (destination address:port 172.20.120.30:3456 and 3457).
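The header rewriting and pinhole behaviour described in parts 1 and 2, modelled as an added Python example. This is illustrative code written for this page, not FortiGate's SIP ALG implementation. It assumes simplified messages with LF line endings and only the header and SDP lines shown in the figures; the function names, the three-tuple pinhole representation and the pinhole_allows check are choices made here, and the sample INVITE and 200 OK are constructed from the scenario's addresses.

```python
# Added example (not FortiGate code): a minimal model of the SIP ALG source NAT
# behaviour described in the scenario.  It rewrites the source address on the
# SIP header and SDP lines the figures show being translated, derives the
# RTP/RTCP pinhole from the SDP, and checks media packets against that pinhole.
import re
from typing import Tuple

# Addresses taken from the scenario.
PHONE_A = "10.31.101.20"    # SIP Phone A, on the Internal network
WAN1 = "172.20.120.122"     # FortiGate WAN1 interface
PHONE_B = "172.20.120.30"   # SIP Phone B, reached through WAN1

# Lines whose embedded source address the ALG rewrites.  The request line and
# the To: header name the destination, so they are left untouched.
REWRITTEN_LINES = ("Via:", "From:", "Call-ID:", "Contact:", "o=", "c=")

Pinhole = Tuple[str, int, int]  # (destination address, RTP port, RTCP port)


def translate_source(message: str, old: str, new: str) -> str:
    """Replace address `old` with `new` on the header/SDP lines the ALG rewrites.

    The lookarounds stop 10.31.101.20 from matching inside e.g. 10.31.101.200.
    """
    pattern = re.compile(r"(?<![\d.])" + re.escape(old) + r"(?![\d.])")
    out = []
    for line in message.splitlines():
        if line.startswith(REWRITTEN_LINES):
            line = pattern.sub(new, line)
        out.append(line)
    return "\n".join(out)


def pinhole_from_sdp(message: str) -> Pinhole:
    """Derive the media pinhole from the SDP: the c= address plus the m= port
    for RTP and the next port up for RTCP, as in the scenario's two pinholes."""
    conn = re.search(r"^c=IN IP4 (\S+)$", message, re.M)
    media = re.search(r"^m=audio (\d+) ", message, re.M)
    if conn is None or media is None:
        raise ValueError("SDP lacks c= or m=audio line; no pinhole opened")
    port = int(media.group(1))
    return (conn.group(1), port, port + 1)


def alg_outbound_invite(invite: str) -> Tuple[str, Pinhole]:
    """INVITE from Phone A leaving through WAN1: source-NAT Phone A -> WAN1
    and open Pinhole 1 on WAN1 for Phone B's media sent to the WAN1 address."""
    forwarded = translate_source(invite, PHONE_A, WAN1)
    return forwarded, pinhole_from_sdp(forwarded)


def alg_inbound_200ok(response: str) -> Tuple[str, Pinhole]:
    """200 OK from Phone B arriving at WAN1: translate WAN1 back to Phone A
    and open Pinhole 2 on Internal for Phone A's media sent to Phone B."""
    forwarded = translate_source(response, WAN1, PHONE_A)
    return forwarded, pinhole_from_sdp(forwarded)


def pinhole_allows(pinhole: Pinhole, dst_addr: str, dst_port: int) -> bool:
    """A pinhole admits only the negotiated RTP and RTCP ports at one address."""
    addr, rtp, rtcp = pinhole
    return dst_addr == addr and dst_port in (rtp, rtcp)


# Constructed messages modelled on the scenario figures.  Real SIP uses CRLF
# line endings and the m= line carries the full transport name (RTP/AVP).
INVITE_FROM_A = """INVITE sip:PhoneB@172.20.120.30 SIP/2.0
Via: SIP/2.0/UDP 10.31.101.20:5060
From: PhoneA <sip:PhoneA@10.31.101.20>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@10.31.101.20
CSeq: 1 INVITE
Contact: sip:PhoneA@10.31.101.20

v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 49170 RTP/AVP 0 3"""

OK_FROM_B = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.20.120.122:5060
From: PhoneA <sip:PhoneA@172.20.120.122>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@172.20.120.122
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30

v=0
o=PhoneB 124333 67895 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 3456 RTP/AVP 0"""

if __name__ == "__main__":
    invite_out, pinhole1 = alg_outbound_invite(INVITE_FROM_A)
    ok_in, pinhole2 = alg_inbound_200ok(OK_FROM_B)
    print(invite_out, "\n\nPinhole 1:", pinhole1)
    print(ok_in, "\n\nPinhole 2:", pinhole2)
    # Media aimed at a port outside the negotiated pair is dropped at the pinhole.
    print(pinhole_allows(pinhole1, WAN1, 49171), pinhole_allows(pinhole1, WAN1, 49172))
```

Running the script reproduces the translated INVITE and 200 OK from the figures, with Pinhole 1 at 172.20.120.122 ports 49170/49171 and Pinhole 2 at 172.20.120.30 ports 3456/3457. The last line shows the point of a pinhole over a plain port-range allow: only the two ports negotiated in the SDP, at the one address the SDP names, are admitted, and a message with no usable SDP opens nothing.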
