How the SIP ALG translates IP addresses in SIP headers

Leave a reply

How the SIP ALG translates IP addresses in SIP headers

The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in SIP headers. For example, the following SIP message contains most of the SIP fields that contain addresses that need to be translated:

INVITE PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 172.20.120.50:5434

From: PhoneA@10.31.101.20

To: PhoneB@172.20.120.30

Call-ID: a12abcde@172.20.120.50

Contact: PhoneA@10.31.101.20:5434

Route: <sip:example@172.20.120.50:5060>

Record-Route: <sip:example@172.20.120.50:5060>

How IP address translation is performed depends on whether source NAT or destination NAT is applied to the session containing the message:

 

Source NAT translation of IP addresses in SIP messages

Source NAT translation occurs for SIP messages sent from a phone or server on a private network to a phone or server on the Internet. The source addresses in the SIP header fields of the message are typically set to IP addresses on the private network. The SIP ALG translates these addresses to the address the FortiGate unit interface connected to the Internet.

 

Source NAT translation of IP addresses in SIP request messages

SIP header              NAT action

To:                             None

From:                        Replace private network address with IP address of FortiGate unit interface connected to the Internet.

CallID:                      Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Via:                            Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Request-URI:            None

SIP header              NAT action

Contact:                    Replace private network address with IP address of FortiGate unit interface connected to the Internet.

RecordRoute:         Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Route:                       Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate unit interface connected to the Internet where the destination addresses are translated back to addresses on the private network before forwarding the SIP response message to the private network.

 

Source NAT translation of IP addresses in SIP response messages

SIP header              NAT action

To:                             None

From:                        Replace IP address of FortiGate unit interface connected to the Internet with private network address.

CallID:                      Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Via:                            Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Request-URI:            N/A

Contact:                    None

RecordRoute:         Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Route:                       Replace IP address of FortiGate unit interface connected to the Internet with private network address.

 

Destination NAT translation of IP addresses in SIP messages

Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate unit.

 

Destination NAT translation of IP addresses in SIP request messages

SIP header              NAT action

To:                             Replace VIP address with address on the private network as defined in the firewall vir- tual IP.

From:                        None

CallID:                      None

Via:                            None

Request-URI:            Replace VIP address with address on the private network as defined in the firewall vir- tual IP.

Contact:                    None

RecordRoute:         None

Route:                       None

SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.

 

Destination NAT translation of IP addresses in SIP response messages

SIP header              NAT action

To:                             None

From:                        Replace private network address with firewall VIP address.

CallID:                      None

Via:                            None

Request-URI:            N/A

Contact:                    Replace private network address with firewall VIP address.

RecordRoute:         Replace private network address with firewall VIP address.

Route:                       None


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.