How the SIP ALG translates IP addresses in SIP headers

How the SIP ALG translates IP addresses in SIP headers

The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in SIP headers. For example, the following SIP message contains most of the SIP fields that contain addresses that need to be translated:

INVITE PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 172.20.120.50:5434

From: PhoneA@10.31.101.20

To: PhoneB@172.20.120.30

Call-ID: a12abcde@172.20.120.50

Contact: PhoneA@10.31.101.20:5434

Route: <sip:example@172.20.120.50:5060>

Record-Route: <sip:example@172.20.120.50:5060>

How the SIP ALG translates IP addresses in SIP headers

How IP address translation is performed depends on whether source NAT or destination NAT is applied to the session containing the message:

Source NAT translation of IP addresses in SIP messages

Source NAT translation occurs for SIP messages sent from a phone or server on a private network to a phone or server on the Internet. The source addresses in the SIP header fields of the message are typically set to IP addresses on the private network. The SIP ALG translates these addresses to the address the FortiGate interface connected to the Internet.

Source NAT translation of IP addresses in SIP request messages

SIP header NAT action
To: None
From: Replace private network address with IP address of FortiGate interface connected to the Internet.
Call-ID: Replace private network address with IP address of FortiGate interface connected to the Internet.
Via: Replace private network address with IP address of FortiGate interface connected to the Internet.
Request-URI: None
Contact: Replace private network address with IP address of FortiGate interface connected to the Internet.
Record-Route: Replace private network address with IP address of FortiGate interface connected to the Internet.
Route: Replace private network address with IP address of FortiGate interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate interface connected to the Internet where the destination addresses are translated back to addresses on the private network before forwarding the SIP response message to the private network.

Source NAT translation of IP addresses in SIP response messages

SIP header NAT action
To: None
From: Replace IP address of FortiGate interface connected to the Internet with private network address.

How the SIP ALG translates IP addresses in SIP headers

SIP header NAT action
Call-ID: Replace IP address of FortiGate interface connected to the Internet with private network address.
Via: Replace IP address of FortiGate interface connected to the Internet with private network address.
Request-URI: N/A
Contact: None
Record-Route: Replace IP address of FortiGate interface connected to the Internet with private network address.
Route: Replace IP address of FortiGate interface connected to the Internet with private network address.

Destination NAT translation of IP addresses in SIP messages

Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate.

Destination NAT translation of IP addresses in SIP request messages

SIP header NAT action
To: Replace VIP address with address on the private network as defined in the firewall virtual IP.
From: None
Call-ID: None
Via: None
Request-URI: Replace VIP address with address on the private network as defined in the firewall virtual IP.
Contact: None
Record-Route: None
Route: None

SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply

How the SIP ALG translates IP addresses in the SIP body

messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.

Destination NAT translation of IP addresses in SIP response messages

SIP header NAT action
To: None
From: Replace private network address with firewall VIP address.
Call-ID: None
Via: None
Request-URI: N/A
Contact: Replace private network address with firewall VIP address.
Record-Route: Replace private network address with firewall VIP address.
Route: None

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.