Category Archives: Administration Guides

Configuring SIP IP address conservation for the SIP ALG

You can use the following command to enable or disable SIP IP address conservation in a VoIP profile for the SIP ALG. SIP IP address conservation is enabled by default in a VoIP profile.

config voip profile edit VoIP_Pro_1 config sip set nat-trace disable

end

If the SIP message does not include an i= line and if the original source IP address of the traffic (before NAT) was 10.31.101.20 then the FortiGate would add the following i= line.

i=(o=IN IP4 10.31.101.20)

You can also use the preserve-override option to configure the SIP ALG to either add the original o= line to the end of the i= line or replace the i= line in the original message with a new i= line in the same form as above for adding a new i= line.

By default, preserver-override is disabled and the SIP ALG adds the original o= line to the end of the original i= line. Use the following command to configure the SIP ALG to replace the original i= line:

config voip profile edit VoIP_Pro_1 config sip set preserve-override enable

end

NAT with IP address conservation

Leave a reply

NAT with IP address conservation

In a source or destination NAT security policy that accepts SIP sessions, you can configure the SIP ALG or the SIP session helper to preserve the original source IP address of the SIP message in the i= line of the SDP profile. NAT with IP address conservation (also called SIP NAT tracing) changes the contents of SIP messages by adding the source IP address of the originator of the message into the SDP i= line of the SIP message. The SDP i= line is used for free-form text. However, if your SIP server can retrieve information from the SDP i= line, it can be useful for keeping a record of the source IP address of the originator of a SIP message when operating in a NAT environment. You can use this feature for billing purposes by extracting the IP address of the originator of the message.

Different source and destination NAT for SIP and RTP

Leave a reply

Different source and destination NAT for SIP and RTP

This is a more complex scenario that a SIP service provider may use. It can also be deployed in large-scale SIP environments where RTP has to be processed by the FortiGate and the RTP server IP has to be translated differently than the SIP serverIP.

NAT with IP address conservation

Different source and destination NAT for SIP and RTP

RTP servers

192.168.0.21 – 192.168.0.23 219.29.81.10

In this scenario, shown above, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect to 217.233.90.60. The media gateway (RTP server:

219.29.81.10) will connect to 217.233.90.65.

What happens is as follows:

The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
The SIP server carries out RTP to 217.233.90.65.
The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
RTP is sent to the RTP-VIP (217.233.90.65.) The FortiGate ALG translates the SIP contact header to 192.168.0.21.

Source NAT with an IP pool

Leave a reply

Source NAT with an IP pool

You can choose NAT with the Dynamic IP Pool option when configuring a security policy if the source IP of the SIP packets is different from the interface IP. The FortiGate ALG interprets this configuration and translates the SIP header accordingly.

This configuration also applies to destination NAT.

SIP and RTP source NAT

Leave a reply

SIP and RTP source NAT

In the source NAT scenario shown below, a SIP phone connects to the Internet through a FortiGate with and IP address configured using PPPoE. The SIP ALG translates all private IPs in the SIP contact header into public IPs.

You need to configure an internal to external SIP security policy with NAT selected, and include a VoIP profile with SIP enabled.

SIP source NAT

SIP and RTP destination NAT

In the following destination NAT scenario, a SIP phone can connect through the FortiGate to private IP address using a firewall virtual IP (VIP). The SIP ALG translates the SIP contact header to the IP of the real SIP proxy server located on the Internet.

SIP destination NAT

In the scenario, shown above, the SIP phone connects to a VIP (10.72.0.60). The SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and manages NAT.

The FortiGate also supports a variation of this scenario where the RTP media server’s IP address is hidden on a private network or DMZ.

Source NAT with an IP pool

SIP destination NAT-RTP media server hidden

In the scenario shown above, a SIP phone connects to the Internet. The VoIP service provider only publishes a single public IP. The FortiGate is configured with a firewall VIP. The SIP phone connects to the FortiGate (217.233.90.60) and using the VIP the FortiGate translates the SIP contact header to the SIP proxy server IP address (10.0.0.60). The SIP proxy server changes the SIP/SDP connection information (which tells the SIP phone which RTP media server IP it should contact) also to 217.233.90.60.

SIP NAT configuration example: destination address translation (destination NAT)

Leave a reply

SIP NAT configuration example: destination address translation (destination NAT)

This configuration example shows how to configure the FortiGate to support the destination address translation scenario shown in the figure below. The FortiGate requires two SIP security policies:

l A destination NAT security policy that allows SIP messages to be sent from the Internet to the private network. This policy must include destination NAT because the addresses on the private network are not routable on the Internet. l A source NAT security policy that allows SIP messages to be sent from the private network to the Internet.

SIP destination NAT scenario part two: 200 OK returned to Phone B and media streams established

FortiGate HA cluster in NAT mode

General configuration steps

The following general configuration steps are required for this destination NAT SIP configuration. This example uses the default VoIP profile.

Add the SIP proxy server firewall virtual IP.
Add a firewall address for the SIP proxy server on the private network.
Add a destination NAT security policy that accepts SIP sessions from the Internet destined for the SIP proxy server virtual IP and translates the destination address to the IP address of the SIP proxy server on the private network.
Add a security policy that accepts SIP sessions initiated by the SIP proxy server and destined for the Internet.

Configuration steps – GUI

To add the SIP proxy server firewall virtual IP

Go to Policy & Objects > Virtual IPs.
Add the following SIP proxy server virtual IP.

VIP Type

IPv4

destination address translation (destination NAT)

Name	SIP_Proxy_VIP
Interface	port1
Type	Static NAT
External IP Address/Range	172.20.120.50
Mapped IP Address/Range	10.31.101.50

To add a firewall address for the SIP proxy server

Go to Policy & Objects > Addresses.
Add the following for the SIP proxy server:

Address Name	SIP_Proxy_Server
Type	Subnet
Subnet/IP Range	10.31.101.50/255.255.255.255
Interface	port2

To add the security policies

Go to Policy & Objects > IPv4 Policy.
Add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.

Incoming Interface		port1
Outgoing Interface		port2
Source		all
Destination Address		SIP_Proxy_VIP
Schedule		always
Service		SIP
Action		ACCEPT

Turn on NAT and select Use Outgoing Interface Address.
Turn on VoIP and select the default VoIP profile.
Select OK.
Add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the

Internet:

Incoming Interface

port2

SIP NAT configuration example: destination address translation (destination

Destination Address		all
Source		SIP_Proxy_Server
Schedule		always
Service		SIP
Action		ACCEPT

Turn on NAT and select Use OutgingInterface Address.
Turn on VoIP and select the default VoIP profile.
Select OK.

Configuration steps – CLI

To add the SIP proxy server firewall virtual IP and firewall address

Enter the following command to add the SIP proxy server firewall virtual IP. config firewall vip edit SIP_Proxy_VIP set type static-nat set extip 172.20.120.50 set mappedip 10.31.101.50 set extintf port1

end

Enter the following command to add the SIP proxy server firewall address. config firewall address edit SIP_Proxy_Server set associated interface port2 set type ipmask

set subnet 10.31.101.50 255.255.255.255

end

To add security policies

Enter the following command to add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.

config firewall policy edit 0 set srcintf port1 set dstintf port2 set srcaddr all set dstaddr SIP_Proxy_VIP set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end

and RTP source NAT

Enter the following command to add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the Internet:

config firewall policy edit 0 set srcintf port2 set dstintf port1 set srcaddr SIP_Proxy_Server

set dstaddr all set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end

SIP NAT configuration example: source address translation (source NAT)

Leave a reply

SIP NAT configuration example: source address translation (source NAT)

This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

Add firewall addresses for Phone A and Phone B.
Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

Configuration steps – GUI

To add firewall addresses for the SIP phones

Go to Policy & Objects > Addresses.
Add the following addresses for Phone A and Phone B:

Category	Address
Name	Phone_A
Type	IP/Netmask
Subnet / IP Range	10.31.101.20/255.255.255.255
Interface	Internal

SIP NAT configuration example: source address translation (source

Category	Address
Name	Phone_B
Type	IP/Netmask
Subnet / IP Range	172.20.120.30/255.255.255.255
Interface	wan1

To add security policies to apply the SIP ALG to SIP sessions

Go to Policy & Objects > Policy > IPv4.
Add a security policy to allow Phone A to send SIP request messages to Phone B:

Incoming Interface		internal
Outgoing Interface		wan1
Source		Phone_A
Destination Address		Phone_B
Schedule		always
Service		SIP
Action		ACCEPT

Turn on NAT and select Use Outgoing Interface Address.
Turn on VoIP and select the default VoIP profile.
Select OK.
Add a security policy to allow Phone B to send SIP request messages to Phone A:

Incoming Interface		wan1
Outgoing Interface		internal
Source		Phone_B
Destination Address		Phone_A
Schedule		always
Service		SIP
Action		ACCEPT

Turn on NAT and select Use Outgoing Interface Address.
Turn on VoIP and select the default VoIP profile.
Select OK.

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions

Enter the following command to add firewall addresses for Phone A and Phone B. config firewall address edit Phone_A set associated interface internal set type ipmask

set subnet 10.31.101.20 255.255.255.255

next edit Phone_B set associated interface wan1 set type ipmask

set subnet 172.20.120.30 255.255.255.255

end

Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy edit 0 set srcintf internal set dstintf wan1 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default

next edit 0 set srcintf wan1 set dstintf internal set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end

SIP NAT scenario: destination address translation (destination NAT)

Leave a reply

SIP NAT scenario: destination address translation (destination NAT)

The following figures show how the SIP ALG translates addresses in a SIP INVITE message sent from SIP Phone B on the Internet to SIP Phone A on a private network using the SIP proxy server. Because the addresses on the private network are not visible from the Internet, the security policy on the FortiGate that accepts SIP sessions includes a virtual IP. Phone A sends SIP the INVITE message to the virtual IP address. The FortiGate accepts the INVITE message packets and using the virtual IP, translates the destination address of the packet to the IP address of the SIP proxy server and forwards the SIP message to it.

SIP destination NAT scenario part 1: INVITE request sent from Phone B to Phone A

To simplify the diagrams, some SIP messages are not included (for example, the Ringing and ACK response messages) and some SIP header lines and SDP profile lines have been removed from the SIP messages. destination address translation (destination NAT)

The SIP ALG also translates the destination addresses in the SIP message from the virtual IP address (172.20.120.50) to the SIP proxy server address (10.31.101.50). For this configuration to work, the SIP proxy server must be able to change the destination addresses for Phone A in the SIP message from the address of the SIP proxy server to the actual address of Phone A.

The SIP ALG also opens a pinhole on the Port2 interface that accepts media sessions from the private network to SIP Phone B using ports 4900 and 4901.

Phone A sends a 200 OK response back to the SIP proxy server. The SIP proxy server forwards the response to Phone B. The FortiGate accepts the 100 OK response. The SIP ALG translates the Phone A addresses back to the SIP proxy server virtual IP address before forwarding the response back to Phone B. The SIP ALG also opens a pinhole using the SIP proxy server virtual IP which is the address in the o= line of the SDP profile and the port number in the m= line of the SDP code.

SIP NAT scenario: destination address translation (destination

SIP destination NAT scenario part 2: 200 OK returned to Phone B and media streams established

The media stream from Phone A is accepted by pinhole one and forwarded to Phone B. The source address of this media stream is changed to the SIP proxy server virtual IP address. The media stream from Phone B is accepted by pinhole 2 and forwarded to Phone B. The destination address of this media stream is changed to the IP address of Phone A.