
SIP NAT scenario: destination address translation (destination NAT)


The following figures show how the SIP ALG translates addresses in a SIP INVITE message sent from SIP Phone B on the Internet to SIP Phone A on a private network using the SIP proxy server. Because the addresses on the private network are not visible from the Internet, the security policy on the FortiGate unit that accepts SIP sessions includes a virtual IP. Phone A sends the SIP INVITE message to the virtual IP address. The FortiGate unit accepts the INVITE message packets and, using the virtual IP, translates the destination address of the packet to the IP address of the SIP proxy server and forwards the SIP message to it.

 

SIP destination NAT scenario part 1: INVITE request sent from Phone B to Phone A

[Figure: FortiGate-620B Cluster in NAT/Route mode. Port1 (172.20.120.141) faces the Internet and hosts the SIP Virtual IP 172.20.120.50; Port2 faces the private network. SIP Phone A (PhoneA@10.31.101.20) and the SIP proxy server (10.31.101.50) are on the private network; SIP Phone B (PhoneB@172.20.120.30) is on the Internet.]

Phone B sends an INVITE request for Phone A to the SIP Proxy Server Virtual IP (SDP 172.20.120.30:4900):

INVITE sip:PhoneA@172.20.120.50 SIP/2.0
Via: SIP/2.0/UDP 172.20.120.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@172.20.120.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30

v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 4900 RTP 0 3

SIP ALG creates Pinhole 1. Accepts traffic on Port2 with destination address:port numbers 172.20.120.30:4900 and 4901.

The SIP ALG performs destination NAT on the INVITE request and forwards it to the SIP proxy server.

The SIP proxy server forwards the INVITE request to Phone A (SDP: 172.20.120.30:4900):

INVITE sip:PhoneA@10.31.101.50 SIP/2.0
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@10.31.101.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30

v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 4900 RTP 0 3

 

To simplify the diagrams, some SIP messages are not included (for example, the Ringing and ACK response messages) and some SIP header lines and SDP profile lines have been removed from the SIP messages.

The SIP ALG also translates the destination addresses in the SIP message from the virtual IP address (172.20.120.50) to the SIP proxy server address (10.31.101.50). For this configuration to work, the SIP proxy server must be able to change the destination addresses for Phone A in the SIP message from the address of the SIP proxy server to the actual address of Phone A.

The SIP ALG also opens a pinhole on the Port2 interface that accepts media sessions from the private network to SIP Phone B using ports 4900 and 4901.

Phone A sends a 200 OK response back to the SIP proxy server. The SIP proxy server forwards the response to Phone B. The FortiGate unit accepts the 100 OK response. The SIP ALG translates the Phone A addresses back to the SIP proxy server virtual IP address before forwarding the response back to Phone B. The SIP ALG also opens a pinhole using the SIP proxy server virtual IP, which is the address in the o= line of the SDP profile, and the port number in the m= line of the SDP profile.

 

SIP destination NAT scenario part 2: 200 OK returned to Phone B and media streams established

[Figure: FortiGate-620B Cluster in NAT/Route mode. Port2 faces the private network; the SIP Virtual IP is 172.20.120.50. SIP Phone A (PhoneA@10.31.101.20) and the SIP proxy server (10.31.101.50) are on the private network; SIP Phone B (PhoneB@172.20.120.30) is on the Internet.]

Phone A sends a 200 OK response to the SIP proxy server (SDP: 10.31.101.20:8888).

The SIP proxy server forwards the response to Phone B (SDP: 10.31.101.20:8888):

SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@10.31.101.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30

v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 10.31.101.20
m=audio 5500 RTP 0

The SIP ALG NATs the SDP address to the Virtual IP address before forwarding the response to Phone B (SDP: 172.20.120.50:5500):

SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.20.120.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@172.20.120.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30

v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.50
m=audio 5500 RTP 0

Pinhole 1: Phone A sends RTP and RTCP media sessions to Phone B through pinhole 1. Destination address:port numbers 172.20.120.30:4900 and 4901.

Pinhole 2 created. Accepts traffic on Port1 with destination address:port numbers 172.20.120.50:5500 and 5501.

Pinhole 2: Phone B sends RTP and RTCP media sessions to Phone A through pinhole 2. Destination address:port numbers 172.20.120.50:5500 and 5501. The SIP ALG NATs the destination address to 10.31.101.20.

The media stream from Phone A is accepted by pinhole 1 and forwarded to Phone B. The source address of this media stream is changed to the SIP proxy server virtual IP address. The media stream from Phone B is accepted by pinhole 2 and forwarded to Phone B. The destination address of this media stream is changed to the IP address of Phone A.
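The translation steps in both figures (virtual IP to proxy address on the inbound INVITE, private SDP address to virtual IP on the outbound 200 OK, and the two pinholes that then admit and re-address the RTP/RTCP streams) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not FortiGate code and makes no claim about how FortiOS implements the ALG internally. The SipAlg class, the Pinhole record and the message samples are constructed here from the addresses and SIP/SDP lines shown above; CRLF line endings and all headers not shown in the figures are omitted.

```python
"""Toy model of the SIP ALG destination-NAT scenario described above (added example)."""
import re
from dataclasses import dataclass, field

# Addresses taken from the scenario in the text.
VIP = "172.20.120.50"      # SIP virtual IP reachable on Port1 (Internet side)
PROXY = "10.31.101.50"     # SIP proxy server on the private network (Port2 side)
PHONE_A = "10.31.101.20"
PHONE_B = "172.20.120.30"


@dataclass(frozen=True)
class Pinhole:
    """Traffic the ALG admits: interface, destination address, RTP and RTCP ports."""
    iface: str
    dst_ip: str
    ports: tuple


@dataclass
class SipAlg:
    pinholes: list = field(default_factory=list)
    phone_a_media: str = ""    # private media address learned from the 200 OK's c= line

    @staticmethod
    def _sdp_media(msg: str):
        """Return (c= address, m= port) from the SDP body, or None if there is no media."""
        c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
        m = re.search(r"^m=audio (\d+) ", msg, re.M)
        return (c.group(1), int(m.group(1))) if c and m else None

    def inbound_invite(self, msg: str) -> str:
        """Internet -> private: every occurrence of the VIP in the request becomes the
        proxy address, and pinhole 1 admits Phone A's media towards Phone B's SDP address."""
        media = self._sdp_media(msg)
        if media:
            ip, port = media
            self.pinholes.append(Pinhole("Port2", ip, (port, port + 1)))
        return msg.replace(VIP, PROXY)

    def outbound_200ok(self, msg: str) -> str:
        """Private -> Internet: the proxy address and Phone A's private SDP address both
        become the VIP, and pinhole 2 admits Phone B's media sent to VIP:port, VIP:port+1."""
        media = self._sdp_media(msg)
        out = msg.replace(PROXY, VIP)
        if media:
            ip, port = media
            self.phone_a_media = ip
            self.pinholes.append(Pinhole("Port1", VIP, (port, port + 1)))
            out = out.replace(ip, VIP)
        return out

    def forward_media(self, iface: str, src_ip: str, dst_ip: str, dst_port: int):
        """Apply the pinholes to a UDP datagram. Returns the translated
        (src_ip, dst_ip, dst_port) or None when no pinhole admits the packet."""
        for ph in self.pinholes:
            if ph.iface == iface and ph.dst_ip == dst_ip and dst_port in ph.ports:
                if iface == "Port2":   # Phone A -> Phone B: source NAT to the VIP
                    return (VIP, dst_ip, dst_port)
                # Phone B -> Phone A: destination NAT from the VIP to Phone A
                return (src_ip, self.phone_a_media, dst_port)
        return None


# Constructed samples built from the SIP messages shown in the figures.
INVITE = "\n".join([
    f"INVITE sip:PhoneA@{VIP} SIP/2.0", f"Via: SIP/2.0/UDP {VIP}:5060",
    f"From: PhoneB <sip:PhoneB@{PHONE_B}>", f"To: PhoneA <sip:PhoneA@{VIP}>",
    f"Call-ID: 314134@{PHONE_B}", "CSeq: 1 INVITE", f"Contact: sip:PhoneB@{PHONE_B}", "",
    "v=0", f"o=PhoneB 2346 134 IN IP4 {PHONE_B}", f"c=IN IP4 {PHONE_B}", "m=audio 4900 RTP 0 3"])
OK_200 = "\n".join([
    "SIP/2.0 200 OK", f"Via: SIP/2.0/UDP {PROXY}:5060",
    f"From: PhoneB <sip:PhoneB@{PHONE_B}>", f"To: PhoneA <sip:PhoneA@{PROXY}>",
    f"Call-ID: 314134@{PHONE_B}", "CSeq: 1 INVITE", f"Contact: sip:PhoneB@{PHONE_B}", "",
    "v=0", f"o=PhoneB 2346 134 IN IP4 {PHONE_B}", f"c=IN IP4 {PHONE_A}", "m=audio 5500 RTP 0"])


def run_scenario() -> dict:
    """Walk the two figures end to end and return the translated artefacts."""
    alg = SipAlg()
    invite_out = alg.inbound_invite(INVITE)
    ok_out = alg.outbound_200ok(OK_200)
    return {
        "invite": invite_out, "ok": ok_out, "pinholes": list(alg.pinholes),
        "a_to_b": alg.forward_media("Port2", PHONE_A, PHONE_B, 4900),
        "b_to_a": alg.forward_media("Port1", PHONE_B, VIP, 5501),
        "stray": alg.forward_media("Port1", PHONE_B, VIP, 6000),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"--- {k}\n{v}")
```

Note that the model only admits media to the exact address:port pairs advertised in the SDP, which is the detection-relevant property of an ALG pinhole: any datagram to the VIP on a port that no SIP exchange negotiated (the "stray" case) is dropped rather than forwarded into the private network.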

