SIP NAT configuration example: source address translation (source NAT)

SIP NAT configuration example: source address translation (source NAT)

This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
  3. Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

Configuration steps – GUI

To add firewall addresses for the SIP phones

  1. Go to Policy & Objects > Addresses.
  2. Add the following addresses for Phone A and Phone B:
Category Address
Name Phone_A
Type IP/Netmask
Subnet / IP Range 10.31.101.20/255.255.255.255
Interface Internal

SIP NAT configuration example: source address translation (source

Category Address
Name Phone_B
Type IP/Netmask
Subnet / IP Range 172.20.120.30/255.255.255.255
Interface wan1

To add security policies to apply the SIP ALG to SIP sessions

  1. Go to Policy & Objects > Policy > IPv4.
  2. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface   internal
Outgoing Interface   wan1
Source   Phone_A
Destination Address   Phone_B
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.
  4. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface   wan1
Outgoing Interface   internal
Source   Phone_B
Destination Address   Phone_A
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions

  1. Enter the following command to add firewall addresses for Phone A and Phone B. config firewall address edit Phone_A set associated interface internal set type ipmask

set subnet 10.31.101.20 255.255.255.255

next edit Phone_B set associated interface wan1 set type ipmask

set subnet 172.20.120.30 255.255.255.255

end

  1. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy edit 0 set srcintf internal set dstintf wan1 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default

next edit 0 set srcintf wan1 set dstintf internal set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end

This entry was posted in Administration Guides, FortiGate, Fortinet, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.