Hosted NAT traversal
With the increase in the use of VoIP and other media traffic over the Internet, service provider network administrators must defend their networks from threats while allowing voice and multimedia traffic to flow transparently between users and servers and among users. A common scenario involves providing SIP VoIP services for customers with SIP phones installed behind NAT devices that are not SIP aware. NAT devices that are not SIP aware cannot translate the IP addresses in SIP headers and SDP lines inside SIP packets, but they do perform source NAT on the source addresses of the packets themselves. In this scenario the users' SIP phones communicate with a SIP proxy server to set up calls between SIP phones. Once a call is set up, RTP packets are exchanged directly between the phones through each user's NAT device.
The problem with this configuration is that the SIP headers and SDP lines in the SIP packets sent from the phones and received by the SIP proxy server contain the private network addresses of the VoIP phones, which are not routable on the service provider network or on the Internet. One solution would be for each customer to install and configure a SIP aware NAT device. If this is not possible, another solution is to implement hosted NAT traversal.
In a hosted NAT traversal (HNT) configuration, a FortiGate unit is installed between the NAT device and the SIP proxy server and configured with a VoIP profile that enables SIP hosted NAT traversal. Security policies that include the VoIP profile also support destination NAT using a firewall virtual IP. When the SIP phones connect to the SIP server IP address the security policy accepts the SIP packets, the virtual IP translates the destination addresses of the packets to the SIP server IP address, and the SIP ALG NAT traversal configuration translates the source IP addresses on the SIP headers and SDP lines to the source address of the SIP packets (which would be the external IP address of the NAT devices). The SIP server then sees the SIP phone IP address as the external IP address of the NAT device. As a result SIP and RTP media sessions are established using the external IP addresses of the NAT devices instead of the actual IP addresses of the SIP phones.
FortiGate SIP Hosted NAT Traversal configuration (diagram)
The diagram shows: a VoIP Session Controller (SIP server, for example a FortiGate Voice unit); a FortiGate unit with the SIP ALG configured for hosted NAT traversal, presenting the SIP Server VIP 10.21.101.10; the Service Provider Network; three NAT devices that are not SIP aware, two of them at 10.11.101.10 and 10.11.101.20; SIP Phone A (PhoneA@192.168.10.1), SIP Phone B (PhoneB@192.168.20.1) and SIP Phone C (PhoneC@192.168.30.1) behind those NAT devices; SIP + RTP links from the phones, SIP between the FortiGate unit and the SIP server, and an RTP media session directly between the NAT devices. The address 172.20.120.141 also appears on the SIP server side of the diagram.
Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
The following address translation takes place to allow a SIP call from SIP Phone A to SIP Phone B in the above diagram.
1. SIP Phone A sends a SIP Invite message to the SIP server. Packet source IP address: 192.168.10.1, destination IP address: 10.21.101.10.
2. The SIP packets are received by the NAT device which translates the source address of the SIP packets from 192.168.10.1 to 10.11.101.20.
3. The SIP packets are received by the FortiGate unit which translates the packet destination IP address to 10.30.120.20. The SIP ALG also translates the IP address of the SIP phone in the SIP header and SDP lines from 192.168.10.1 to 10.11.101.20.
4. The SIP server accepts the Invite message and forwards it to SIP Phone B at IP address 10.11.101.20. The SIP server has this address for SIP Phone B because SIP packets from SIP Phone B have also been translated using the hosted NAT traversal configuration of the SIP ALG.
5. When the SIP call is established, the RTP session is between 10.11.101.10 and 10.11.101.20 and does not pass through the FortiGate unit. The NAT devices translate the destination address of the RTP packets to the private IP addresses of the SIP phones.
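The following Python model is an added example, not code from the Fortinet documentation or from FortiOS: it reproduces steps 2 and 3 above on a constructed INVITE (the SIP message text, the VIP table and the set of rewritten lines are assumptions; the addresses are the ones used on this page).

```python
import re

# Constructed sample: the INVITE from SIP Phone A after its non-SIP-aware NAT
# has changed the IP header source to 10.11.101.20 but left the private
# address 192.168.10.1 in the SIP headers and SDP (addresses from the page).
PKT_SRC_IP = "10.11.101.20"
PKT_DST_IP = "10.21.101.10"                    # SIP server VIP on the FortiGate
VIP_TABLE = {"10.21.101.10": "10.30.120.20"}   # extip -> mappedip
INVITE = "\r\n".join([
    "INVITE sip:PhoneB@10.21.101.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.1:5060;branch=z9hG4bK776",
    "From: <sip:PhoneA@192.168.10.1>;tag=1928301774",
    "To: <sip:PhoneB@10.21.101.10>",
    "Contact: <sip:PhoneA@192.168.10.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=PhoneA 2890844526 2890844526 IN IP4 192.168.10.1",
    "c=IN IP4 192.168.10.1",
    "m=audio 49170 RTP/AVP 0",
])
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Lines that carry the sending phone's own address; this model rewrites these
# (Via, Contact, SDP o= and c=) to the packet source IP, as the page describes.
REWRITE_PREFIXES = ("Via:", "Contact:", "o=", "c=")

def hnt_rewrite(msg, pkt_src_ip):
    """Return (rewritten message, list of (field, old_ip, new_ip))."""
    out, changes = [], []
    for line in msg.split("\r\n"):
        if line.startswith(REWRITE_PREFIXES):
            m = IPV4.search(line)
            if m and m.group() != pkt_src_ip:
                field = line[:2] if line[1:2] == "=" else line.split(":")[0]
                changes.append((field, m.group(), pkt_src_ip))
                line = line[:m.start()] + pkt_src_ip + line[m.end():]
        out.append(line)
    return "\r\n".join(out), changes

def forward_invite(msg, src_ip, dst_ip):
    """FortiGate side of steps 2 and 3: VIP destination NAT, then ALG rewrite.
    Returns None when no VIP matches (the policy would not accept the packet)."""
    mapped = VIP_TABLE.get(dst_ip)
    if mapped is None:
        return None
    sip, changes = hnt_rewrite(msg, src_ip)
    return {"src": src_ip, "dst": mapped, "sip": sip, "changes": changes}

if __name__ == "__main__":
    result = forward_invite(INVITE, PKT_SRC_IP, PKT_DST_IP)
    print(result["dst"], result["changes"])
```

The To header and request URI are left alone, so the server still sees the call addressed to itself while every address that identifies Phone A now points at the NAT device's public side.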
General configuration steps
The following general configuration steps are required for this destination NAT SIP configuration. This example uses the default VoIP profile.
1. Add a VoIP profile that enables hosted NAT traversal.
2. Add a SIP proxy server firewall virtual IP.
3. Add a firewall address for the SIP proxy server on the private network.
4. Add a destination NAT security policy that accepts SIP sessions from the Internet destined for the SIP proxy server virtual IP and translates the destination address to the IP address of the SIP proxy server on the private network.
5. Add a security policy that accepts SIP sessions initiated by the SIP proxy server and destined for the Internet.
Configuration steps – web-based manager
To add the SIP proxy server firewall virtual IP
1. Go to Policy & Objects > Virtual IPs.
2. Add the SIP proxy server virtual IP.
Name SIP_Proxy_VIP
External Interface port1
Type Static NAT
External IP Address/Range 172.20.120.50
Mapped IP Address/Range 10.31.101.50
To add a firewall address for the SIP proxy server
1. Go to Policy & Objects > Addresses.
2. Add the following for the SIP proxy server:
Category Address
Name SIP_Proxy_Server
Type Subnet
Subnet / IP Range 10.31.101.50/255.255.255.255
Interface port2
To add the security policies
1. Go to Policy & Objects > IPv4 Policy.
2. Add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.
Incoming Interface port1
Outgoing Interface port2
Source all
Destination Address SIP_Proxy_VIP
Schedule always
Service SIP
Action ACCEPT
3. Turn on NAT and select Use Outgoing Interface Address.
4. Turn on VoIP and select the default VoIP profile.
5. Select OK.
6. Add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the Internet:
Incoming Interface port2
Outgoing Interface port1
Source SIP_Proxy_Server
Destination Address all
Schedule always
Service SIP
Action ACCEPT
7. Turn on NAT and select Use Outgoing Interface Address.
8. Turn on VoIP and select the default VoIP profile.
9. Select OK.
Configuration steps – CLI
To add a VoIP profile that enables hosted NAT traversal
1. Enter the following command to add a VoIP profile named HNT that enables hosted NAT traversal. The command clones the default VoIP profile and enables hosted NAT traversal in the clone.
config voip profile
    clone default to HNT
    edit HNT
        config sip
            set hosted-nat-traversal enable
        end
    end
To add the SIP proxy server firewall virtual IP and firewall address
1. Enter the following command to add the SIP proxy server firewall virtual IP.
config firewall vip
    edit SIP_Proxy_VIP
        set type static-nat
        set extip 10.21.101.10
        set mappedip 10.30.120.20
        set extintf port1
    end
2. Enter the following command to add the SIP proxy server firewall address.
config firewall address
    edit SIP_Proxy_Server
        set associated-interface port2
        set type ipmask
        set subnet 10.30.120.20 255.255.255.255
    end
To add security policies
1. Enter the following command to add a destination NAT security policy that includes the SIP proxy server virtual IP and allows Phone A to send SIP request messages to the SIP proxy server.
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr SIP_Proxy_VIP
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile HNT
    end
2. Enter the following command to add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B:
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr SIP_Proxy_Server
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    end
Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
The following address translation takes place to allow a SIP call from SIP Phone A to SIP Phone C in the previous diagram.
1. SIP Phone A sends a SIP Invite message to the SIP server. Packet source IP address: 192.168.10.1 and destination IP address: 10.21.101.10.
2. The SIP packets are received by the NAT device which translates the source address of the SIP packets from 192.168.10.1 to 10.11.101.20.
3. The SIP packets are received by the FortiGate unit which translates the packet destination IP address to 10.30.120.20. The SIP ALG also translates the IP address of the SIP phone in the SIP header and SDP lines from 192.168.10.1 to 10.11.101.20.
4. The SIP server accepts the Invite message and forwards it to SIP Phone C at IP address 172.20.120.30. The SIP server has this address for SIP Phone C because SIP packets from SIP Phone C have also been translated using the hosted NAT traversal configuration of the SIP ALG.
5. When the SIP call is established, the RTP session is between 10.11.101.10 and 172.20.120.30. The packets pass through the FortiGate unit which performs NAT as required.
Restricting the RTP source IP
Use the following command in a VoIP profile to restrict the RTP source IP to be the same as the SIP source IP when hosted NAT traversal is enabled.
config voip profile
    edit VoIP_HNT
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    end
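As an added example that is not part of the Fortinet documentation, the following Python models what hnt-restrict-source-ip changes for the RTP pinhole the ALG learns from the rewritten SDP of the call above (the SDP text, the pinhole model and the packet list are constructed; 10.11.101.77 is an address not on this page, standing in for a host that took no part in the SIP exchange).

```python
import re

# Constructed SDP as it leaves the FortiGate after the hosted NAT traversal
# rewrite: the media address is now the NAT device's public address
# 10.11.101.20, which is also the address the SIP signalling arrived from.
SIP_SRC_IP = "10.11.101.20"
SDP = "v=0\r\nc=IN IP4 10.11.101.20\r\nm=audio 49170 RTP/AVP 0\r\n"

def learn_pinhole(sdp, sip_src_ip):
    """Model of the RTP pinhole opened for one call: media address and source
    port from the SDP c=/m= lines, plus the SIP source IP for the restriction."""
    media_ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    rtp_port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return {"media_ip": media_ip, "rtp_port": rtp_port, "sip_src_ip": sip_src_ip}

def rtp_accepted(pinhole, pkt_src_ip, pkt_src_port, restrict_source_ip):
    """With hnt-restrict-source-ip enabled, RTP from the phone must come from the
    same IP as its SIP signalling; disabled, any source may use the open port."""
    if pkt_src_port != pinhole["rtp_port"]:
        return False
    if restrict_source_ip and pkt_src_ip != pinhole["sip_src_ip"]:
        return False
    return True

# Constructed RTP packets as (source IP, source port): legitimate media from
# the NAT device, media from an unrelated host (constructed address), and a
# packet on a port the SDP never advertised.
SAMPLE_RTP = [("10.11.101.20", 49170), ("10.11.101.77", 49170), ("10.11.101.20", 5004)]

def evaluate(restrict_source_ip):
    pinhole = learn_pinhole(SDP, SIP_SRC_IP)
    return [rtp_accepted(pinhole, s, p, restrict_source_ip) for s, p in SAMPLE_RTP]

if __name__ == "__main__":
    print("restricted:", evaluate(True), "unrestricted:", evaluate(False))
```

With the restriction enabled only the first packet passes; without it the second, from a host that never signalled, is accepted into the pinhole as well.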