How the SIP ALG translates IP addresses in the SIP body

Leave a reply

How the SIP ALG translates IP addresses in the SIP body

The SDP session profile attributes in the SIP body include IP addresses and port numbers that the SIP ALG uses to create pinholes for the media stream.

The SIP ALG translates IP addresses and port numbers in the o=, c=, and m= SDP lines. For example, in the following lines the ALG could translate the IP addresses in the o= and c= lines and the port number (49170) in the m= line.

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 c=IN IP4 10.31.101.20

m=audio 49170 RTP 0 3

If the SDP session profile includes multiple RTP media streams, the SIP ALG opens pinholes and performs the required address translation for each one.

The two most important SDP attributes for the SIP ALG are c= and m=. The c= attribute is the connection information attribute. This field can appear at the session or media level. The syntax of the connection attribute is:

Where

c=IN {IPV4 | IPV6} <destination_ip_address>

  • IN is the network type. FortiGate units support the IN or Internet network type.
  • {IPV4 | IPV6} is the address type. FortiGate units support IPv4 or IPv6 addresses in SDP statements.

However, FortiGate units do not support all types of IPv6 address translation. See “SIP over IPv6”.

  • <destination_IP_address> is the unicast numeric destination IP address or domain name of the connection in either IPv4 or IPv6 format.

The syntax of the media attribute is:

Where

m=audio <port_number> RTP <format_list>

  • audio is the media type. FortiGate units support the audio media type.
  • <port_number> is the destination port number used by the media stream.
  • RTP is the application layer transport protocol used for the media stream. FortiGate units support the Real Time Protocol (RTP) transport protocol.
  • <format_list> is the format list that provides information about the application layer protocol that the media uses.

How the SIP ALG translates IP addresses in SIP headers

Leave a reply

How the SIP ALG translates IP addresses in SIP headers

The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in SIP headers. For example, the following SIP message contains most of the SIP fields that contain addresses that need to be translated:

INVITE PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 172.20.120.50:5434

From: PhoneA@10.31.101.20

To: PhoneB@172.20.120.30

Call-ID: a12abcde@172.20.120.50

Contact: PhoneA@10.31.101.20:5434

Route: <sip:example@172.20.120.50:5060>

Record-Route: <sip:example@172.20.120.50:5060>

How IP address translation is performed depends on whether source NAT or destination NAT is applied to the session containing the message:

 

Source NAT translation of IP addresses in SIP messages

Source NAT translation occurs for SIP messages sent from a phone or server on a private network to a phone or server on the Internet. The source addresses in the SIP header fields of the message are typically set to IP addresses on the private network. The SIP ALG translates these addresses to the address the FortiGate unit interface connected to the Internet.

 

Source NAT translation of IP addresses in SIP request messages

SIP header              NAT action

To:                             None

From:                        Replace private network address with IP address of FortiGate unit interface connected to the Internet.

CallID:                      Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Via:                            Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Request-URI:            None

SIP header              NAT action

Contact:                    Replace private network address with IP address of FortiGate unit interface connected to the Internet.

RecordRoute:         Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Route:                       Replace private network address with IP address of FortiGate unit interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate unit interface connected to the Internet where the destination addresses are translated back to addresses on the private network before forwarding the SIP response message to the private network.

 

Source NAT translation of IP addresses in SIP response messages

SIP header              NAT action

To:                             None

From:                        Replace IP address of FortiGate unit interface connected to the Internet with private network address.

CallID:                      Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Via:                            Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Request-URI:            N/A

Contact:                    None

RecordRoute:         Replace IP address of FortiGate unit interface connected to the Internet with private network address.

Route:                       Replace IP address of FortiGate unit interface connected to the Internet with private network address.

 

Destination NAT translation of IP addresses in SIP messages

Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate unit.

 

Destination NAT translation of IP addresses in SIP request messages

SIP header              NAT action

To:                             Replace VIP address with address on the private network as defined in the firewall vir- tual IP.

From:                        None

CallID:                      None

Via:                            None

Request-URI:            Replace VIP address with address on the private network as defined in the firewall vir- tual IP.

Contact:                    None

RecordRoute:         None

Route:                       None

SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.

 

Destination NAT translation of IP addresses in SIP response messages

SIP header              NAT action

To:                             None

From:                        Replace private network address with firewall VIP address.

CallID:                      None

Via:                            None

Request-URI:            N/A

Contact:                    Replace private network address with firewall VIP address.

RecordRoute:         Replace private network address with firewall VIP address.

Route:                       None

Call Re-invite messages

Leave a reply

Call Re-invite messages

SIP Re-INVITE messages can dynamically add and remove media sessions during a call. When new media sessions are added to a call the SIP ALG opens new pinholes and update SIP dialog data. When media sessions are ended, the SIP ALG closes pinholes that are no longer needed and removes SIP dialog data.

How the SIP ALG performs NAT

Leave a reply

How the SIP ALG performs NAT

In most Network Address Translation (NAT) configurations, multiple hosts in a private network share a single public IP address to access the Internet. For sessions originating on the private network for the Internet, NAT replaces the private IP address of the PC in the private subnet with the public IP address of the NAT device. The NAT device converts the public IP address for responses from the Internet back into the private address before sending the response over the private network to the originator of the session.

Using NAT with SIP is more complex because of the IP addresses and media stream port numbers used in SIP message headers and bodies. When a caller on the private network sends a SIP message to a phone or SIP server on the Internet, the SIP ALG must translate the private network addresses in the SIP message to IP addresses and port numbers that are valid on the Internet. When the response message is sent back to the caller, the SIP ALG must translate these addresses back to valid private network addresses.

In addition, the media streams generated by the SIP session are independent of the SIP message sessions and use varying port numbers that can also change during the media session. The SIP ALG opens pinholes to accept these media sessions, using the information in the SIP messages to determine the pinholes to open. The ALG may also perform port translation on the media sessions.

When an INVITE message is received by the SIP ALG, the FortiGate unit extracts addressing and port number information from the message header and stores it in a SIP dialog table. Similar to an IP session table the data in the dialog table is used to translate addresses in subsequent SIP messages that are part of the same SIP call.

When the SIP ALG receives a response to the INVITE message arrives, (for example, an ACK or 200 OK), the SIP ALG compares the addresses in the message fields against the entries in the SIP dialog table to identify the call context of the message. The SIP ALG then translates addresses in the SIP message before forwarding them to their destination.

The addressing and port number information in SDP fields is used by the ALG to reserve ports for the media session and create a NAT mapping between them and the ports in the SDP fields. Because SDP uses sequential ports for the RTP and RTCP channels, the ALG provides consecutive even-odd ports.

 

Source address translation

When a SIP call is started by a phone on a private network destined for a phone on the Internet, only source address translation is required. The phone on the private network attempts to contact the actual IP address of the phone on the Internet. However, the source address of the phone on the private network is not routable on the Internet so the SIP ALG must translate all private IP addresses in the SIP message into public IP addresses.

To configure the FortiGate for source address translation you add security policy that accepts sessions from the internal network destined for the Internet. You must enable NAT for the security policy and add a VoIP profile.

When a SIP request is received from the internal to the external network, the SIP ALG replaces the private network IP addresses and port numbers in the SIP message with the IP address of the FortiGate interface connected to the Internet. Depending on the content of the message, the ALG translates addresses in the Via:, Contact:, Route:, and Record-Route: SIP header fields. The message is then forwarded to the destination (either a VoIP phone or a SIP server on the Internet).

The VoIP phone or server in the Internet sends responses to these SIP messages to the external interface of the FortiGate unit. The addresses in the response messages are translated back into private network addresses and the response is forwarded to the originator of the request.

For the RTP communication between the SIP phones, the SIP ALG opens pinholes to allow media through the FortiGate unit on the dynamically assigned ports negotiated based on information in the SDP and the Via:, Contact:, and Record-Route: header fields. The pinholes also allow incoming packets to reach the Contact:, Via:, and Record-Route: IP addresses and ports. When processing return traffic, the SIP ALG inserts the original Contact:, Via:, Route:, and Record-Route: SIP fields back into the packets.

 

Destination address translation

Incoming calls are directed from a SIP phone on the Internet to the interface of the FortiGate unit connected to the Internet. To receive these calls you must add a security policy to accept SIP sessions from the Internet. The security policy requires a firewall virtual IP. SIP INVITE messages from the Internet connect to the external IP address of the virtual IP. The SIP ALG uses the destination address translation defined in the virtual IP to translated the addresses in the SIP message to addresses on the private network.

When a 200 OK response message arrives from the private network, the SIP ALG translates the addresses in the message to Internet addresses and opens pinholes for media sessions from the private network to the Internet.

When the ACK message is received for the 200 OK, it is also intercepted by the SIP ALG. If the ACK message contains SDP information, the SIP ALG checks to determine if the IP addresses and port numbers are not changed from the previous INVITE. If they are, the SIP ALG deletes pinholes and creates new ones as required. The ALG also monitors the Via:, Contact:, and Record-Route: SIP fields and opens new pinholes as required.

Accepting SIP register responses

Leave a reply

Accepting SIP register responses

You can enable the VoIP profile open-via-pinhole options to accept a SIP Register response message from a SIP server even if the source port of the Register response message is different from the destination port.

Most SIP servers use 5060 as the source port in the SIP register response. Some SIP servers, however, may use a different source port. If your SIP server uses a different source port, you can enable open-via-pinhole and the SIP ALG will create a temporary pinhole when the Register request from a SIP client includes a different source port. The FortiGate unit will accept a SIP Register response with any source port number from the SIP server.

 

Enter the following command to enable accepting any source port from a SIP server:

config voip profile edit VoIP_Pro_1

config sip

set open-via-pinhole enable end

end

Opening and closing SIP register, contact, via and record-route pinholes

Leave a reply

Opening and closing SIP register, contact, via and record-route pinholes

You can use the open-register-pinhole, open-contact-pinhole, open-via-port, and open- record-route-pinhole VoIP profile CLI options to control whether the FortiGate unit opens various pinholes.

If open-register-pinhole is enabled (the default setting) the FortiGate unit opens pinholes for SIP Register request messages. You can disable open-register-pinhole so that the FortiGate unit does not open pinholes for SIP Register request messages.

If open-contact-pinhole is enabled (the default setting) the FortiGate unit opens pinholes for non-Register SIP request messages. You can disable open-contact-pinhole so that the FortiGate unit does not open pinholes for non-register requests. Non-register pinholes are usually opened for SIP INVITE requests.

If open-via-pinhole is disabled (the default setting) the FortiGate unit does not open pinholes for Via messages. You can enable open-via-pinhole so that the FortiGate unit opens pinholes for Via messages.

If open-record-route-pinhole is enabled (the default setting) the FortiGate unit opens pinholes for Record-Route messages. You can disable open-record-route-pinhole so that the FortiGate unit does not open pinholes for Record-Route messages.

Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate unit. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request.

You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or non- register request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users, and requires refreshing which can take a relatively long amount of time if there are thousands of active calls.

To configure a VoIP profile to prevent opening register and non-register pinholes:

config voip profile edit VoIP_Pro_1

config sip

end

set open-register-pinhole disable set open-contact-pinhole disable

end

 

In some cases you may not want to open pinholes for the port numbers specified in SIP Contact headers. For example, in an interconnect scenario when a FortiGate unit is installed between two SIP servers and the only SIP traffic through the FortiGate unit is between these SIP servers pinholes may not need to be opened for the port numbers specified in the Contact header lines.

If you disable open-register-pinhole then pinholes are not opened for ports in Contact header lines in SIP Register messages. If you disable open-contact-pinhole then pinholes are not opened for ports in Contact header lines in all SIP messages except SIP Register messages.

RTP enable/disable (RTP bypass)

Leave a reply

RTP enable/disable (RTP bypass)

You can configure the SIP ALG to stop from opening RTP pinholes. Called RTP bypass, this configuration can be used when you want to apply SIP ALG features to SIP signalling messages but do not want the RTP media streams to pass through the FortiGate unit. The FortiGate unit only acts as a signalling firewall and RTP media session bypass the FortiGate unit and no pinholes need to be created.

Enter the following command to enable RTP bypass in a VoIP profile by disabling opening RTP pinholes:

config voip profile edit VoIP_Pro_1

config sip

set rtp disable end

end

Configuration example: SIP in Transparent Mode

Leave a reply

Configuration example: SIP in Transparent Mode

The figure below hows an example SIP network consisting of a FortiGate unit operating in Transparent mode between two SIP phones. Since the FortiGate unit is operating in Transparent mode both phones are on the same network and the FortiGate unit and the SIP ALG does not perform NAT. Even though the SIP ALG is not performing NAT you can use this configuration to apply SIP security features to the SIP traffic.

The FortiGate unit requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A.

 

SIP network with FortiGate unit in Transparent mode

o

Po                                                         Port2

 

SIP Phone A (PhoneA@10.31.101.20)

rt1                                                     P

FortiGate unit in Transparent mode SIP Phone B (PhoneB@10.31.101.30)

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the security service to ANY to allow traffic other than SIP on UDP port 5060.

1. Add firewall addresses for Phone A and Phone B.

2. Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.

3. Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

 

Configuration steps – web-based manage

Before you begin this procedure you may have to go to System > Feature Select and turn on VoIP.

 

To add firewall addresses for the SIP phones

1. Go to Policy & Objects > Addresses.

2. Add the following addresses for Phone A and Phone B:

Category                                     Address

Name                                          Phone_A

Type                                            IP/Netmask

Subnet / IP Range                     10.31.101.20/255.255.255.255

Interface                                     port1

Category                                     Address

Name                                          Phone_B

Type                                            IP/Netmask

Subnet / IP Range                     10.31.101.30/255.255.255.255

Interface                                     port2

 

To add security policies to apply the SIP ALG to SIP sessions

1. Go to Policy & Objects > IPv4 Policy.

2. Add a security policy to allow Phone A to send SIP request messages to Phone B:

Incoming Interface                   port1

Outgoing Interface                   port2

Source                                        Phone_A

Destination Address                 Phone_B

Schedule                                    always

Service                                       SIP

Action                                         ACCEPT

3. Turn on VoIP and select the default VoIP profile.

4. Select OK.

5. Add a security policy to allow Phone B to send SIP request messages to Phone A:

Incoming Interface                   port2

Outgoing Interface                   port1

Source                                        Phone_B

Destination Address                 Phone_A

Schedule                                    always

Service                                       SIP

Action                                         ACCEPT

6. Turn on VoIP and select the default VoIP profile.

7. Select OK.

 

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP

sessions

1. Enter the following command to add firewall addresses for Phone A and Phone B.

config firewall address edit Phone_A

set associated-interface port1 set type ipmask

set subnet 10.31.101.20 255.255.255.255 next

edit Phone_B

set associated-interface port2 set type ipmask

set subnet 10.31.101.30 255.255.255.255 end

2. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B

and Phone B to send SIP request messages to Phone A.

config firewall policy edit 0

set srcintf port1 set dstintf port2 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP

set utm-status enable

set voip-profile default next

edit 0

set srcintf port2 set dstintf port1 set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP

set utm-status enable

set voip-profile default

end