Additional SIP NAT scenarios

This section lists some additional SIP NAT scenarios.


Source NAT (SIP and RTP)

In the source NAT scenario shown below, a SIP phone connects to the Internet through a FortiGate unit with an IP address configured using PPPoE. The SIP ALG translates all private IPs in the SIP contact header into public IPs.

You need to configure an internal to external SIP security policy with NAT selected, and include a VoIP profile with SIP enabled.

Figure: SIP source NAT. The SIP phone (10.72.0.57) on the private network reaches the Internet through the FortiGate unit, whose PPPoE address is 217.233.122.132. The SIP service provider has a SIP proxy server (217.10.79.9) and a separate RTP media server (217.10.69.11).


Destination NAT (SIP and RTP)

In the following destination NAT scenario, a SIP phone connects through the FortiGate unit to a private IP address that is a firewall virtual IP (VIP). The SIP ALG translates the SIP contact header to the IP address of the real SIP proxy server located on the Internet.

Figure: SIP destination NAT. The SIP service provider has a SIP proxy server (217.10.79.9) and a separate RTP media server (217.10.69.11) on the Internet; the SIP phone on the private network reaches them through a VIP (10.72.0.60) on the FortiGate unit.

In the scenario shown above, the SIP phone connects to a VIP (10.72.0.60). The SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and manages NAT.

The FortiGate unit also supports a variation of this scenario where the RTP media server’s IP address is hidden on a private network or DMZ.

Figure: SIP destination NAT, RTP media server hidden. A SIP phone on the Internet (219.29.81.21) connects to the FortiGate unit's public address 217.233.90.60, a VIP that maps to the SIP proxy server (10.0.0.60); the RTP media server (192.168.200.99) sits on the private network or DMZ behind that same public address.

In the scenario shown above, a SIP phone connects to the Internet. The VoIP service provider publishes only a single public IP address. The FortiGate unit is configured with a firewall VIP. The SIP phone connects to the FortiGate unit (217.233.90.60) and, using the VIP, the FortiGate unit translates the SIP contact header to the SIP proxy server IP address (10.0.0.60). The SIP proxy server also sets the SIP/SDP connection information (which tells the SIP phone which RTP media server IP it should contact) to 217.233.90.60.


Source NAT with an IP pool

You can choose NAT with the Dynamic IP Pool option when configuring a security policy if the source IP of the SIP packets is different from the interface IP. The FortiGate ALG interprets this configuration and translates the SIP header accordingly.

This configuration also applies to destination NAT.
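As an added configuration example (not taken from this page or from Fortinet's own documentation), the FortiOS CLI equivalent of the source NAT policy described under "Source NAT (SIP and RTP)" and of the IP pool variant described just above. The interface names `internal` and `wan1`, the profile name `sip-alg`, the pool name `sip-pool`, the pool range, and the policy IDs are assumptions; the phone and FortiGate addresses are those in the source NAT figure. Both variants are shown in one block so the difference is visible; in practice a given phone would match only one of the two policies.

```fortios
# Added example: FortiOS CLI for the SIP source NAT scenarios.
# Interface names (internal, wan1), object names, policy IDs and the
# pool range 217.233.122.140-217.233.122.143 are assumptions.

# 1. VoIP profile with the SIP ALG enabled. The ALG rewrites the private
#    addresses in the SIP headers and SDP, and "rtp enable" lets it open
#    the RTP pinholes when a call is set up.
config voip profile
    edit "sip-alg"
        config sip
            set status enable
            set rtp enable
        end
    next
end

# 2a. Internal -> external policy. "set nat enable" without an IP pool
#     translates the SIP phone (10.72.0.57) to the wan1 (PPPoE) address,
#     217.233.122.132 in the figure, and the ALG writes that address into
#     the SIP contact header.
config firewall policy
    edit 1
        set name "sip-snat-interface-ip"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set utm-status enable
        set voip-profile "sip-alg"
    next
end

# 2b. Same policy with a dynamic IP pool: the SIP packets now leave with
#     a pool address rather than the wan1 address, and the ALG translates
#     the SIP header to that pool address instead.
config firewall ippool
    edit "sip-pool"
        set type overload
        set startip 217.233.122.140
        set endip 217.233.122.143
    next
end
config firewall policy
    edit 2
        set name "sip-snat-ippool"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set ippool enable
        set poolname "sip-pool"
        set utm-status enable
        set voip-profile "sip-alg"
    next
end
```

The VoIP profile only takes effect when the policy has `utm-status` enabled and the profile attached; without it the policy still NATs the SIP signalling but nothing rewrites the contact header, so the proxy replies to an unreachable private address. On FortiOS builds that offer both the SIP ALG and the kernel session helper, check that the unit is using the ALG (`config system settings`, `set default-voip-alg-mode proxy-based`), since the pinhole and header-translation behaviour described on this page is the ALG's.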


Different source and destination NAT for SIP and RTP

This is a more complex scenario that a SIP service provider may use. It can also be deployed in large-scale SIP environments where RTP has to be processed by the FortiGate unit and the RTP server IP has to be translated differently than the SIP server IP.

Figure: Different source and destination NAT for SIP and RTP. The SIP phone (219.29.81.20) and the media gateway / RTP server (219.29.81.10) are on the Internet. The SIP VIP 217.233.90.60 maps to the SIP server (10.0.0.60) and the RTP VIP 217.233.90.65 maps to the RTP servers (192.168.0.21 – 192.168.0.23).

In this scenario, shown above, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to 217.233.90.65. What happens is as follows:

1. The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).

2. The SIP server carries out RTP to 217.233.90.65.

3. The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.

4. RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP contact header to 192.168.0.21.
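As an added configuration example (not from this page or from Fortinet), the VIPs and security policy for the two-VIP scenario just described: the SIP VIP 217.233.90.60 maps to the SIP server 10.0.0.60 and the RTP VIP 217.233.90.65 maps to the first RTP server 192.168.0.21, with the SIP ALG doing the header translation. The interface names `wan1` and `dmz`, the object names, and the policy ID are assumptions; the addresses are the page's. The single-VIP scenario under "Destination NAT (SIP and RTP)" uses the same pattern with only the SIP VIP, placed on the internal-facing interface and mapped to the proxy's public address.

```fortios
# Added example: VIPs and policy for "different source and destination
# NAT for SIP and RTP". Interface names (wan1, dmz), object names and
# the policy ID are assumptions; all addresses come from the scenario.

config firewall vip
    # SIP VIP: Internet-side 217.233.90.60 -> internal SIP server 10.0.0.60.
    # The ALG rewrites the contact header to 10.0.0.60 (step 1).
    edit "vip-sip"
        set extintf "wan1"
        set extip 217.233.90.60
        set mappedip "10.0.0.60"
    next
    # RTP VIP: 217.233.90.65 -> media server 192.168.0.21 (step 4).
    # Kept as a static one-to-one VIP with no port forwarding, because
    # the RTP ports are negotiated in SDP per call and the ALG opens
    # pinholes for whatever ports it sees (step 3).
    edit "vip-rtp"
        set extintf "wan1"
        set extip 217.233.90.65
        set mappedip "192.168.0.21"
    next
end

# VoIP profile: SIP ALG on, RTP pinholes on.
config voip profile
    edit "sip-alg"
        config sip
            set status enable
            set rtp enable
        end
    next
end

# Inbound policy from the Internet to both VIPs. SIP signalling matches
# this policy directly; the RTP streams are admitted through the pinholes
# the ALG opens from the SDP it inspects on the SIP leg.
config firewall policy
    edit 10
        set name "inbound-sip-rtp-vip"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-sip" "vip-rtp"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "sip-alg"
    next
end
```

Step 3 above is the caveat that matters operationally: the ALG can only open pinholes for the media ports it has seen in SDP. If the SIP leg does not traverse this policy, or the SDP is carried in a form the ALG does not parse, no pinholes are created and the RTP arriving at 217.233.90.65 is dropped as unsolicited traffic, so a one-way or silent call with a successful SIP exchange points at the RTP VIP or the profile rather than at the SIP server.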