Handbook

Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B

6.0.0

The following address translation takes place to allow a SIP call from SIP Phone A to SIP Phone B in the above diagram.

  1. SIP Phone A sends a SIP Invite message to the SIP server. Packet source IP address: 192.168.10.1, destination IP address: 10.21.101.10.
  2. The SIP packets are received by the NAT device which translates the source address of the SIP packets from 192.168.10.1 to 10.11.101.20.
  3. The SIP packets are received by the FortiGate which translates the packet destination IP address to 10.30.120.20. The SIP ALG also translates the IP address of the SIP phone in the SIP header and SDP lines from 192.168.10.1 to 10.11.101.20.
  4. The SIP server accepts the Invite message and forwards it to SIP Phone B at IP address 10.11.101.20. The SIP server has this address for SIP Phone B because SIP packets from SIP Phone B have also been translated using the hosted NAT traversal configuration of the SIP ALG.
  5. When the SIP call is established, the RTP session is between 10.11.101.10 and 10.11.101.20 and does not pass through the FortiGate. The NAT devices translated the destination address of the RTP packets to the private IP addresses of the SIP phones.
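
The header and SDP rewrite from step 3, as an added illustration that is not FortiOS code: the INVITE below is constructed (user names, tags, ports and Call-ID are made up), and the regex-based rewrite only models the address swap, not the ALG's port tracking or pinhole handling.

```python
import re

# Constructed sample: the INVITE as SIP Phone A emits it. The phone only knows
# its private address, so Via, Contact and the SDP o=/c= lines carry
# 192.168.10.1. User names, tags and ports are made up for illustration.
SDP = ("v=0\r\n"
       "o=phoneA 2890844526 2890844526 IN IP4 192.168.10.1\r\n"
       "s=call\r\n"
       "c=IN IP4 192.168.10.1\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:phoneB@10.21.101.10 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.10.1:5060;branch=z9hG4bK776asdhds\r\n"
          "From: <sip:phoneA@10.21.101.10>;tag=1928301774\r\n"
          "To: <sip:phoneB@10.21.101.10>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Contact: <sip:phoneA@192.168.10.1:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n"
          "\r\n" + SDP)

# Places where a UA advertises its own address: Via sent-by, Contact URI host,
# and the SDP origin (o=) and connection (c=) lines.
ADDR = re.compile(
    r"^(Via:\s*SIP/2\.0/\w+\s+|Contact:.*?@|[oc]=.*\bIN IP4 )(\d+(?:\.\d+){3})",
    re.M | re.I)

def advertised_ips(msg):
    """Return the set of addresses the endpoint advertises about itself."""
    return {m.group(2) for m in ADDR.finditer(msg)}

def hnt_rewrite(msg, packet_src_ip):
    """Swap advertised addresses for the source IP the packet arrived with."""
    head, _, body = msg.partition("\r\n\r\n")
    swap = lambda m: m.group(1) + packet_src_ip
    head, body = ADDR.sub(swap, head), ADDR.sub(swap, body)
    # The SDP body may change size, so Content-Length is recomputed.
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+",
                  lambda m: m.group(1) + str(len(body.encode())), head)
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    print("before:", advertised_ips(INVITE))
    print("after: ", advertised_ips(hnt_rewrite(INVITE, "10.11.101.20")))
```

The request line and the From/To headers are left untouched; only the fields that tell the server where to reach the phone are replaced with the post-NAT source address.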

General configuration steps

The following general configuration steps are required for this destination NAT SIP configuration. This example uses the default VoIP profile.

  1. Add a VoIP profile that enables hosted NAT translation.
  2. Add a SIP proxy server firewall virtual IP.
  3. Add a firewall address for the SIP proxy server on the private network.
  4. Add a destination NAT security policy that accepts SIP sessions from the Internet destined for the SIP proxy server virtual IP and translates the destination address to the IP address of the SIP proxy server on the private network.
  5. Add a security policy that accepts SIP sessions initiated by the SIP proxy server and destined for the Internet.

Configuration steps - GUI

To add the SIP proxy server firewall virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Add the SIP proxy server virtual IP.

     Name                        SIP_Proxy_VIP
     External Interface          port1
     Type                        Static NAT
     External IP Address/Range   172.20.120.50
     Mapped IP Address/Range     10.31.101.50

To add a firewall address for the SIP proxy server

  1. Go to Policy & Objects > Addresses.
  2. Add the following for the SIP proxy server:

     Category                    Address
     Name                        SIP_Proxy_Server
     Type                        Subnet
     Subnet / IP Range           10.31.101.50/255.255.255.255
     Interface                   port2

To add the security policies

  1. Go to Policy & Objects > IPv4 Policy.
  2. Add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.

     Incoming Interface          port1
     Outgoing Interface          port2
     Source                      all
     Destination Address         SIP_Proxy_VIP
     Schedule                    always
     Service                     SIP
     Action                      ACCEPT

  3. Turn on NAT and select Use Outgoing Interface Address.
  4. Turn on VoIP and select the default VoIP profile.
  5. Select OK.
  6. Add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the Internet:

     Incoming Interface          port2
     Outgoing Interface          port1
     Source                      SIP_Proxy_Server
     Destination Address         all
     Schedule                    always
     Service                     SIP
     Action                      ACCEPT

  7. Turn on NAT and select Use Outgoing Interface Address.
  8. Turn on VoIP and select the default VoIP profile.
  9. Select OK.

Configuration steps - CLI

To add a VoIP profile that enables hosted NAT translation

  1. Enter the following command to add a VoIP profile named HNT that enables hosted NAT traversal. This command shows how to clone the default VoIP profile and enable hosted NAT traversal.

       config voip profile
           clone default to HNT
           edit HNT
               config sip
                   set hosted-nat-traversal enable
               end
       end

To add the SIP proxy server firewall virtual IP and firewall address

  1. Enter the following command to add the SIP proxy server firewall virtual IP.

       config firewall vip
           edit SIP_Proxy_VIP
               set type static-nat
               set extip 10.21.101.10
               set mappedip 10.30.120.20
               set extintf port1
       end

  2. Enter the following command to add the SIP proxy server firewall address.

       config firewall address
           edit SIP_Proxy_Server
               set associated-interface port2
               set type ipmask
               set subnet 10.30.120.20 255.255.255.255
       end

To add security policies

  1. Enter the following command to add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone A to send SIP request messages to the SIP proxy server.

       config firewall policy
           edit 0
               set srcintf port1
               set dstintf port2
               set srcaddr all
               set dstaddr SIP_Proxy_VIP
               set action accept
               set schedule always
               set service SIP
               set nat enable
               set utm-status enable
               set profile-protocol-options default
               set voip-profile HNT
       end

  2. Enter the following command to add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B:

       config firewall policy
           edit 0
               set srcintf port2
               set dstintf port1
               set srcaddr SIP_Proxy_Server
               set dstaddr all
               set action accept
               set schedule always
               set service SIP
               set nat enable
               set utm-status enable
               set profile-protocol-options default
               set voip-profile default
       end
