Custom SIP RTP Port Range Support
The nat-port-range attribute of a Voice over IP (VoIP) profile restricts the Network Address Translation (NAT) port range that the SIP Application Layer Gateway (ALG) on a FortiGate uses for the Real-Time Transport Protocol and RTP Control Protocol (RTP/RTCP) packets of a Session Initiation Protocol (SIP) call session.
When NAT is enabled, or a VIP is used, in the firewall policy that hands a SIP call session to the SIP ALG, the ALG translates the ports of the RTP/RTCP packets as they pass through the FortiGate between the internal and external networks.
Previously, you could not configure the translated port range, and the fixed port range was [5117-65533]. Now you can control the translated port range for RTP/RTCP packets by using the CLI:
config voip profile
    edit <profile_name>
        set nat-port-range <start_port_number>-<end_port_number>
    next
end
The CLI help shows the accepted form and the default:
FGT(sip) # set nat-port-range ?
<start>-<end>    NAT port range (default 5117-65533)
A valid port range must lie within [5117-65533], with the start port no greater than the end port. For example: set nat-port-range 30000-30099.
This section provides a NAT example in which Phone1 is in subnet_1, and the SIP server and Phone2 are in subnet_2. All SIP signaling messages and RTP/RTCP packets pass through the SIP server. Phone1 uses 17078/17079 as its RTP/RTCP ports.
The FortiGate administrator wants ports 17078/17079 translated to 30000/30001. As a result, all RTP/RTCP packets leaving port2 have source ports 30000/30001, and all RTP/RTCP packets entering port2 have destination ports 30000/30001; this is the range specified in nat-port-range.
The topology is shown as follows:
The configuration is as follows (the policy ID is a placeholder; choose one that fits your policy table):
config voip profile
    edit natPortRange
        set nat-port-range 30000-30001   <-- translated RTP/RTCP port range
    next
end
config firewall policy
    edit <policy_id>
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set service SIP
        set action accept
        set schedule always
        set voip-profile natPortRange   <-- apply the VoIP profile to the SIP policy
        set nat enable                  <-- NAT must be enabled for the ALG to translate media ports
    next
end
Once Phone1 and Phone2 have registered to the SIP server and establish a call through the FortiGate and the SIP server, the FortiGate translates Phone1's RTP/RTCP ports 17078/17079 to 30000/30001 according to nat-port-range: RTP/RTCP packets egressing port2 carry source ports 30000/30001, and RTP/RTCP packets ingressing port2 carry destination ports 30000/30001. Note that a two-port range such as 30000-30001 holds only a single RTP/RTCP port pair; when several calls must be active at once, configure a range large enough for two ports per concurrent media stream, and confirm with a packet capture on port2 that media leaves with source ports inside the configured range.
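The following Python is an added example for this page, not FortiOS or Fortinet code. It validates a proposed nat-port-range value under the same constraints the CLI enforces, estimates how many concurrent media streams a range can hold, renders the voip profile and firewall policy from the example as CLI text, and checks constructed flow records for media crossing port2 with an untranslated port. The flow records are simplified UDP 5-tuples made up for the example, not FortiGate sniffer output; the assumptions that each stream consumes two consecutive ports and that UDP/5060 is SIP signaling rather than media are marked in the code.

```python
"""Validate a FortiGate voip-profile nat-port-range and verify that RTP/RTCP
flows crossing the WAN interface were actually translated into it.

Added example for this page; not FortiOS or Fortinet code.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Bounds documented for `set nat-port-range` (the default is the whole range).
NAT_PORT_MIN = 5117
NAT_PORT_MAX = 65533
SIP_SIGNALING_PORT = 5060  # assumption: signaling on UDP/5060, excluded from media checks


def parse_nat_port_range(value: str) -> Tuple[int, int]:
    """Parse '<start>-<end>' and apply the CLI's constraints:
    both ends within [5117-65533] and start <= end."""
    try:
        start_text, end_text = value.split("-", 1)
        start, end = int(start_text), int(end_text)
    except ValueError:
        raise ValueError(f"expected <start>-<end>, got {value!r}") from None
    if not NAT_PORT_MIN <= start <= end <= NAT_PORT_MAX:
        raise ValueError(
            f"{value} is not within [{NAT_PORT_MIN}-{NAT_PORT_MAX}] or start > end"
        )
    return start, end


def is_valid_nat_port_range(value: str) -> bool:
    """True when the CLI would accept the value."""
    try:
        parse_nat_port_range(value)
        return True
    except ValueError:
        return False


def max_concurrent_streams(start: int, end: int) -> int:
    """Each media stream needs an RTP/RTCP port pair (17078/17079 -> 30000/30001
    in the page's example), so a range of N ports holds at most N // 2 streams.
    Assumption: the ALG allocates exactly two consecutive ports per stream."""
    return (end - start + 1) // 2


def render_config(profile: str, start: int, end: int, lan_if: str, wan_if: str) -> str:
    """Render the voip profile and SIP policy from the page as FortiOS CLI text.
    The policy ID is left as a placeholder for the operator to choose."""
    lines = [
        "config voip profile",
        f"    edit {profile}",
        f"        set nat-port-range {start}-{end}",
        "    next",
        "end",
        "config firewall policy",
        "    edit <policy_id>",
        f"        set srcintf {lan_if}",
        f"        set dstintf {wan_if}",
        "        set srcaddr all",
        "        set dstaddr all",
        "        set service SIP",
        "        set action accept",
        "        set schedule always",
        f"        set voip-profile {profile}",
        "        set nat enable",
        "    next",
        "end",
    ]
    return "\n".join(lines)


@dataclass(frozen=True)
class Flow:
    """Simplified UDP flow record (constructed for this example, not sniffer output)."""
    ingress: str
    egress: str
    src_port: int
    dst_port: int


def untranslated_media_flows(flows: List[Flow], wan_if: str, start: int, end: int) -> List[Flow]:
    """Return media flows crossing wan_if whose translated port lies outside the range.
    Egress on wan_if: the source port must be translated; ingress: the destination port."""
    bad = []
    for f in flows:
        if SIP_SIGNALING_PORT in (f.src_port, f.dst_port):
            continue  # signaling, not media
        if f.egress == wan_if and not start <= f.src_port <= end:
            bad.append(f)
        elif f.ingress == wan_if and not start <= f.dst_port <= end:
            bad.append(f)
    return bad


# Constructed sample: Phone1 (17078/17079) behind port1, SIP server beyond port2.
SAMPLE_FLOWS = [
    Flow("port1", "port2", 30000, 20000),   # RTP out, source port translated correctly
    Flow("port1", "port2", 30001, 20001),   # RTCP out, source port translated correctly
    Flow("port2", "port1", 20000, 30000),   # RTP back in, addressed to the translated port
    Flow("port1", "port2", 5060, 5060),     # SIP signaling, not media
    Flow("port1", "port2", 17078, 20000),   # RTP out still on 17078: NAT was not applied
]

if __name__ == "__main__":
    lo, hi = parse_nat_port_range("30000-30001")
    print(render_config("natPortRange", lo, hi, "port1", "port2"))
    print("streams supported:", max_concurrent_streams(lo, hi))
    for f in untranslated_media_flows(SAMPLE_FLOWS, "port2", lo, hi):
        print("untranslated media flow:", f)
```

Run it against records taken from your own capture on the WAN-side interface; any flow it reports is media that left with its original port, which means the policy did not hand the session to the ALG (no voip-profile, NAT disabled, or a non-SIP service) or the range is exhausted.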