Custom SIP RTP Port Range Support


A new nat-port-range attribute can be used to specify a port range in the Voice Over Internet Protocol (VoIP) profile to restrict the Network Address Translation (NAT) port range for Real-Time Transport Protocol/Real-Time Transport Control Protocol (RTP/RTCP) packets in a Session Initiation Protocol (SIP) call session that is handled by the SIP ALG (Application Layer Gateway) in a FortiGate device.

When NAT is enabled or VIP is used in a firewall policy for SIP ALG to handle a SIP call session established through a FortiGate device, the SIP ALG can perform NAT to translate the ports used for the RTP/RTCP packets when they are flowing through the device between the external and internal networks.

Previously, you could not configure the translated port range, and the fixed port range was [5117-65533]. Now you can control the translated port range for RTP/RTCP packets by using the CLI:

config voip profile
    edit <profile-name>
        config sip
            set nat-port-range <start_port_number>-<end_port_number>
        end
    next
end

FGT(sip) # set nat-port-range ?
<start>-<end>    NAT port range (default 5117-65533)

A valid port range must be configured within [5117-65533]. For example: set nat-port-range 30000-30099

Example

This section provides an example for NAT where Phone1 is in subnet_1, and the SIP server and Phone2 are in subnet_2. All SIP signaling messages and RTP/RTCP packets go through the SIP server. In this example, the RTP/RTCP ports on Phone1 are configured as 17078/17079.

The FortiGate administrator wants to translate ports 17078/17079 to 30000/30001, which can be specified in the nat-port-range. As a result, all RTP/RTCP packets going out of port2 have source ports of 30000/30001, and all RTP/RTCP packets coming into port2 have destination ports of 30000/30001.

The topology is shown as follows:

[Figure: network topology]

The configuration is as follows:

config voip profile
    edit "natPortRange"
        config sip
            set nat-port-range 30000-30001    <--------------------------------
        end
    next
end

config firewall policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set service SIP
        set action accept
        set schedule always
        set voip-profile natPortRange    <---------------------
        set nat enable    <---------------------
end

Now if Phone1 and Phone2 are registered to the SIP server and establish a call session between them through the FortiGate and the SIP server, the RTP/RTCP ports 17078/17079 of Phone1 are NATed to 30000/30001 at the FortiGate unit, based on the nat-port-range setting. That is, RTP/RTCP packets egressing port2 of the FortiGate have source ports 30000/30001, and RTP/RTCP packets ingressing port2 have destination ports 30000/30001.
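The following audit script is an added example, not part of the original Fortinet page or any Fortinet tooling. It reads a configuration backup and reports, per VoIP profile, whether nat-port-range is still the wide default, a valid custom range, or outside the [5117-65533] bounds stated above, which helps when sizing perimeter rules for media traffic. It assumes the backup uses the same layout as the CLI listings on this page and that each NATed media stream consumes one RTP/RTCP port pair, as in the 30000/30001 example.

```python
import re

VALID_MIN, VALID_MAX = 5117, 65533  # allowed bounds stated on this page

def check_range(value, origin):
    """Return (start, end, pairs, status); assumes one RTP+RTCP pair per stream."""
    m = re.fullmatch(r"(\d+)-(\d+)", value.strip())
    if not m:
        return (None, None, 0, "invalid: expected <start>-<end>")
    start, end = int(m.group(1)), int(m.group(2))
    if not (VALID_MIN <= start <= end <= VALID_MAX):
        return (start, end, 0, f"invalid: need {VALID_MIN} <= start <= end <= {VALID_MAX}")
    return (start, end, (end - start + 1) // 2, origin)

def audit_voip_profiles(config_text):
    """Return {profile_name: check_range(...) result} for a config backup."""
    results, stack, profile = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack == ["voip profile"]:
            profile = line[len("edit "):].strip('"')
            # No explicit setting means the default 5117-65533 range applies.
            results[profile] = check_range("5117-65533", "default")
        elif (line.startswith("set nat-port-range ") and profile
              and stack == ["voip profile", "sip"]):
            results[profile] = check_range(line.split()[2], "custom")
    return results

# Constructed sample in the layout of the page's CLI listing (not a real backup).
SAMPLE = """config voip profile
    edit "default"
    next
    edit "natPortRange"
        config sip
            set nat-port-range 30000-30001
        end
    next
    edit "tooLow"
        config sip
            set nat-port-range 1024-2047
        end
    next
end
"""
```

Calling audit_voip_profiles(SAMPLE) shows that "natPortRange" holds exactly one RTP/RTCP pair, so a range that narrow serves a single translated media stream at a time under the stated assumption.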
