
NAT46 and NAT64 for SIP ALG

NAT46 and NAT64 are supported for SIP ALG. A mix of IPv4 and IPv6 networks can use SIP ALG, allowing for proper call handling.

NAT46 example

In this example, SIP phones on the internal network use IPv4, and the SIP server on an external network uses IPv6. NAT46 is used with SIP ALG to allow for seamless communication. A VoIP profile, sip, has already been created.

To configure the FortiGate:
  1. Configure a firewall VIP with NAT46 enabled:

    config firewall vip
        edit "vip46_server_asterisk"
            set extip 10.1.100.100
            set nat44 disable
            set nat46 enable
            set extintf "port1"
            set ipv6-mappedip 2000:172:16:200::44
        next
    end
  2. Configure an IPv6 pool:

    config firewall ippool6
        edit "client_server_nat46"
            set startip 2000:172:16:200::200
            set endip 2000:172:16:200::207
            set nat46 enable
        next
    end
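  3. Configure a firewall policy. The example matches srcaddr "all" and service "ALL" to keep the listing short; in a deployment, limit the source to the phone subnet and the service to SIP signalling, because the SIP ALG opens the media ports itself (they appear in the expectation session lists below), and confirm that calls still complete after narrowing: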

    config firewall policy
        edit 1
            set name "policy46-1"
            set srcintf "port1"
            set dstintf "port9"
            set action accept                                  
            set nat46 enable                                  
            set srcaddr "all"
            set dstaddr "vip46_server_asterisk"   
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy                
            set voip-profile "sip"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable                               
            set poolname6 "client_server_nat46"  
        next
    end
To check the SIP calls and session lists when the phones are registering to the SIP server:
  1. View the SIP proxy SIP calls:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 3 (vdom1) vrf 0 call 7f64bf044b00
        call-id: 1513782757
        txn 7f64bf048f00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 868 HA 0
          i_session: 7f64bf045e00  r_session: 7f64bf045e00
          register: present
          from: sip:2002@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.22:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf076700
        call-id: 1490871789
        txn 7f64bf047a00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 861 HA 0
          i_session: 7f64bf045000  r_session: 7f64bf045000
          register: present
          from: sip:2001@10.1.100.100
          to: sip:2001@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
  2. View the IPv4 session list:

    # diagnose sys session list
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    peer=2000:172:16:200::203:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
    peer=2000:172:16:200::200:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
  3. View the IPv4 expectation session list:

    # diagnose sys session list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.11:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
  4. View the IPv6 session list:

    # diagnose sys session6 list
    
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.11:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.22:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
  5. View the IPv6 expectation session list:

    # diagnose sys session6 list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=17->0/52->0
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::200:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.22:5060 naf=1
    
    orgin->sink: org pre->post, reply pre->post dev=17->0/52->0
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::203:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.11:5060 naf=1
To check the SIP calls and session lists when one phone is calling another phone:
  1. View the SIP proxy SIP calls:

    # diagnose sys sip-proxy calls
    
    sip calls
      vdom 3 (vdom1) vrf 0 call 7f64bf057a00
        call-id: 217ac4733f80ac766c7e0f3a69d317a1@[2000:172:16:200::44]:5060
        txn 7f64bf038800 (INVITE)
          cseq 103 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cf00/2 session 7f64bf036500
          contact[1]:  factory 7f64bf057700/3 expectation 7f64bf02ca00/3 session 7f64bf036500
          from: sip:2001@[2000:172:16:200::44]
          to: sip:2002@[2000:172:16:200::200]:65476;o=10.1.100.22;line=28c59e086cac7c9
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.22:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057a00
        call-id: 217ac4733f80ac766c7e0f3a69d317a1@[2000:172:16:200::44]:5060
        txn 7f64bf038100 (INVITE)
          cseq 102 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cf00/2 session 7f64bf036500
          contact[1]:  factory 7f64bf057700/3 expectation 7f64bf02ca00/3 session 7f64bf036500
          from: sip:2001@[2000:172:16:200::44]
          to: sip:2002@[2000:172:16:200::200]:65476;o=10.1.100.22;line=28c59e086cac7c9
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.22:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057600
        call-id: 1876706695
        txn 7f64bf037300 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 856 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: present
          from: sip:2002@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.22:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057400
        call-id: 1372246794
        txn 7f64bf035e00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 853 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: present
          from: sip:2001@10.1.100.100
          to: sip:2001@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057800
        call-id: 16530657
        txn 7f64bf038f00 (INVITE)
          cseq 102 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cc80/2 session 7f64bf035000
          contact[1]:  factory 7f64bf057500/3 expectation 7f64bf02c780/3 session 7f64bf035000
          from: sip:2002@[2000:172:16:200::44]
          to: sip:2001@[2000:172:16:200::44]
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.11:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057800
        call-id: 16530657
        txn 7f64bf037a00 (INVITE)
          cseq 21 dir 0 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: not-present
          contact[0]:  factory 7f64bf057500/3 expectation 7f64bf02c780/3 session 7f64bf035000
          contact[1]:  factory 7f64bf057900/4 expectation 7f64bf02cc80/2 session 7f64bf035000
          from: sip:2001@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
  2. View the IPv6 session list:

    # diagnose sys session6 list
    
    hook=pre dir=org act=noop 2000:172:16:200::203:17078->2000:172:16:200::44:17090(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17090->2000:172:16:200::203:17078(:::0)
    peer=10.1.100.100:17090->10.1.100.11:17078 naf=2
    
    hook=pre dir=org act=noop 2000:172:16:200::200:17078->2000:172:16:200::44:17082(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17082->2000:172:16:200::200:17078(:::0)
    peer=10.1.100.100:17082->10.1.100.22:17078 naf=2
    hook=pre dir=org act=noop 10.1.100.22:17078->10.1.100.100:17082(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:17082->10.1.100.22:17078(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.11:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.22:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
  3. View the IPv6 expectation session list:

    # diagnose sys session6 list expectation
    
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::203:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.11:5060 naf=1
  4. View the IPv4 session list:

    # diagnose sys session list
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:17078->10.1.100.100:17082(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:17082->10.1.100.22:17078(0.0.0.0:0)
    peer=2000:172:16:200::200:17078->2000:172:16:200::44:17082 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:17078->2000:172:16:200::44:17082(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17082->2000:172:16:200::200:17078(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
    peer=2000:172:16:200::200:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    peer=2000:172:16:200::203:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
  5. View the IPv4 expectation session list:

    # diagnose sys session list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.11:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:17078(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:17079(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=post dir=org act=noop 10.1.100.22:0->10.1.100.100:17083(0.0.0.0:0)
    peer=2000:172:16:200::200:17085->2000:172:16:200::44:17903 naf=1

Log messages

When the phones are registering to the SIP server:

date=2022-02-17 time=16:44:47 eventtime=1645145087805236720 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=924 epoch=0 event_id=9 srcip=10.1.100.11 src_port=5060 dstip=2000:172:16:200::44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="sip" voip_proto="sip" kind="register" action="permit" status="authentication-required" duration=0 dir="session_origin" call_id="1868762230" from="sip:2001@10.1.100.100" to="sip:2001@10.1.100.100"

When one phone is calling another phone:

date=2022-02-17 time=16:44:53 eventtime=1645145093351288241 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=924 epoch=0 event_id=11 srcip=10.1.100.11 src_port=5060 dstip=2000:172:16:200::44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="sip" voip_proto="sip" kind="call" action="permit" status="start" duration=0 dir="session_origin" call_id="133636365" from="sip:2001@10.1.100.100" to="sip:2002@10.1.100.100"

NAT64 example

In this example, SIP phones on the internal network use IPv6, and the SIP server on an external network uses IPv4. NAT64 is used with SIP ALG to allow for seamless communication. A VoIP profile, sip, has already been created.

To configure the FortiGate:
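  1. Configure a firewall VIP with NAT64 enabled. The settings below (an IPv6 extip, nat66, nat64, ipv4-mappedip) are IPv6 VIP settings, which FortiOS normally keeps under config firewall vip6; if config firewall vip rejects them, use vip6: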

    config firewall vip
        edit "vip64-1-asterisk"
            set extip 2000:10:1:100::100
            set nat66 disable
            set nat64 enable
            set ipv4-mappedip 172.16.200.44
        next
    end
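  2. Configure an IP pool. The pool name must be the one the policy in step 3 references with poolname; the listing below names the pool "client_server_nat46" while the policy references "client_server_nat64", so use one name in both places: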

    config firewall ippool
        edit "client_server_nat46"
            set startip 172.16.200.2
            set endip 172.16.200.3
            set nat64 enable
        next
    end
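  3. Configure a firewall policy. The example matches srcaddr6 "all" and service "ALL" to keep the listing short; in a deployment, limit the source to the phone subnet and the service to SIP signalling, because the SIP ALG opens the media ports itself, and confirm that calls still complete after narrowing: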

    config firewall policy
        edit 1
            set name "policy64-1"
            set srcintf "port1"
            set dstintf "port9"
            set action accept
            set nat64 enable
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "vip64-1-asterisk" 
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set voip-profile "sip"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname "client_server_nat64" 
        next
    end

NAT46 and NAT64 for SIP ALG

NAT46 and NAT64 are supported for SIP ALG. A mix of IPv4 and IPv6 networks can use SIP ALG, allowing for proper call handling.

NAT46 example

In this example, SIP phones on the internal network use IPv4, and the SIP server on an external network uses IPv6. NAT46 is used with SIP ALG to allow for seamless communication. A VoIP profile, sip, has already been created.

To configure the FortiGate:
  1. Configure a firewall VIP with NAT46 enabled:

    config firewall vip
        edit "vip46_server_asterisk"
            set extip 10.1.100.100
            set nat44 disable
            set nat46 enable
            set extintf "port1"
            set ipv6-mappedip 2000:172:16:200::44
        next
    end
  2. Configure an IPv6 pool:

    config firewall ippool6
        edit "client_server_nat46"
            set startip 2000:172:16:200::200
            set endip 2000:172:16:200::207
            set nat46 enable
        next
    end
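  3. Configure a firewall policy. The example matches srcaddr "all" and service "ALL" to keep the listing short; in a deployment, limit the source to the phone subnet and the service to SIP signalling, because the SIP ALG opens the media ports itself (they appear in the expectation session lists below), and confirm that calls still complete after narrowing: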

    config firewall policy
        edit 1
            set name "policy46-1"
            set srcintf "port1"
            set dstintf "port9"
            set action accept                                  
            set nat46 enable                                  
            set srcaddr "all"
            set dstaddr "vip46_server_asterisk"   
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy                
            set voip-profile "sip"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable                               
            set poolname6 "client_server_nat46"  
        next
    end
To check the SIP calls and session lists when the phones are registering to the SIP server:
  1. View the SIP proxy SIP calls:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 3 (vdom1) vrf 0 call 7f64bf044b00
        call-id: 1513782757
        txn 7f64bf048f00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 868 HA 0
          i_session: 7f64bf045e00  r_session: 7f64bf045e00
          register: present
          from: sip:2002@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.22:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf076700
        call-id: 1490871789
        txn 7f64bf047a00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 861 HA 0
          i_session: 7f64bf045000  r_session: 7f64bf045000
          register: present
          from: sip:2001@10.1.100.100
          to: sip:2001@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
  2. View the IPv4 session list:

    # diagnose sys session list
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    peer=2000:172:16:200::203:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
    peer=2000:172:16:200::200:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
  3. View the IPv4 expectation session list:

    # diagnose sys session list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.11:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
  4. View the IPv6 session list:

    # diagnose sys session6 list
    
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.11:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.22:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
  5. View the IPv6 expectation session list:

    # diagnose sys session6 list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=17->0/52->0
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::200:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.22:5060 naf=1
    
    orgin->sink: org pre->post, reply pre->post dev=17->0/52->0
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::203:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.11:5060 naf=1
To check the SIP calls and session lists when one phone is calling another phone:
  1. View the SIP proxy SIP calls:

    # diagnose sys sip-proxy calls
    
    sip calls
      vdom 3 (vdom1) vrf 0 call 7f64bf057a00
        call-id: 217ac4733f80ac766c7e0f3a69d317a1@[2000:172:16:200::44]:5060
        txn 7f64bf038800 (INVITE)
          cseq 103 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cf00/2 session 7f64bf036500
          contact[1]:  factory 7f64bf057700/3 expectation 7f64bf02ca00/3 session 7f64bf036500
          from: sip:2001@[2000:172:16:200::44]
          to: sip:2002@[2000:172:16:200::200]:65476;o=10.1.100.22;line=28c59e086cac7c9
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.22:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057a00
        call-id: 217ac4733f80ac766c7e0f3a69d317a1@[2000:172:16:200::44]:5060
        txn 7f64bf038100 (INVITE)
          cseq 102 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cf00/2 session 7f64bf036500
          contact[1]:  factory 7f64bf057700/3 expectation 7f64bf02ca00/3 session 7f64bf036500
          from: sip:2001@[2000:172:16:200::44]
          to: sip:2002@[2000:172:16:200::200]:65476;o=10.1.100.22;line=28c59e086cac7c9
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.22:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057600
        call-id: 1876706695
        txn 7f64bf037300 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 856 HA 0
          i_session: 7f64bf036500  r_session: 7f64bf036500
          register: present
          from: sip:2002@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.22:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057400
        call-id: 1372246794
        txn 7f64bf035e00 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 853 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: present
          from: sip:2001@10.1.100.100
          to: sip:2001@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057800
        call-id: 16530657
        txn 7f64bf038f00 (INVITE)
          cseq 102 dir 1 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: not-present
          contact[0]:  factory 7f64bf057900/4 expectation 7f64bf02cc80/2 session 7f64bf035000
          contact[1]:  factory 7f64bf057500/3 expectation 7f64bf02c780/3 session 7f64bf035000
          from: sip:2002@[2000:172:16:200::44]
          to: sip:2001@[2000:172:16:200::44]
          src: [2000:172:16:200::44]:5060
          dst: 10.1.100.11:5060
    
      vdom 3 (vdom1) vrf 0 call 7f64bf057800
        call-id: 16530657
        txn 7f64bf037a00 (INVITE)
          cseq 21 dir 0 state 11 status 200 expiry 252 HA 0
          i_session: 7f64bf035000  r_session: 7f64bf035000
          register: not-present
          contact[0]:  factory 7f64bf057500/3 expectation 7f64bf02c780/3 session 7f64bf035000
          contact[1]:  factory 7f64bf057900/4 expectation 7f64bf02cc80/2 session 7f64bf035000
          from: sip:2001@10.1.100.100
          to: sip:2002@10.1.100.100
          src: 10.1.100.11:5060
          dst: [2000:172:16:200::44]:5060
  2. View the IPv6 session list:

    # diagnose sys session6 list
    
    hook=pre dir=org act=noop 2000:172:16:200::203:17078->2000:172:16:200::44:17090(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17090->2000:172:16:200::203:17078(:::0)
    peer=10.1.100.100:17090->10.1.100.11:17078 naf=2
    
    hook=pre dir=org act=noop 2000:172:16:200::200:17078->2000:172:16:200::44:17082(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17082->2000:172:16:200::200:17078(:::0)
    peer=10.1.100.100:17082->10.1.100.22:17078 naf=2
    hook=pre dir=org act=noop 10.1.100.22:17078->10.1.100.100:17082(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:17082->10.1.100.22:17078(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.11:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    peer=10.1.100.100:5060->10.1.100.22:5060 naf=2
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
  3. View the IPv6 expectation session list:

    # diagnose sys session6 list expectation
    
    hook=post dir=org act=noop 2000:172:16:200::44:0->2000:172:16:200::203:65476(:::0)
    hook=pre dir=org act=noop :::0->:::0(:::0)
    peer=10.1.100.100:0->10.1.100.11:5060 naf=1
  4. View the IPv4 session list:

    # diagnose sys session list
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:17078->10.1.100.100:17082(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:17082->10.1.100.22:17078(0.0.0.0:0)
    peer=2000:172:16:200::200:17078->2000:172:16:200::44:17082 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:17078->2000:172:16:200::44:17082(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:17082->2000:172:16:200::200:17078(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.22
    hook=pre dir=org act=noop 10.1.100.22:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.22:5060(0.0.0.0:0)
    peer=2000:172:16:200::200:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::200:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::200:65476(:::0)
    
    orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=10.1.100.100/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:5060->10.1.100.100:5060(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.100:5060->10.1.100.11:5060(0.0.0.0:0)
    peer=2000:172:16:200::203:65476->2000:172:16:200::44:5060 naf=1
    hook=pre dir=org act=noop 2000:172:16:200::203:65476->2000:172:16:200::44:5060(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::44:5060->2000:172:16:200::203:65476(:::0)
  5. View the IPv4 expectation session list:

    # diagnose sys session list expectation
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.11:5060(0.0.0.0:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:17078(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.1.100.100:0->10.1.100.22:17079(0.0.0.0:0)
    peer=:::0->:::0 naf=2
    
    orgin->sink: org pre->post, reply pre->post dev=9->0/52->0 gwy=0.0.0.0/0.0.0.0
    hook=post dir=org act=noop 10.1.100.22:0->10.1.100.100:17083(0.0.0.0:0)
    peer=2000:172:16:200::200:17085->2000:172:16:200::44:17903 naf=1

Log messages

When the phones are registering to the SIP server:

date=2022-02-17 time=16:44:47 eventtime=1645145087805236720 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=924 epoch=0 event_id=9 srcip=10.1.100.11 src_port=5060 dstip=2000:172:16:200::44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="sip" voip_proto="sip" kind="register" action="permit" status="authentication-required" duration=0 dir="session_origin" call_id="1868762230" from="sip:2001@10.1.100.100" to="sip:2001@10.1.100.100"

When one phone is calling another phone:

date=2022-02-17 time=16:44:53 eventtime=1645145093351288241 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=924 epoch=0 event_id=11 srcip=10.1.100.11 src_port=5060 dstip=2000:172:16:200::44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="sip" voip_proto="sip" kind="call" action="permit" status="start" duration=0 dir="session_origin" call_id="133636365" from="sip:2001@10.1.100.100" to="sip:2002@10.1.100.100"

NAT64 example

In this example, SIP phones on the internal network use IPv6, and the SIP server on an external network uses IPv4. NAT64 is used with SIP ALG to allow for seamless communication. A VoIP profile, sip, has already been created.

To configure the FortiGate:
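  1. Configure a firewall VIP with NAT64 enabled. The settings below (an IPv6 extip, nat66, nat64, ipv4-mappedip) are IPv6 VIP settings, which FortiOS normally keeps under config firewall vip6; if config firewall vip rejects them, use vip6: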

    config firewall vip
        edit "vip64-1-asterisk"
            set extip 2000:10:1:100::100
            set nat66 disable
            set nat64 enable
            set ipv4-mappedip 172.16.200.44
        next
    end
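  2. Configure an IP pool. The pool name must be the one the policy in step 3 references with poolname; the listing below names the pool "client_server_nat46" while the policy references "client_server_nat64", so use one name in both places: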

    config firewall ippool
        edit "client_server_nat46"
            set startip 172.16.200.2
            set endip 172.16.200.3
            set nat64 enable
        next
    end
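  3. Configure a firewall policy. The example matches srcaddr6 "all" and service "ALL" to keep the listing short; in a deployment, limit the source to the phone subnet and the service to SIP signalling, because the SIP ALG opens the media ports itself, and confirm that calls still complete after narrowing: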

    config firewall policy
        edit 1
            set name "policy64-1"
            set srcintf "port1"
            set dstintf "port9"
            set action accept
            set nat64 enable
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "vip64-1-asterisk" 
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set voip-profile "sip"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname "client_server_nat64" 
        next
    end