SIP NAT configuration example: source address translation (source NAT)
This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.
General configuration steps
The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.
- Add firewall addresses for Phone A and Phone B.
- Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
- Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.
Configuration steps – GUI
To add firewall addresses for the SIP phones
- Go to Policy & Objects > Addresses.
- Add the following addresses for Phone A and Phone B:
| Category | Address |
| Name | Phone_A |
| Type | IP/Netmask |
| Subnet / IP Range | 10.31.101.20/255.255.255.255 |
| Interface | Internal |
SIP NAT configuration example: source address translation (source
| Category | Address |
| Name | Phone_B |
| Type | IP/Netmask |
| Subnet / IP Range | 172.20.120.30/255.255.255.255 |
| Interface | wan1 |
To add security policies to apply the SIP ALG to SIP sessions
- Go to Policy & Objects > Policy > IPv4.
- Add a security policy to allow Phone A to send SIP request messages to Phone B:
| Incoming Interface | internal | |
| Outgoing Interface | wan1 | |
| Source | Phone_A | |
| Destination Address | Phone_B | |
| Schedule | always | |
| Service | SIP | |
| Action | ACCEPT |
- Turn on NAT and select Use Outgoing Interface Address.
- Turn on VoIP and select the default VoIP profile.
- Select OK.
- Add a security policy to allow Phone B to send SIP request messages to Phone A:
| Incoming Interface | wan1 | |
| Outgoing Interface | internal | |
| Source | Phone_B | |
| Destination Address | Phone_A | |
| Schedule | always | |
| Service | SIP | |
| Action | ACCEPT |
- Turn on NAT and select Use Outgoing Interface Address.
- Turn on VoIP and select the default VoIP profile.
- Select OK.
Configuration steps – CLI
To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions
- Enter the following command to add firewall addresses for Phone A and Phone B. config firewall address edit Phone_A set associated interface internal set type ipmask
set subnet 10.31.101.20 255.255.255.255
next edit Phone_B set associated interface wan1 set type ipmask
set subnet 172.20.120.30 255.255.255.255
end
- Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.
config firewall policy edit 0 set srcintf internal set dstintf wan1 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default
next edit 0 set srcintf wan1 set dstintf internal set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end