SIP and RTP source NAT
In the source NAT scenario shown below, a SIP phone connects to the Internet through a FortiGate with an IP address configured using PPPoE. The SIP ALG translates all private IPs in the SIP contact header into public IPs.
You need to configure an internal to external SIP security policy with NAT selected, and include a VoIP profile with SIP enabled.
SIP source NAT
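The following Python sketch is an added example, not Fortinet code. It applies the source NAT rewrite described above to a constructed INVITE and, going one step beyond the Contact header, also rewrites the SDP connection information and derives the RTP pinhole. The addresses, the message, the function name alg_source_nat and the assumption that the media port is kept unchanged are all illustrative.

```python
# Added illustration (not FortiOS code): mimic the source NAT rewrite a SIP ALG
# applies to an outbound INVITE. All addresses and ports here are constructed.
import re

PRIVATE_IP = "10.31.101.20"  # constructed: SIP phone behind the FortiGate
PUBLIC_IP = "203.0.113.5"    # constructed: address assigned over PPPoE

# Constructed INVITE excerpt, limited to the fields this example touches.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@example.net>;tag=9fxced76sl\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: 3848276298220188511@example.net\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.31.101.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 116\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.31.101.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.31.101.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def alg_source_nat(msg, private_ip, public_ip):
    """Return (rewritten message, RTP pinhole) for an outbound SIP request."""
    head, _, body = msg.partition("\r\n\r\n")
    # (?!\d) stops 10.31.101.20 from matching inside 10.31.101.200.
    ip = re.escape(private_ip) + r"(?!\d)"
    swap = lambda m: m.group(1) + public_ip
    # SIP layer: the Contact header must advertise a publicly reachable address.
    head = re.sub(r"(?im)^(Contact:[^\r\n]*?)" + ip, swap, head)
    # SDP layer: o= and c= carry the address the far end will send RTP to.
    body = re.sub(r"(?m)^([oc]=[^\r\n]*IN IP4 )" + ip, swap, body)
    # The body length changed, so Content-Length has to be recomputed.
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  "Content-Length: %d" % len(body.encode()), head)
    # Pinhole: inbound RTP is accepted only on the negotiated media port and
    # forwarded to the phone (assumption: the port is not translated).
    port = int(re.search(r"(?m)^m=audio (\d+) ", body).group(1))
    pinhole = {"public": (public_ip, port), "private": (private_ip, port)}
    return head + "\r\n\r\n" + body, pinhole

if __name__ == "__main__":
    rewritten, pinhole = alg_source_nat(INVITE, PRIVATE_IP, PUBLIC_IP)
    print(rewritten)
    print(pinhole)
```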
SIP and RTP destination NAT
In the following destination NAT scenario, a SIP phone can connect through the FortiGate to a private IP address using a firewall virtual IP (VIP). The SIP ALG translates the SIP contact header to the IP of the real SIP proxy server located on the Internet.
SIP destination NAT
In the scenario shown above, the SIP phone connects to a VIP (10.72.0.60). The SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and manages NAT.
The FortiGate also supports a variation of this scenario where the RTP media server’s IP address is hidden on a private network or DMZ.
SIP destination NAT-RTP media server hidden
In the scenario shown above, a SIP phone connects to the Internet. The VoIP service provider only publishes a single public IP. The FortiGate is configured with a firewall VIP. The SIP phone connects to the FortiGate (217.233.90.60) and, using the VIP, the FortiGate translates the SIP contact header to the SIP proxy server IP address (10.0.0.60). The SIP proxy server also changes the SIP/SDP connection information (which tells the SIP phone which RTP media server IP it should contact) to 217.233.90.60.