Additional SIP NAT scenarios
This section lists some additional SIP NAT scenarios.
Source NAT (SIP and RTP)
In the source NAT scenario shown below, a SIP phone connects to the Internet through a FortiGate unit with an IP address configured using PPPoE. The SIP ALG translates all private IPs in the SIP contact header into public IPs.
You need to configure an internal to external SIP security policy with NAT selected, and include a VoIP profile with SIP enabled.
Figure: SIP source NAT. Addresses shown: SIP proxy server 217.10.79.9, RTP media server 217.10.69.11 (the SIP service provider has a SIP server and a separate RTP server), FortiGate unit 217.233.122.132 / 10.72.0.57.
Destination NAT (SIP and RTP)
In the following destination NAT scenario, a SIP phone can connect through the FortiGate unit to a private IP address using a firewall virtual IP (VIP). The SIP ALG translates the SIP contact header to the IP of the real SIP proxy server located on the Internet.
Figure: SIP destination NAT. Addresses shown: SIP proxy server 217.10.79.9, RTP media server 217.10.69.11 (the SIP service provider has a SIP server and a separate RTP server).
In the scenario shown above, the SIP phone connects to a VIP (10.72.0.60). The SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and manages NAT.
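To make concrete what the ALG rewrites in the source NAT and destination NAT scenarios above, the following is an added Python model of the header translation; it is not FortiGate code. The addresses come from the diagrams, the SIP messages are constructed, treating 10.72.0.57 as the phone's private address and leaving the RTP port unchanged are assumptions.

```python
import re

# Addresses are taken from the page's diagrams; the SIP messages are constructed.
# Treating 10.72.0.57 as the phone's private address is an assumption.
PHONE_PRIVATE = "10.72.0.57"      # phone behind the FortiGate (source NAT case)
FORTIGATE_PUBLIC = "217.233.122.132"
SIP_VIP = "10.72.0.60"            # firewall VIP the phone dials (destination NAT case)
SIP_PROXY = "217.10.79.9"         # real SIP proxy server on the Internet

def build_invite(src_ip, dst_ip, rtp_port):
    """Constructed INVITE with SDP: the phone at src_ip offers RTP on rtp_port."""
    return (
        f"INVITE sip:5551234@{dst_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK776\r\n"
        f"Contact: <sip:phone@{src_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n\r\n"
        f"v=0\r\no=phone 1 1 IN IP4 {src_ip}\r\n"
        f"c=IN IP4 {src_ip}\r\nm=audio {rtp_port} RTP/AVP 0\r\n"
    )

# Lines an ALG rewrites: request line, Via, Contact, and the SDP o= and c= lines.
ADDR_LINES = re.compile(r"^(INVITE sip:|Via:|Contact:|o=|c=)(.*)$", re.M)

def rtp_pinhole(msg):
    """(ip, port) the ALG must open for RTP, read from the SDP c= and m=audio lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", msg, re.M).group(1))
    return ip, port

def alg_translate(msg, old_ip, new_ip):
    """Replace old_ip with new_ip only in the address-bearing lines and return
    (rewritten message, RTP pinhole). The RTP port is left unchanged (assumption)."""
    out = ADDR_LINES.sub(lambda m: m.group(1) + m.group(2).replace(old_ip, new_ip), msg)
    return out, rtp_pinhole(out)

if __name__ == "__main__":
    # Source NAT: the private phone address becomes the FortiGate's public PPPoE address.
    msg, pin = alg_translate(build_invite(PHONE_PRIVATE, SIP_PROXY, 16384),
                             PHONE_PRIVATE, FORTIGATE_PUBLIC)
    print(msg, "pinhole:", pin)
    # Destination NAT: the VIP in the request URI becomes the real proxy address.
    msg, pin = alg_translate(build_invite(PHONE_PRIVATE, SIP_VIP, 16384), SIP_VIP, SIP_PROXY)
    print(msg, "pinhole:", pin)
```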
The FortiGate unit also supports a variation of this scenario where the RTP media server’s IP address is hidden on a private network or DMZ.
Figure: SIP destination NAT, RTP media server hidden. Addresses shown: 192.168.200.99 and 219.29.81.21 (RTP media server), 10.0.0.60 (SIP proxy server), 217.233.90.60 (FortiGate unit).
In the scenario shown above, a SIP phone connects to the Internet. The VoIP service provider publishes only a single public IP. The FortiGate unit is configured with a firewall VIP. The SIP phone connects to the FortiGate unit (217.233.90.60) and, using the VIP, the FortiGate unit translates the SIP contact header to the SIP proxy server IP address (10.0.0.60). The SIP proxy server also changes the SIP/SDP connection information (which tells the SIP phone which RTP media server IP it should contact) to 217.233.90.60.
Source NAT with an IP pool
You can choose NAT with the Dynamic IP Pool option when configuring a security policy if the source IP of the SIP packets is different from the interface IP. The FortiGate ALG interprets this configuration and translates the SIP header accordingly.
This configuration also applies to destination NAT.
Different source and destination NAT for SIP and RTP
This is a more complex scenario that a SIP service provider may use. It can also be deployed in large-scale SIP environments where RTP has to be processed by the FortiGate unit and the RTP server IP has to be translated differently from the SIP server IP.
Figure: Different source and destination NAT for SIP and RTP. Addresses shown: RTP servers 192.168.0.21 to 192.168.0.23, RTP server (media gateway) 219.29.81.10, SIP phone 219.29.81.20, SIP server 10.0.0.60, IP 217.233.90.60.
In this scenario, shown above, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to 217.233.90.65. What happens is as follows:
1. The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2. The SIP server carries out RTP to 217.233.90.65.
3. The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4. RTP is sent to the RTP VIP (217.233.90.65). The FortiGate ALG translates the SIP contact header to 192.168.0.21.