Fortinet black logo

Handbook

SIP NAT configuration example: source address translation (source NAT)

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:192475
Download PDF

SIP NAT configuration example: source address translation (source NAT)

This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.

SIP source NAT configuration

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ALL to allow traffic other than SIP on UDP port 5060.

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
  3. Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

Configuration steps - GUI

To add firewall addresses for the SIP phones
  1. Go to Policy & Objects > Addresses.
  2. Add the following addresses for Phone A and Phone B:
Category Address
Name Phone_A
Type IP/Netmask
Subnet / IP Range 10.31.101.20/255.255.255.255
Interface Internal

Category Address
Name Phone_B
Type IP/Netmask
Subnet / IP Range 172.20.120.30/255.255.255.255
Interface wan1
To add security policies to apply the SIP ALG to SIP sessions
  1. Go to Policy & Objects > Policy > IPv4.
  2. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface internal
Outgoing Interface wan1
Source Phone_A
Destination Address Phone_B
Schedule always
Service SIP
Action ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.
  4. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface wan1
Outgoing Interface internal
Source Phone_B
Destination Address Phone_A
Schedule always
Service SIP
Action ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.

Configuration steps - CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions
  1. Enter the following command to add firewall addresses for Phone A and Phone B.

config firewall address

edit Phone_A

set associated interface internal

set type ipmask

set subnet 10.31.101.20 255.255.255.255

next

edit Phone_B

set associated interface wan1

set type ipmask

set subnet 172.20.120.30 255.255.255.255

end

  1. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy

edit 0

set srcintf internal

set dstintf wan1

set srcaddr Phone_A

set dstaddr Phone_B

set action accept

set schedule always

set service SIP

set nat enable

set utm-status enable

set voip-profile default

next

edit 0

set srcintf wan1

set dstintf internal

set srcaddr Phone_B

set dstaddr Phone_A

set action accept

set schedule always

set service SIP

set nat enable

set utm-status enable

set voip-profile default

end

SIP NAT configuration example: source address translation (source NAT)

This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.

SIP source NAT configuration

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ALL to allow traffic other than SIP on UDP port 5060.

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
  3. Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

Configuration steps - GUI

To add firewall addresses for the SIP phones
  1. Go to Policy & Objects > Addresses.
  2. Add the following addresses for Phone A and Phone B:
Category Address
Name Phone_A
Type IP/Netmask
Subnet / IP Range 10.31.101.20/255.255.255.255
Interface Internal

Category Address
Name Phone_B
Type IP/Netmask
Subnet / IP Range 172.20.120.30/255.255.255.255
Interface wan1
To add security policies to apply the SIP ALG to SIP sessions
  1. Go to Policy & Objects > Policy > IPv4.
  2. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface internal
Outgoing Interface wan1
Source Phone_A
Destination Address Phone_B
Schedule always
Service SIP
Action ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.
  4. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface wan1
Outgoing Interface internal
Source Phone_B
Destination Address Phone_A
Schedule always
Service SIP
Action ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.

Configuration steps - CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions
  1. Enter the following command to add firewall addresses for Phone A and Phone B.

config firewall address

edit Phone_A

set associated interface internal

set type ipmask

set subnet 10.31.101.20 255.255.255.255

next

edit Phone_B

set associated interface wan1

set type ipmask

set subnet 172.20.120.30 255.255.255.255

end

  1. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy

edit 0

set srcintf internal

set dstintf wan1

set srcaddr Phone_A

set dstaddr Phone_B

set action accept

set schedule always

set service SIP

set nat enable

set utm-status enable

set voip-profile default

next

edit 0

set srcintf wan1

set dstintf internal

set srcaddr Phone_B

set dstaddr Phone_A

set action accept

set schedule always

set service SIP

set nat enable

set utm-status enable

set voip-profile default

end