Fortinet black logo

Handbook

How the SIP ALG translates IP addresses in SIP headers

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:765029
Download PDF

How the SIP ALG translates IP addresses in SIP headers

The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in SIP headers. For example, the following SIP message contains most of the SIP fields that contain addresses that need to be translated:

INVITE PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 172.20.120.50:5434

From: PhoneA@10.31.101.20

To: PhoneB@172.20.120.30

Call-ID: a12abcde@172.20.120.50

Contact: PhoneA@10.31.101.20:5434

Route: <sip:example@172.20.120.50:5060>

Record-Route: <sip:example@172.20.120.50:5060>

How IP address translation is performed depends on whether source NAT or destination NAT is applied to the session containing the message:

Source NAT translation of IP addresses in SIP messages

Source NAT translation occurs for SIP messages sent from a phone or server on a private network to a phone or server on the Internet. The source addresses in the SIP header fields of the message are typically set to IP addresses on the private network. The SIP ALG translates these addresses to the address the FortiGate interface connected to the Internet.

Source NAT translation of IP addresses in SIP request messages
SIP header NAT action
To: None
From: Replace private network address with IP address of FortiGate interface connected to the Internet.
Call-ID: Replace private network address with IP address of FortiGate interface connected to the Internet.
Via: Replace private network address with IP address of FortiGate interface connected to the Internet.
Request-URI: None
Contact: Replace private network address with IP address of FortiGate interface connected to the Internet.
Record-Route: Replace private network address with IP address of FortiGate interface connected to the Internet.
Route: Replace private network address with IP address of FortiGate interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate interface connected to the Internet where the destination addresses are translated back to addresses on the private network before forwarding the SIP response message to the private network.

Source NAT translation of IP addresses in SIP response messages
SIP header NAT action
To: None
From: Replace IP address of FortiGate interface connected to the Internet with private network address.
Call-ID: Replace IP address of FortiGate interface connected to the Internet with private network address.
Via: Replace IP address of FortiGate interface connected to the Internet with private network address.
Request-URI: N/A
Contact: None
Record-Route: Replace IP address of FortiGate interface connected to the Internet with private network address.
Route: Replace IP address of FortiGate interface connected to the Internet with private network address.

Destination NAT translation of IP addresses in SIP messages

Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate.

Destination NAT translation of IP addresses in SIP request messages
SIP header NAT action
To: Replace VIP address with address on the private network as defined in the firewall virtual IP.
From: None
Call-ID: None
Via: None
Request-URI: Replace VIP address with address on the private network as defined in the firewall virtual IP.
Contact: None
Record-Route: None
Route: None

SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.

Destination NAT translation of IP addresses in SIP response messages
SIP header NAT action
To: None
From: Replace private network address with firewall VIP address.
Call-ID: None
Via: None
Request-URI: N/A
Contact: Replace private network address with firewall VIP address.
Record-Route: Replace private network address with firewall VIP address.
Route: None

How the SIP ALG translates IP addresses in SIP headers

The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in SIP headers. For example, the following SIP message contains most of the SIP fields that contain addresses that need to be translated:

INVITE PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 172.20.120.50:5434

From: PhoneA@10.31.101.20

To: PhoneB@172.20.120.30

Call-ID: a12abcde@172.20.120.50

Contact: PhoneA@10.31.101.20:5434

Route: <sip:example@172.20.120.50:5060>

Record-Route: <sip:example@172.20.120.50:5060>

How IP address translation is performed depends on whether source NAT or destination NAT is applied to the session containing the message:

Source NAT translation of IP addresses in SIP messages

Source NAT translation occurs for SIP messages sent from a phone or server on a private network to a phone or server on the Internet. The source addresses in the SIP header fields of the message are typically set to IP addresses on the private network. The SIP ALG translates these addresses to the address the FortiGate interface connected to the Internet.

Source NAT translation of IP addresses in SIP request messages
SIP header NAT action
To: None
From: Replace private network address with IP address of FortiGate interface connected to the Internet.
Call-ID: Replace private network address with IP address of FortiGate interface connected to the Internet.
Via: Replace private network address with IP address of FortiGate interface connected to the Internet.
Request-URI: None
Contact: Replace private network address with IP address of FortiGate interface connected to the Internet.
Record-Route: Replace private network address with IP address of FortiGate interface connected to the Internet.
Route: Replace private network address with IP address of FortiGate interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate interface connected to the Internet where the destination addresses are translated back to addresses on the private network before forwarding the SIP response message to the private network.

Source NAT translation of IP addresses in SIP response messages
SIP header NAT action
To: None
From: Replace IP address of FortiGate interface connected to the Internet with private network address.
Call-ID: Replace IP address of FortiGate interface connected to the Internet with private network address.
Via: Replace IP address of FortiGate interface connected to the Internet with private network address.
Request-URI: N/A
Contact: None
Record-Route: Replace IP address of FortiGate interface connected to the Internet with private network address.
Route: Replace IP address of FortiGate interface connected to the Internet with private network address.

Destination NAT translation of IP addresses in SIP messages

Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate.

Destination NAT translation of IP addresses in SIP request messages
SIP header NAT action
To: Replace VIP address with address on the private network as defined in the firewall virtual IP.
From: None
Call-ID: None
Via: None
Request-URI: Replace VIP address with address on the private network as defined in the firewall virtual IP.
Contact: None
Record-Route: None
Route: None

SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.

Destination NAT translation of IP addresses in SIP response messages
SIP header NAT action
To: None
From: Replace private network address with firewall VIP address.
Call-ID: None
Via: None
Request-URI: N/A
Contact: Replace private network address with firewall VIP address.
Record-Route: Replace private network address with firewall VIP address.
Route: None