Description
This article describes what Hosted NAT Traversal (HNAT) is and when it must be enabled (used) in a SIP-ALG configuration.
Scope
FortiOS.
Solution
HNAT is a solution for SIP clients that connect directly from a remote location behind a router (ISP, MPLS, etc.) that performs NAT on all the traffic, including SIP, without being aware of the SIP content (and therefore not rewriting it as expected).
This causes problems in SIP handling (phones unable to register, one-way audio).
Diagram of the SIP communication without HNAT:
Note: A FortiGate with SIP-ALG or a SIP session helper enabled (and HNAT disabled) may still perform SNAT on the SDP header in this case, so the IP 192.168.1.10 may not be propagated to the PBX. Instead, the public (or local) IP of the FortiGate interface may replace this IP in the SDP header.
Ideally, the NAT in the SIP header should be addressed by the local router.
But most home routers provided by the ISPs do not have this capability.
Furthermore, the increasing demand for security and the need for VPN connections from the client render this solution unnecessary: as all client traffic is tunneled through the endpoint connection to the company FortiGate (and PBX), the need for NAT in the SIP headers is no longer present.
How to tell if this is the case (and HNAT is needed)?
Run a packet capture on the incoming interface of the FortiGate, filtered on port 5060 and the public source IP of the client.
Attempt a call. Stop the capture and open it with a packet analyzer.
What to look for:
A SIP request sent by the user's phone that contains SDP data shows SIP/SDP in the 'Protocol' field (e.g. INVITE, 200 OK).
The IPv4 header shows:
Src: 10.11.12.13 Dst: 99.98.97.96 (where Src is the public IP of the calling client and Dst is the public IP of the FortiGate)
Expand the SIP part of the packet -> 'Request line', 'Message Header', 'Message body'.
Focus on the following content:
Header:
Via: 192.168.1.11:5060 <- This is the local IP of the phone in the client's private network. It should be the public IP of the client (10.11.12.13).
From: 12345@10.11.12.13 <- This is OK.
Contact: 12345@192.168.1.11:65432 <- Same problem as Via: private IP of the phone.
Body:
(o): ……. IN IP4 192.168.1.11 <- As these IPs are not public, the FortiGate or PBX will not know how to route the traffic back unless HNAT is enabled.
(c): IN IP4 192.168.1.11 <- Same as above.
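The inspection above can be automated against a decoded SIP message. The following is an added example, not code from the article or from Fortinet: it extracts the Via, Contact and SDP o=/c= addresses and reports which ones differ from the IP-layer source address. The INVITE, the addresses and the field regexes are constructed for this example.

```python
import ipaddress
import re

# Constructed sample (not from the article): a SIP INVITE captured on the
# FortiGate's incoming interface. The IP header has the client's public address
# but Via, Contact and SDP o=/c= still carry the phone's LAN address.
OUTER_SRC_IP = "10.11.12.13"   # IPv4 Src (client public IP in the article)
PHONE_LAN_IP = "192.168.1.11"  # phone's address on the client's LAN
SAMPLE_INVITE = (
    "INVITE sip:5678@99.98.97.96 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PHONE_LAN_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    f"From: <sip:12345@{OUTER_SRC_IP}>;tag=1928301774\r\n"
    f"Contact: <sip:12345@{PHONE_LAN_IP}:65432>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    f"o=12345 2890844526 2890844526 IN IP4 {PHONE_LAN_IP}\r\n"
    f"c=IN IP4 {PHONE_LAN_IP}\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# Same INVITE after a SIP-aware router has rewritten the embedded addresses.
FIXED_INVITE = SAMPLE_INVITE.replace(PHONE_LAN_IP, OUTER_SRC_IP)

# The fields the article says to inspect: (regex capturing the IPv4, section).
FIELDS = {
    "Via":     (r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", "head"),
    "Contact": (r"^Contact:.*?@([\d.]+)", "head"),
    "SDP o=":  (r"^o=.*?\sIN\s+IP4\s+([\d.]+)", "body"),
    "SDP c=":  (r"^c=IN\s+IP4\s+([\d.]+)", "body"),
}

def sip_addresses(msg: str) -> dict:
    """Return {field: IPv4 string} for each FIELDS entry present in msg."""
    head, _, body = msg.partition("\r\n\r\n")
    section = {"head": head, "body": body}
    found = {}
    for name, (pattern, where) in FIELDS.items():
        m = re.search(pattern, section[where], re.M | re.I)
        if m:
            found[name] = m.group(1)
    return found

def hnat_mismatches(msg: str, outer_src_ip: str) -> dict:
    """Fields whose embedded address differs from the IP-layer source. A
    non-empty result is the HNAT symptom: the remote router translated the IP
    header but left SIP/SDP untouched. Comparing to the outer source (not
    ipaddress.is_private) matters since the article's 10.11.12.13 is RFC 1918."""
    outer = ipaddress.ip_address(outer_src_ip)
    return {f: ip for f, ip in sip_addresses(msg).items()
            if ipaddress.ip_address(ip) != outer}
```

An empty result for a capture means the remote router already rewrote the SIP addresses and HNAT is not required for that client.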
Solution
If the SIP endpoint router external to the FortiGate network does not support SIP ALG, use SIP HNT (Hosted NAT Traversal) to help complete registration and achieve two-way audio.
set external enable

config voip profile
    edit "SIP-HNT"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable   (*)
        end
    next
end

(*) Optional, but more secure. See the Technical Tip: How to Restrict RTP IP to be the same as SIP source IP when HNT is enabled.
Copyright 2024 Fortinet, Inc. All Rights Reserved.