gmanea
Staff
Article Id 197508

Description

 

This article describes what Hosted NAT Traversal (HNAT, abbreviated HNT in the FortiOS CLI) is and when it must be enabled in a SIP ALG configuration.

 

Scope

 

FortiOS.

 

Solution

HNAT is a solution for SIP clients that connect from a remote location behind a router (ISP home gateway, MPLS CE, etc.) that performs NAT on all traffic, including SIP, but is not SIP-aware, and therefore does not rewrite the addresses carried inside the SIP headers and the SDP body the way a SIP ALG would.
This causes problems in SIP handling: phones are unable to register, or calls have one-way audio.

 

Diagram of the SIP communication without HNAT:

[Diagram: SIPHNAT.png]

 

Note: With the SIP ALG or the SIP session helper enabled (and HNAT disabled), the FortiGate may still apply SNAT to the SDP content in this case. The address 192.168.1.10 may therefore not reach the PBX; instead, the public (or local) IP of the FortiGate interface may replace it in the SDP.


Ideally, the NAT of the addresses carried in the SIP headers and SDP should be handled by the local router (a SIP-aware NAT or SIP ALG on the customer premises).
Most home routers provided by ISPs do not have this capability.

Note that when the client connects over a VPN, which is increasingly common for security reasons, HNAT is not needed at all: all client traffic is tunnelled from the endpoint to the company FortiGate (and PBX), the phone's address inside the tunnel is reachable from the FortiGate, and no NAT of the SIP headers takes place.


How to tell whether this is the case (and HNAT is needed)?
Run a packet capture on the incoming (WAN) interface of the FortiGate, filtered on port 5060 and the public source IP of the client.
Attempt a call. Stop the capture and open it with a packet analyzer (for example Wireshark).


What to look for:
A SIP message sent by the user's phone that carries SDP (for example an INVITE request or a 200 OK response) shows SIP/SDP in the 'Protocol' column.

The IPv4 header will show:
Src: 10.11.12.13 Dst: 99.98.97.96 (Src is the public IP of the calling client, here represented by 10.11.12.13; Dst is the public IP of the FortiGate)
Expand the SIP part of the packet -> 'Request line', 'Message Header', 'Message body'.
Focus on the following content:

Header:

 

Via: 192.168.1.11:5060                     <- This is the local IP of the phone in the client's private network. It should have been rewritten to the public IP of the client (10.11.12.13).
From: 12345@10.11.12.13                    <- This is OK.
Contact: 12345@192.168.1.11:65432          <- Again the private IP (and port) of the phone; this is where the PBX will try to send requests.

 

Body:

 

(o): ……. IN IP4 192.168.1.11 <- The SDP also carries the private address. As these IPs are not routable from outside the client's network, the FortiGate or PBX cannot send the return traffic (in particular RTP media) without HNAT enabled.
(c): IN IP4 192.168.1.11 <- Same here; this is the address the PBX would send media to.
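The check described above, implemented as an added example (this code is not part of the original article and not Fortinet's): it parses a SIP INVITE with SDP, extracts the addresses in Via, Contact and the SDP o=/c= lines, and compares each to the IPv4 source of the packet. Any address that differs from the outer source is one the FortiGate or PBX cannot reach, which is the symptom that calls for HNAT. The two messages are constructed samples, not captures; the article's 10.11.12.13 is a stand-in for a public address, so the example uses the RFC 5737 documentation ranges (203.0.113.20 for the client router, 198.51.100.96 for the FortiGate) so that the RFC 1918 classification behaves as it would in production.

```python
"""Detect the HNAT symptom in a captured SIP message: the phone's RFC 1918
address is still present in Via, Contact and the SDP o=/c= lines, while the
packet itself arrives from the public IP of the client's NAT router."""
import ipaddress
import re

# Assumed addresses (RFC 5737 documentation ranges, not real hosts):
OUTER_SRC = "203.0.113.20"      # public IP of the client's router = IPv4 source of the packet
FORTIGATE_IP = "198.51.100.96"  # public IP of the FortiGate WAN interface
PHONE_LAN_IP = "192.168.1.11"   # the phone's address in the client's private network

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields that carry the endpoint's own address and that a SIP-aware NAT device is
# expected to rewrite. "From" is deliberately not checked: it is not used to route
# replies or media. IPv4 literals only, as in the article's capture.
_FIELD_PATTERNS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:\s*<?sips?:(?:[^@>\s]*@)?([^;>:\s]+)", re.I | re.M),
    "SDP o=": re.compile(r"^o=\S+\s+\S+\s+\S+\s+IN\s+IP4\s+(\S+)", re.M),
    "SDP c=": re.compile(r"^c=IN\s+IP4\s+(\S+)", re.M),
}


def build_invite(signalling_addr: str) -> str:
    """Constructed sample INVITE with SDP (not a real capture). signalling_addr is
    the address the phone writes into its own headers and SDP."""
    lines = [
        f"INVITE sip:5678@{FORTIGATE_IP} SIP/2.0",
        f"Via: SIP/2.0/UDP {signalling_addr}:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:12345@{OUTER_SRC}>;tag=1928301774",
        f"To: <sip:5678@{FORTIGATE_IP}>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 1 INVITE",
        f"Contact: <sip:12345@{signalling_addr}:65432>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=12345 2890844526 2890844526 IN IP4 {signalling_addr}",
        "s=-",
        f"c=IN IP4 {signalling_addr}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
    ]
    return "\r\n".join(lines) + "\r\n"


# As seen when the home router NATs only the IP layer (HNAT needed)
INVITE_UNFIXED = build_invite(PHONE_LAN_IP)
# As a SIP-aware router would emit it (no HNAT needed)
INVITE_FIXED = build_invite(OUTER_SRC)


def is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname rather than an address literal
        return False
    return any(ip in net for net in RFC1918)


def extract_addresses(msg: str) -> dict:
    """{field: address} for every address-bearing field present in the message."""
    head, _, body = msg.partition("\r\n\r\n")
    found = {}
    for field, pattern in _FIELD_PATTERNS.items():
        match = pattern.search(body if field.startswith("SDP") else head)
        if match:
            found[field] = match.group(1)
    return found


def analyze(msg: str, outer_src: str) -> list:
    """One finding per field: the embedded address, whether it equals the IPv4
    source of the packet, and whether it is an RFC 1918 address."""
    return [
        {"field": field, "address": addr,
         "matches_outer_src": addr == outer_src, "rfc1918": is_rfc1918(addr)}
        for field, addr in extract_addresses(msg).items()
    ]


def hnt_needed(msg: str, outer_src: str) -> bool:
    """True when the upstream router left addresses in the SIP/SDP that differ from
    the packet's source IP, i.e. addresses the FortiGate/PBX cannot route back to."""
    return any(not f["matches_outer_src"] for f in analyze(msg, outer_src))


if __name__ == "__main__":
    for label, msg in (("router not SIP-aware", INVITE_UNFIXED), ("SIP-aware router", INVITE_FIXED)):
        print(f"{label}: HNAT needed = {hnt_needed(msg, OUTER_SRC)}")
        for f in analyze(msg, OUTER_SRC):
            state = "OK" if f["matches_outer_src"] else "MISMATCH"
            print(f"  {f['field']:8} {f['address']:15} {state}{' (RFC 1918)' if f['rfc1918'] else ''}")
```

To use it on a real capture, export the SIP payload of the INVITE from the analyzer as text and pass it, together with the IPv4 source address of that packet, to hnt_needed(). The comparison against the outer source is the decisive test; the RFC 1918 flag is only supporting evidence, since a mismatching public address (for example from a misconfigured phone) is equally unreachable.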


Solution
If the router at the SIP endpoint's site (external to the FortiGate network) does not support a SIP ALG, enable SIP HNT (Hosted NAT Traversal) on the FortiGate to complete registration and achieve two-way audio.

 

  1. On the FortiGate, first mark the external interface. The following setting is added, under config system interface, to the interface on which the SIP packets are received (WAN):



set external enable

 

  2. VIP configuration (in most cases a VIP is required to open at least port 5060 to the PBX on the internal network).

    There can be cases where the FortiGate simply passes the traffic from one public network to another public network, performing only SNAT (or no NAT at all). Even then, as a SIP-aware firewall, it makes some changes to the SIP headers and SDP by default (for example adding a Via field).
  3. Create a VoIP profile with HNT enabled.

 

config voip profile
    edit "SIP-HNT"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    next
end

    hnt-restrict-source-ip is optional but more secure: it requires the RTP source IP to be the same as the SIP signalling source IP, so a third party cannot inject media into the call from another address. See the Technical Tip: How to Restrict RTP IP to be the same as SIP source IP when HNT is enabled.

 

  4. Apply this VoIP profile in the firewall policy that accepts the incoming SIP traffic (otherwise the "default" VoIP profile, which has HNT disabled, is used).

    For FortiGates connected to the ISP (rather than MPLS), a VIP must be defined and referenced as the destination in that policy.

    A detailed explanation of HNT and how it works can be found in the FortiOS Handbook and cookbooks (links referenced below).

 

Related articles: