gmanea
Staff
Article Id 190676

Description

 

This article describes the most common scenarios of VoIP implementation on FortiGate when SIP is used.

There are three general scenarios in which the FortiOS Session Initiation Protocol (SIP) solution is usually deployed, plus a common practice for ISP/multi-VDOM scenarios where NAT is needed.


Solution


For ease of understanding, the green highlight marks the part of the network that is managed.


 
 
 The SIP server (managed by user) is in a private network, protected from the internet by a FortiGate (managed by user). 
 
  • Phones need to register to the SIP server in order to place calls through it, so port 5060 needs to be opened through the FortiGate with a VIP.
 
The VIP can open port 5060 or all ports, and only one firewall policy is needed: external_intf > sip_server_intf, service SIP, NAT disabled.
Based on the SDP information in the SIP packets, the FortiGate opens the necessary audio ports for each session.
 

 
The SIP clients (managed by user) are in a private network, protected from the internet by a FortiGate (managed by user).
 
  • FortiGate must apply source NAT to the outgoing packets, including the SDP content, to hide the internal network.
 
By default, SIP-ALG does this with no further configuration other than a firewall policy: LAN > external_interface, service SIP, NAT enabled.
Based on the SDP content, a new session expectation (for RTP) is created.
 
 
 
The SIP server (managed by user) is in a private network, protected from the internet by a FortiGate (managed by user). 
The SIP clients are in a remote private network, such as a SOHO network, AND behind a NAT device that is not aware of SIP applications.
 
  • The NAT device only changes the content of the IP headers, leaving the SDP content (IPs) unchanged. This causes problems in the SIP process.

FortiGate must have hosted NAT traversal (HNAT) enabled to correct this situation:

  • 'set external enable' on the incoming interface.
  • A VIP to open port 5060 to the local SIP server.
  • 'hosted-nat-traversal' enabled on the VoIP profile.
  • The VIP as destination object and NAT enabled in the policy.
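
The mismatch described in this scenario, and the SDP-derived audio port expectation from the first two scenarios, as an added Python example (not from the original article and not Fortinet code): it derives the RTP address and port from the SDP body of a constructed INVITE and lists the fields that still carry a private address after a header-only NAT. The message, the addresses and the function names are assumptions made for illustration, and only IPv4 is handled.

```python
import ipaddress
import re

# Constructed sample (not a capture): an INVITE as seen on the FortiGate's
# external interface after a far-end NAT rewrote only the IP header.
OBSERVED_SRC = "203.0.113.10"  # packet source IP after that NAT (documentation range)
INVITE = (
    "INVITE sip:200@198.51.100.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:100@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rtp_expectations(message):
    """(media, ip, port) per m= line: the address/port an ALG would expect RTP on."""
    session_ip, found = None, []
    for line in message.partition("\r\n\r\n")[2].splitlines():
        if line.startswith("c="):
            ip = line.split()[-1].split("/")[0]
            if found:
                found[-1][1] = ip      # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            found.append([kind, session_ip, int(port.split("/")[0])])
    return [tuple(f) for f in found]

def far_end_nat_findings(message, observed_src):
    """Fields still carrying an RFC 1918 address that differs from the packet source."""
    fields = []
    for line in message.partition("\r\n\r\n")[0].splitlines()[1:]:
        name, _, value = line.partition(":")
        match = IPV4.search(value)
        if name.lower() in ("via", "contact") and match:
            fields.append((name, match.group()))
    fields += [("SDP " + kind, ip) for kind, ip, _ in rtp_expectations(message)]
    return [(name, ip) for name, ip in fields if ip and ip != observed_src
            and any(ipaddress.ip_address(ip) in net for net in RFC1918)]
```

An empty result from `far_end_nat_findings` means the signalling and SDP addresses agree with the packet source, so no far-end correction is needed for that message.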
 
 

  
The SIP clients are in a remote public network; the SIP server is located in a different public network.
The SIP clients may or may not be behind a SIP-aware NAT unit.
 
The SIP server accepts incoming connections only from a specific range of IPs, so the FortiGate must NAT the traffic to the desired range by using an IP-pool.
Neither the clients nor the server is on the local/private network.
 

Firewall Policy Configuration for SIP traffic:

Note: This is a sample SIP configuration. Check the SIP provider's documentation for its requirements.

 

Topology:

Internal phone network (Test-Phone VLAN) --- Internal Phone Server (Test-Server VLAN) --- FGT (WAN) --- Internet --- SIP provider

 

(If the phone server is in the same VLAN as the phone system, you can skip the first step of the policy configuration below)

 

  1. Make sure to establish the connections between the phones and the internal phone server by creating 2 firewall policies for the VLAN traffic with NAT disabled: 
 

config firewall policy
    edit 1
        set name "Phone-to-Server"
        set srcintf "Test-Phone"
        set dstintf "Test-Server"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "Server-to-Phone"
        set uuid c25ad7ee-d4b2-51ed-cc97-a28410b79310
        set srcintf "Test-Server"
        set dstintf "Test-Phone"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 
  2. Create a new VIP object mapping the WAN IP address to the internal phone server’s IP address. Enable 'Optional Filters' and 'Source address' to type the IP address of the SIP provider. This means that only traffic from the SIP provider will be able to reach the internal phone server through the WAN IP address.

 

config firewall vip
    edit "SIP-to-Server-VIP"
        set uuid deafae72-d4b4-51ed-665a-f03753be03dd
        set src-filter "<SIP-provider-public-IP>"
        set extip "<WAN-IP-address>"
        set mappedip "<Test-Server-VLAN-address>"
        set extintf "any"
    next
end

 

Optionally, services can be enabled to further restrict which port(s) can reach the internal address, and port forwarding can be enabled to map the external port(s) to internal port(s).

 

  3. In the firewall policy configuration page (either 'IPv4 Policy', 'Firewall Policy' or 'Security Policy' for NGFW mode), create 2 firewall rules for traffic from the internal phone server VLAN to the Internet and vice versa:

 

config firewall policy
    edit 4
        set name "SIP-to-Server"
        set srcintf "WAN"
        set dstintf "Test-Server"
        set action accept
        set srcaddr "all"
        set dstaddr "SIP-to-Server-VIP"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Server-to-SIP"
        set srcintf "Test-Server"
        set dstintf "WAN"
        set action accept
        set srcaddr "Test-Server address"
        set dstaddr "SIP Provider"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

  4. Optionally, configure any UTM features as needed and/or restrict the policies to allow traffic only for certain port(s) by adding service(s) (for example, UDP port 5060).
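
A check for the two restrictions this procedure relies on, as an added Python example (not Fortinet tooling and not part of the original article): it parses the VIP and the inbound policy from steps 2 and 3, abridged, and reports an accept policy from the WAN interface that uses service ALL or whose VIP has no src-filter. The parser handles only flat config/edit/set blocks, and the function names and finding strings are assumptions.

```python
import shlex

# VIP (step 2) and inbound policy 4 (step 3) from this article, abridged to the
# settings the check reads and embedded so it runs offline.
CONFIG = '''
config firewall vip
    edit "SIP-to-Server-VIP"
        set src-filter "<SIP-provider-public-IP>"
        set extip "<WAN-IP-address>"
        set mappedip "<Test-Server-VLAN-address>"
    next
end
config firewall policy
    edit 4
        set name "SIP-to-Server"
        set srcintf "WAN"
        set action accept
        set srcaddr "all"
        set dstaddr "SIP-to-Server-VIP"
        set service "ALL"
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tree

def audit_inbound(tree, untrusted="WAN"):
    """Findings for accept policies entering from the untrusted interface."""
    vips, findings = tree.get("firewall vip", {}), []
    for pid, p in tree.get("firewall policy", {}).items():
        if p.get("action") != ["accept"] or untrusted not in p.get("srcintf", []):
            continue
        if "ALL" in p.get("service", []):
            findings.append((pid, "service ALL"))
        open_dst = [d for d in p.get("dstaddr", []) if not vips.get(d, {}).get("src-filter")]
        if "all" in p.get("srcaddr", []) and open_dst:
            findings.append((pid, "no source restriction: " + ", ".join(open_dst)))
    return findings
```

With the article's configuration the only finding is the service ALL setting on policy 4, because the VIP's src-filter already limits the source to the SIP provider.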

IMPORTANT NOTE.

In a SIP VoIP scenario, it is desirable to perform the fewest NAT operations necessary, and only if absolutely needed.
Choose the methods that are easiest to control.
Consider them in this order: VIP (most common), VIP (ranges of IPs), SIP-ALG (it performs NAT), IP-pool (least desirable, only when absolutely needed; otherwise SIP-ALG or VIP are a better solution).

Based on: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/667795/general-use-cases
 
 

 

Related Articles

Technical Tip: VOIP calls (using SIP)

Technical Tip: Disabling VoIP Inspection

Technical Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

Technical Tip: FortiGate Hosted NAT Traversal for SIP

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2

Technical Tip: How to create SIP helper for custom ports