FortiGate
anandpatel
Staff
Description
In a source or destination NAT security policy that accepts SIP sessions, the SIP ALG or the SIP session helper can be configured to preserve the original (pre-NAT) source IP address of the SIP message in the Session Description Protocol (SDP) body.
In other cases, the original IP address and port from the SIP Contact header must still be available after NAT.


Solution
For SIP sessions handled by a security policy with SNAT or DNAT, the SIP ALG or the SIP session helper can preserve the original source IP address of the SIP message in the i= line of the SDP body.
NAT with IP address conservation (also called SIP NAT tracing) changes the contents of SIP messages by adding the source IP address of the originator of the message to the SDP i= line. The i= line is a free-form session-information field, so the addition has no effect on media negotiation; it is only useful if the SIP server retrieves the i= line, for example to keep a record of the pre-NAT source IP address of each originator when operating in a NAT environment.
Note that the line carries the pre-NAT (usually private) address to every hop that receives the message, so leave NAT tracing enabled only where the SIP server actually consumes it.

  • NAT with IP address conservation
- Configuring SIP IP address conservation for the SIP ALG:
Use the following command to enable or disable SIP IP address conservation in a VoIP profile for the SIP ALG. SIP IP address conservation is enabled by default in a VoIP profile, so the example below disables it:
#config voip profile
edit VoIP_Pro_1
config sip
set nat-trace disable
end
end
If the SIP message does not include an i= line and if the original source IP address of the traffic (before NAT) was 10.31.101.20 then the FortiGate would add the following i= line.
i=(o=IN IP4 10.31.101.20)
The preserve-override option controls what the SIP ALG does when the message already contains an i= line: either append the (o=IN IP4 <original-ip>) information to the end of the existing i= line, or replace the existing i= line with a new one in the same form as shown above for a message without an i= line.

By default, preserve-override is disabled and the SIP ALG appends to the existing i= line.
Use the following command to configure the SIP ALG to replace the original i= line instead:
#config voip profile
edit VoIP_Pro_1
config sip
set preserve-override enable
end
end

- Configuring SIP IP address conservation for the SIP session helper

Use the following command to enable or disable SIP IP address conservation for the SIP session helper.
IP address conservation is enabled by default for the SIP session helper.
#config system settings
set sip-nat-trace disable
end
If the SIP message does not include an i= line and if the original source IP address of the traffic (before NAT) was 10.31.101.20 then the FortiGate would add the following i= line.
i=(o=IN IP4 10.31.101.20)
  • Adding the original IP address and port to the SIP message header after NAT
In some cases, the SIP configuration may require that the original IP address and port from the SIP Contact header are kept after NAT.
For example, the original Contact header could be:
Contact: <sip:0150302438@172.20.120.110:5060>;
After the packet passes through the FortiGate and NAT is performed, the Contact header would normally look like the following (the IP address translated to a different IP address and the port to a different port):
Contact: <sip:0150302438@10.10.10.21:33608>;
Enable register-contact-trace in a VoIP profile to have the SIP ALG keep the original IP address and port as an o= URI parameter, inside the angle brackets, in the following format:
Contact: <sip:0150302438@<nated-ip>:<nated-port>;o=<original-ip>:<original-port>>;
So the contact line after NAT could look like the following:
Contact: <sip:0150302438@10.10.10.21:33608;o=172.20.120.110:5060>;
Enter the following command to enable keeping the original IP address and port:
#config voip profile
edit Profile_name
config sip
set register-contact-trace enable
end
end
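To see what the two rewrites (the SDP i= line for nat-trace / preserve-override, and the Contact o= parameter for register-contact-trace) actually do to a message, here is an added Python model of them. It is example code written for this article, not FortiGate code: it builds a constructed INVITE from a phone at 172.20.120.110:5060, applies the rewrites the way the text describes them, and then parses the pre-NAT address back out the way a SIP server (or an analyst reading a capture) would. Assumed details not stated on the page: the i= line is inserted after s= when the message has none, the exact formatting when appending to an existing i= line, and that Content-Length is recomputed for the changed body; the domain, Call-ID and branch values are made up.

```python
"""Model of FortiGate SIP IP address conservation (added example, not FortiGate code)."""
import re

# Constructed sample addresses, not captured from a real deployment.
PRE_NAT_IP, PRE_NAT_PORT = "172.20.120.110", 5060   # phone behind the FortiGate
NATED_IP, NATED_PORT = "10.10.10.21", 33608          # address and port after SNAT

SDP_BODY = (
    "v=0\r\n"
    f"o=0150302438 2890844526 2890844526 IN IP4 {PRE_NAT_IP}\r\n"
    "s=Call\r\n"
    f"c=IN IP4 {PRE_NAT_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

CONTACT_RE = re.compile(r"(?mi)^Contact:[ \t]*<sip:([^@>]+)@([\d.]+):(\d+)>")


def build_invite(sdp: str) -> str:
    """Constructed INVITE as it leaves the phone, i.e. before any NAT."""
    return (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {PRE_NAT_IP}:{PRE_NAT_PORT};branch=z9hG4bK776asdhds\r\n"
        "From: <sip:0150302438@example.net>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:0150302438@{PRE_NAT_IP}:{PRE_NAT_PORT}>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp.encode())}\r\n"
        "\r\n"
        f"{sdp}"
    )


def split_message(msg: str):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def join_message(head: str, body: str) -> str:
    # The SDP rewrite changes the body length, so Content-Length must be recomputed.
    head = re.sub(r"(?mi)^Content-Length:[^\r\n]*", f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body


def sdp_nat_trace(body: str, original_ip: str, preserve_override: bool = False) -> str:
    """nat-trace: record the pre-NAT source in the SDP i= line.

    Assumption: with no existing i= line it is inserted after s= (the position
    RFC 4566 gives the field); the formatting when appending is also assumed.
    """
    tag = f"(o=IN IP4 {original_ip})"
    lines = body.split("\r\n")
    has_info = any(line.startswith("i=") for line in lines)
    out = []
    for line in lines:
        if line.startswith("i="):
            # preserve-override enable: replace the line; disable (default): append to it.
            out.append(f"i={tag}" if preserve_override else line + tag)
            continue
        out.append(line)
        if line.startswith("s=") and not has_info:
            out.append(f"i={tag}")
    return "\r\n".join(out)


def contact_nat(head: str, nated_ip: str, nated_port: int, register_contact_trace: bool = False) -> str:
    """Rewrite the Contact URI to the NATed address, optionally keeping the original as o=."""
    def repl(m):
        user, orig_ip, orig_port = m.groups()
        uri = f"sip:{user}@{nated_ip}:{nated_port}"
        if register_contact_trace:
            uri += f";o={orig_ip}:{orig_port}"   # URI parameter, inside the angle brackets
        return f"Contact: <{uri}>"
    return CONTACT_RE.sub(repl, head)


def fortigate_nat(msg, nated_ip, nated_port, original_ip, *, nat_trace=True,
                  preserve_override=False, register_contact_trace=False):
    """What the SIP ALG would emit for one message under the given profile settings."""
    head, body = split_message(msg)
    head = contact_nat(head, nated_ip, nated_port, register_contact_trace)
    if nat_trace and body:
        body = sdp_nat_trace(body, original_ip, preserve_override)
    return join_message(head, body)


# Receiving side: what a SIP server, or anyone reading a capture, can recover.
def recover_original_sdp(msg: str):
    m = re.search(r"(?m)^i=.*\(o=IN IP4 ([\d.]+)\)", split_message(msg)[1])
    return m.group(1) if m else None


def recover_original_contact(msg: str):
    m = re.search(r"(?mi)^Contact:[ \t]*<sip:[^@>]+@([\d.]+):(\d+);o=([\d.]+):(\d+)>",
                  split_message(msg)[0])
    if not m:
        return None
    return {"nated": (m.group(1), int(m.group(2))), "original": (m.group(3), int(m.group(4)))}


def content_length_matches(msg: str) -> bool:
    head, body = split_message(msg)
    m = re.search(r"(?mi)^Content-Length:[ \t]*(\d+)", head)
    return m is not None and int(m.group(1)) == len(body.encode())


if __name__ == "__main__":
    invite = build_invite(SDP_BODY)
    traced = fortigate_nat(invite, NATED_IP, NATED_PORT, PRE_NAT_IP, register_contact_trace=True)
    print(traced)
    print("pre-NAT source from SDP:", recover_original_sdp(traced))
    print("pre-NAT Contact:", recover_original_contact(traced)["original"])
```

Running it prints the post-NAT INVITE with both markers present. The recover_* functions make the practical point concrete: whatever follows o= is readable by every hop downstream of the FortiGate, so the private address is disclosed whether or not the server makes use of it, which is why both options belong only in profiles whose server side needs them.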
