This article describes what Hosted NAT Traversal (HNT, also written HNAT) is and when it must be enabled in a SIP ALG configuration on a FortiGate.
A detailed explanation of HNT and how it works can be found in the FortiOS Handbook and cookbooks (links below).
HNT is a solution for SIP clients that connect from a location behind a router (ISP, MPLS, etc.) which applies NAT to all traffic, including SIP, but is not aware of the SIP content and therefore does not rewrite it as the protocol expects. SIP carries the endpoint's own address inside the message (the Via and Contact headers, and the o= and c= lines of the SDP body); a NAT that only rewrites the IP and UDP headers leaves those private addresses in place.
This causes problems in SIP handling: phones are unable to register, and calls have one-way audio because the far end sends RTP to the private address advertised in the SDP.
Ideally, this should be addressed by the local router (a SIP-aware NAT or a router with its own SIP ALG).
But most home routers provided by ISPs do not have this capability.
How to tell if this is the case?
– Run a packet capture on the incoming (external) interface of the FortiGate, filtered on port 5060 and the public source IP of the client.
Attempt a call, then stop the capture and open it with a packet analyzer.
What to look for:
A SIP message containing SDP (a request such as INVITE, or a response such as 200 OK) will show SIP/SDP in the 'Protocol' column.
The IPv4 header will show:
Src: 10.11.12.13 Dst: 188.8.131.52 (where Src is the public IP of the calling client and Dst is the public IP of the FortiGate; both addresses are placeholders, and 10.11.12.13 stands in for the client's real public IP throughout this article)
Expand the SIP part of the packet > 'Request-Line', 'Message Header', 'Message Body'.
Focus on the following content:
Via: 192.168.1.11:5060 <----- This is the local IP of the phone in the client's private network. If the router in front of the client were SIP-aware, this would be the public IP of the client (10.11.12.13).
From: firstname.lastname@example.org <----- This is OK. From and To identify users, not transport addresses, so they are not expected to change.
(o): ……. IN IP4 192.168.1.11 <----- Session owner address in the SDP body: again the private IP of the phone.
(c): IN IP4 192.168.1.11 <----- Connection address in the SDP body, i.e. where the far end is told to send RTP. A private address here is what produces one-way audio.
If the router in front of the SIP endpoint (external to the FortiGate network) does not support SIP ALG, use SIP HNT (Hosted NAT Traversal) on the FortiGate to complete registration and obtain two-way audio.
1) On the FortiGate, it is necessary to identify the external interface: apply the following setting (under config system interface) to the interface on which the packets are received:
set external enable
2) VIP configuration (in most cases, a VIP is required to forward at least port 5060 to the internal network).
There can be cases where the FortiGate simply passes the traffic from one public network to another public network, performing only NAT.
Even in this case, destination NAT must also be performed on the SDP data within the SIP messages, and that is done by the SIP ALG, not by plain NAT.
3) Create a VoIP profile with HNT enabled (the HNT options are in the SIP section of the profile):
# config voip profile
    edit <profile name>
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    next
end
hnt-restrict-source-ip is optional but more secure: it only accepts RTP from the same source IP as the SIP signalling, so the media pinholes opened for the call cannot be used from another address.
4) Apply this VoIP profile in a firewall policy with NAT enabled.
If a VIP is configured for access to the internal network, the VIP object must be referenced as the destination address of that policy.
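The following Python script is an added worked example; it is not Fortinet code and not part of the original article. It automates the comparison described under 'What to look for' and models the two profile settings from step 3: diagnose() compares the IPv4 source of a captured packet with the addresses the phone placed in Via, Contact and the SDP o=/c= lines and reports whether HNT is needed; apply_hnt_rewrite() is a simplified model (an assumption, not the FortiOS implementation) of the ALG replacing those fields with the packet's outer source when hosted-nat-traversal is enabled; rtp_source_allowed() models what hnt-restrict-source-ip enforces (RTP must come from the same source IP as the SIP signalling). The INVITE and all addresses (203.0.113.45 for the client's public IP, 192.168.1.11 for the phone) are constructed test data. To use it on a real capture, paste the SIP payload exported from the packet analyzer into SAMPLE_INVITE and the IPv4 header source into SAMPLE_OUTER_SRC.

```python
"""Added example: check a captured SIP message for NAT that is not SIP-aware.

Not Fortinet code. Compares the IPv4 source of the packet with the addresses
the phone wrote into the SIP headers and SDP, which is exactly the manual
comparison done in the packet analyzer. All sample data below is constructed.
"""
import ipaddress
import re

# Constructed sample: an INVITE as seen on the FortiGate external interface.
# Outer source = the client's public IP (documentation range 203.0.113.0/24);
# the phone's LAN address 192.168.1.11 leaked into the headers and the SDP.
SAMPLE_OUTER_SRC = "203.0.113.45"
SAMPLE_INVITE = (
    "INVITE sip:firstname.lastname@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.11:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:firstname.lastname@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.11\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.11:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 110\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 192.168.1.11\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.11\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Where a SIP phone writes its own transport address. From/To carry user
# identities, not addresses, so they are deliberately not checked.
_FIELDS = (
    ("Via", re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.I | re.M)),
    ("Contact", re.compile(r"^Contact:.*?sip:(?:[^@>]*@)?([^:;>\s]+)", re.I | re.M)),
    ("SDP o=", re.compile(r"^o=.*\bIN\s+IP4\s+(\S+)", re.M)),
    ("SDP c=", re.compile(r"^c=IN\s+IP4\s+(\S+)", re.M)),
)


def _as_ip(text):
    """Return an ip_address for a literal address, or None for a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def extract_embedded_addresses(sip_text):
    """Return {field name: address string} for each field in _FIELDS found."""
    found = {}
    for name, rx in _FIELDS:
        m = rx.search(sip_text)
        if m:
            found[name] = m.group(1)
    return found


def diagnose(outer_src, sip_text):
    """Compare the IP header source with the addresses inside the payload.

    A field whose address differs from the outer source was not rewritten by
    the NAT device in front of the client; a private (RFC 1918) address there
    is the signature of a NAT that is not SIP-aware, so HNT is needed.
    """
    outer = ipaddress.ip_address(outer_src)
    embedded = extract_embedded_addresses(sip_text)
    mismatches = {}
    for field, addr in embedded.items():
        ip = _as_ip(addr)
        if ip is not None and ip != outer:
            mismatches[field] = {"embedded": addr, "private": ip.is_private}
    return {"outer_src": str(outer), "embedded": embedded,
            "mismatches": mismatches, "needs_hnt": bool(mismatches)}


def apply_hnt_rewrite(outer_src, sip_text):
    """Simplified model (assumption, not the FortiOS implementation) of what
    the SIP ALG does with hosted-nat-traversal enabled: the unreachable
    private address in Via, Contact and SDP o=/c= is replaced by the packet's
    outer source, so the far end signals and sends RTP to the client's NAT
    device. Other occurrences (e.g. in Call-ID) are left alone."""
    outer = ipaddress.ip_address(outer_src)
    out = sip_text
    for _name, rx in _FIELDS:
        m = rx.search(out)
        if m is None:
            continue
        ip = _as_ip(m.group(1))
        if ip is None or ip == outer:
            continue
        out = out[:m.start(1)] + str(outer) + out[m.end(1):]
    return out


def rtp_source_allowed(sip_outer_src, rtp_src, restrict_source_ip=True):
    """Model of 'set hnt-restrict-source-ip enable': RTP is only accepted
    from the same source IP as the SIP signalling, so the media pinholes
    opened for the call cannot be used by a third party."""
    if not restrict_source_ip:
        return True
    return ipaddress.ip_address(sip_outer_src) == ipaddress.ip_address(rtp_src)


if __name__ == "__main__":
    report = diagnose(SAMPLE_OUTER_SRC, SAMPLE_INVITE)
    for field, info in report["mismatches"].items():
        print(f"{field}: {info['embedded']} != outer {report['outer_src']}"
              f" (private={info['private']})")
    print("HNT needed:", report["needs_hnt"])
    print(apply_hnt_rewrite(SAMPLE_OUTER_SRC, SAMPLE_INVITE))
```

Running the script on the constructed INVITE reports all four fields as mismatching with a private embedded address, which is the situation the article describes; after apply_hnt_rewrite() the same check passes, which is the state a SIP-aware router would have produced in the first place.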