FortiGate
anandpatel
Staff
Article Id 195729

Description


This article describes how, in a source or destination NAT firewall policy that accepts SIP sessions, the SIP ALG (or the SIP session helper) can be configured to stop preserving the original source IP address of the SIP message in the Session Description Protocol (SDP) header.
Generally, the original IP address and port from the SIP contact are required in the SDP header after NAT (details below).

This is enabled by default in the SIP ALG and the SIP session helper and should be left unchanged.


Solution


In a SIP session with SNAT or DNAT, the original source IP address of the SIP message is preserved in the "i=" line of the SDP header.

This is done by default whether the SIP ALG or the SIP session helper is used.
NAT with IP address conservation (also called SIP NAT tracing) changes the contents of SIP messages by adding the source IP address of the originator of the message into the SDP i= line of the SIP message.
If the SIP server can retrieve information from the SDP i= line, it can be used to keep a record of the source IP address of the originator of a SIP message when operating in a NAT environment. This is useful, for example, when the local phones are tracked individually on the SIP server instead of as a single IP (the public IP of the FortiGate).

Problems may arise when the SIP server chooses to use the "i=" record (which may be a local IP) for the return path. This may fail over multiple NATs.

 

NAT with IP address conservation.

For the SIP ALG, use the following command to disable SIP IP address conservation in the VoIP profile.
In the 'default' VoIP profile, which is used for all calls, SIP IP address conservation is enabled by default (the i= field is added).

# config voip profile
    edit VoIP_Pro_1
        config sip
            set nat-trace disable
        end
    next
end

 

If the SIP message does not include an i= line and the original source IP address of the traffic (before NAT) was 10.31.101.20, the FortiGate adds the following i= line:

 

i=(o=IN IP4 10.31.101.20)

 

It is also possible to use the preserve-override option to control how the SIP ALG handles a message that already contains an i= line: either add the original o= information to the end of the existing i= line, or replace the existing i= line with a new i= line in the same form as the one added above when no i= line is present.

By default, preserve-override is disabled and the SIP ALG adds the original o= line to the end of the original i= line (this is the expected and generally used behaviour).
Use the following command to configure the SIP ALG to replace the original i= line instead:

 

# config voip profile
    edit VoIP_Pro_1
        config sip
            set preserve-override enable
        end
    next
end
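As an added example (not code from this article or from FortiOS), the following Python script models what nat-trace and preserve-override do to an SDP body, and includes the parser a SIP server would need to read the original IP back out of the i= line, plus the return-path check that the caveat about local IPs calls for. The sample SDP body, the NAT address 203.0.113.5, and the exact concatenation used when an i= line already exists are assumptions; the article only shows the form of the line the ALG adds when none exists.

```python
"""Added example, not code from the Fortinet article or FortiOS: a small model
of the SIP ALG's IP address conservation (nat-trace) on an SDP body, covering
nat-trace on/off and both preserve-override modes, and the parser a SIP server
would need to recover the original IP from the i= line."""
import ipaddress
import re

# Form shown in the article for the line the ALG adds: i=(o=IN IP4 <orig-ip>)
TRACE_RE = re.compile(r"\(o=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\)")


def _nat_address(line: str, original_ip: str, nat_ip: str) -> str:
    """Replace the trailing address of a c= or o= line (the normal ALG NAT rewrite)."""
    parts = line.split(" ")
    if parts[-1] == original_ip:
        parts[-1] = nat_ip
    return " ".join(parts)


def nat_trace_sdp(sdp: str, original_ip: str, nat_ip: str,
                  nat_trace: bool = True, preserve_override: bool = False) -> str:
    """Rewrite an SDP body the way a NATing SIP ALG would.

    c= and o= addresses become nat_ip. With nat_trace, the pre-NAT source IP is
    recorded as i=(o=IN IP4 <ip>): appended to an existing i= line when
    preserve_override is False (assumed concatenation; the article shows only
    the no-i= case), or replacing the existing i= line when it is True.
    """
    tag = f"(o=IN IP4 {original_ip})"
    out = []
    has_i = False
    for line in sdp.splitlines():
        if line.startswith(("c=", "o=")):
            line = _nat_address(line, original_ip, nat_ip)
        elif line.startswith("i="):
            has_i = True
            if nat_trace:
                line = "i=" + tag if preserve_override else line + tag
        out.append(line)
    if nat_trace and not has_i:
        # RFC 4566 places i= right after s=; fall back to the top if s= is missing
        pos = next((n + 1 for n, l in enumerate(out) if l.startswith("s=")), 0)
        out.insert(pos, "i=" + tag)
    return "\r\n".join(out) + "\r\n"


def original_ip_from_sdp(sdp: str):
    """Server side: pull the pre-NAT IP out of the i= line, or None if absent."""
    for line in sdp.splitlines():
        if line.startswith("i="):
            m = TRACE_RE.search(line)
            if m:
                return m.group(1)
    return None


def traced_ip_is_routable(sdp: str) -> bool:
    """The article's caveat: a server that uses the i= address as the return
    path fails when that address is a private, behind-NAT IP."""
    ip = original_ip_from_sdp(sdp)
    return ip is not None and ipaddress.ip_address(ip).is_global


# Constructed sample: SDP body of an INVITE from a phone at 10.31.101.20
SAMPLE_SDP = (
    "v=0\r\n"
    "o=phone 2890844526 2890844526 IN IP4 10.31.101.20\r\n"
    "s=call\r\n"
    "c=IN IP4 10.31.101.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(nat_trace_sdp(SAMPLE_SDP, "10.31.101.20", "203.0.113.5"))
```

Running the script prints the NATed body with the c= and o= addresses replaced and `i=(o=IN IP4 10.31.101.20)` inserted after `s=`; `traced_ip_is_routable` returns False for that body, which is exactly the case where a server that routes to the i= address breaks.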

 

For the SIP session helper.

Note:

Do not use the SIP session helper unless all possible troubleshooting has been done with the SIP ALG.

The session helper for SIP is a feature that has not been maintained or updated since 2012 and provides very limited troubleshooting.

 

IP address conservation is enabled by default for the SIP session helper.

To disable SIP IP address conservation for the SIP session helper:


# config system settings
    set sip-nat-trace disable
end

 

If the SIP message does not include an i= line and the original source IP address of the traffic (before NAT) was 10.31.101.20, the FortiGate adds the following i= line:

 

i=(o=IN IP4 10.31.101.20)

 

Adding the original IP address and port to the SIP message header after NAT (SIP header, not SDP header).

 

In some rare SIP setups it may be required that the original IP address and port from the SIP contact request are kept after NAT.

This only applies to REGISTER packets, which have no SDP header.
So if phone registration is successful, this section does not apply to your problem.

 

For example, the original SIP contact request could include the following:

 

Contact: <sip:0150302438@172.20.120.110:5060>;

 

After the packet goes through the FortiGate and NAT is performed, the contact request normally looks like the following (the IP address is translated to a different IP address and the port to a different port):

 

Contact: <sip:0150302438@10.10.10.21:33608>;

 

Enable register-contact-trace in a VoIP profile to have the SIP ALG add the original IP address and port in the following format:

 

Contact: <sip:0150302438@<nated-ip>:<nated-port>;o=<original-ip>:<original-port>>;

 

So the contact line after NAT could look like the following:

 

Contact: <sip:0150302438@10.10.10.21:33608;o=172.20.120.110:5060>;

 

Enter the following command to enable keeping the original IP address and port:

 

# config voip profile
    edit Profile_name
        config sip
            set register-contact-trace enable
        end
    next
end
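As an added example (not code from this article or from FortiOS), the following Python script models the Contact header rewrite described above for REGISTER requests, with and without register-contact-trace, and the parser a registrar would need to read the o= parameter back. The sample REGISTER request is constructed, the NAT address and port (10.10.10.21:33608, as in the article) are passed in rather than looked up from a session table, and only the Contact header is rewritten (a real ALG also rewrites Via, which this model leaves alone).

```python
"""Added example, not code from the Fortinet article or FortiOS: models the
Contact header rewrite a NATing SIP ALG applies to REGISTER requests, with and
without register-contact-trace, and the registrar-side parser for the o=
parameter the trace adds."""
import re

# Contact: <sip:user@host:port[;uri-params]>[;header-params]   (IPv4 hosts only)
CONTACT_RE = re.compile(
    r"^(Contact:\s*<sip:)([^@>]+)@(\d{1,3}(?:\.\d{1,3}){3}):(\d+)((?:;[^>]*)?)>(.*)$"
)
TRACE_PARAM_RE = re.compile(r";o=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Contact line from the article, before NAT
ORIGINAL_CONTACT = "Contact: <sip:0150302438@172.20.120.110:5060>;"


def nat_contact(header: str, nat_ip: str, nat_port: int,
                register_contact_trace: bool = False) -> str:
    """Rewrite host:port in the Contact URI to the NATed values.

    With register_contact_trace the original endpoint is kept as a URI
    parameter in the article's form: @<nat-ip>:<nat-port>;o=<orig-ip>:<orig-port>
    (placed after any existing URI parameters; an assumption, the article
    shows only a parameter-free URI).
    """
    m = CONTACT_RE.match(header)
    if not m:
        raise ValueError("not a Contact header with an IPv4 SIP URI")
    prefix, user, orig_ip, orig_port, uri_params, rest = m.groups()
    trace = f";o={orig_ip}:{orig_port}" if register_contact_trace else ""
    return f"{prefix}{user}@{nat_ip}:{nat_port}{uri_params}{trace}>{rest}"


def parse_contact(header: str) -> dict:
    """Registrar side: where to send requests (the NATed host:port) and where
    the phone really is (the o= parameter), if the ALG recorded it."""
    m = CONTACT_RE.match(header)
    if not m:
        raise ValueError("not a Contact header with an IPv4 SIP URI")
    _, user, host, port, uri_params, _ = m.groups()
    orig = TRACE_PARAM_RE.search(uri_params)
    return {
        "user": user,
        "host": host,
        "port": int(port),
        "original": (orig.group(1), int(orig.group(2))) if orig else None,
    }


def nat_register(message: str, nat_ip: str, nat_port: int,
                 register_contact_trace: bool = False) -> str:
    """Apply nat_contact to the Contact header of a whole REGISTER request.
    REGISTER carries no SDP body, so there is nothing else to rewrite here."""
    return "\r\n".join(
        nat_contact(line, nat_ip, nat_port, register_contact_trace)
        if line.startswith("Contact:") else line
        for line in message.split("\r\n")
    )


# Constructed sample REGISTER from a phone at 172.20.120.110
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.20.120.110:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:0150302438@registrar.example.net>;tag=1928301774\r\n"
    "To: <sip:0150302438@registrar.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    + ORIGINAL_CONTACT + "\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(nat_register(SAMPLE_REGISTER, "10.10.10.21", 33608, register_contact_trace=True))
```

With register_contact_trace off, `nat_contact` reproduces the plain NATed line from the article; with it on, it reproduces the traced line, and `parse_contact` shows the registrar can recover both the NATed endpoint it must reply to and the original one.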