gmanea
Staff
Article Id 197508

Description
This article describes what Hosted NAT Traversal (HNAT) is and when it must be enabled in a SIP ALG configuration.

A detailed explanation of HNAT and how it works can be found in the FortiOS Handbooks and cookbooks (links below).
HNAT is a solution for SIP clients that connect from behind a router (ISP, MPLS, etc.) which performs NAT on all the traffic, including SIP, but without being aware of the SIP content (and therefore without rewriting the SIP headers and SDP body as expected).
This causes problems in SIP handling (phones unable to register, one-way audio).

Ideally, this should be addressed by the local router.
But most home routers provided by ISPs do not have this capability.


How to tell if this is the case?
– Run a packet capture on the incoming interface of the FortiGate, filtering on port 5060 and the public source IP of the client.
Attempt a call. Stop the capture and open it with a packet analyzer.


What to look for:
A SIP message sent by the user's phone that contains SDP data will show SIP/SDP in the 'Protocol' field (e.g. INVITE, 200 OK).

The IPv4 header will show:
Src: 10.11.12.13 Dst: 99.98.97.96 (where Src is the public IP of the client calling, Dst is the public IP of the FortiGate)
Expand the SIP part of the packet > 'Request line', 'Message Header', 'Message body'.
Focus on the following content:

Header:

Via: 192.168.1.11:5060                     <----- This is the local IP of the phone in the private network of the client. This should be the public IP of the client (10.11.12.13).
From: 12345@10.11.12.13                    <----- This is OK.
Contact: 12345@192.168.1.11:65432

Body:

(o): ……. IN IP4 192.168.1.11
(c): IN IP4 192.168.1.11
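As an added diagnostic example (not part of the original article), the same check done programmatically on a constructed SIP INVITE instead of by eye in a packet analyzer: the addresses carried in Via, Contact and the SDP o=/c= lines are compared with the outer IPv4 source, and any field that differs is the symptom described above. The sample message and all addresses in it are constructed.

```python
import re

# Constructed sample: a SIP INVITE as it arrives at the FortiGate's external
# interface from a phone behind a SIP-unaware NAT router.
SAMPLE_IP_SRC = "10.11.12.13"   # outer IPv4 source (the client's public side)
SAMPLE_INVITE = (
    "INVITE sip:5678@99.98.97.96 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.11:5060;branch=z9hG4bK776\r\n"
    "From: <sip:12345@10.11.12.13>;tag=1928\r\n"
    "To: <sip:5678@99.98.97.96>\r\n"
    "Contact: <sip:12345@192.168.1.11:65432>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.11\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.11\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def embedded_addresses(sip_message):
    """Return {field: ip} for the SIP/SDP fields that carry the caller's own address."""
    head, _, body = sip_message.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            m = IPV4.search(value)
            if m:
                found[name.strip()] = m.group(1)
    for line in body.split("\r\n"):              # SDP origin and connection lines
        if line[:2] in ("o=", "c="):
            m = IPV4.search(line)
            if m:
                found[line[:1]] = m.group(1)
    return found


def nat_unaware_fields(sip_message, ip_src):
    """Fields whose embedded address differs from the outer IP source.
    A non-empty result is the signature of a SIP-unaware NAT in front of the phone."""
    return {f: ip for f, ip in embedded_addresses(sip_message).items() if ip != ip_src}
```

An empty result for a capture means the upstream router already rewrote the SIP/SDP addresses and HNT is not needed for that client.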


Solution
If the SIP end-point router external to the FortiGate network does not support SIP ALG, use SIP HNT (Hosted NAT Traversal) to help complete registration and two-way audio.

1) On the FortiGate it is necessary to identify the external interface, with the following statement on the interface the packet is received from:

set external enable

2) VIP configuration (in most cases, a VIP is required to open at least port 5060 to the internal network).

There can be cases when the FortiGate simply passes the traffic from one public network to another public network, performing only NAT.
Even in this case, destination NAT must also be performed on the SDP data within the SIP requests.

3) Create a VoIP profile with HNT enabled.

# config voip profile
    edit "SIP-HNT"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    next
end

'set hnt-restrict-source-ip enable' is optional, but more secure: it restricts the RTP source IP to be the same as the SIP source IP when HNT is enabled.

4) Apply this VoIP profile in a firewall policy with NAT enabled.
If a VIP is configured for access to the internal network, the VIP object must be referenced as the destination address.

Related links:
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/858887/voip-solutions
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortigate-sip-603.pdf
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=fortigate-voip-sip-521pdf

Related Articles

Technical Tip: VOIP calls (using SIP)

Technical Tip: Disabling VoIP Inspection

Technical Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
