SIP support
How SIP support works
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
Source NAT with IP pool
You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if
the source IP of the SIP packets is different from the interface IP. The FortiGate ALG
interprets this configuration and translates the SIP header accordingly.
This configuration also applies to destination NAT.
Different source and destination NAT for SIP and RTP
This is a more complex scenario that a SIP service provider may use. It can also be
deployed in large-scale SIP environments where RTP has to be processed by the
FortiGate unit and the RTP server IP has to be translated differently than the SIP
server IP.
Figure 275: Different source and destination NAT for SIP and RTP
In this scenario, shown in Figure 275, assume there is a SIP server and a separate media
gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect
to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to
217.233.90.65.
What happens is as follows:
1. The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
   header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2. The SIP server carries out RTP to 217.233.90.65.
3. The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4. RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP
   contact header to 192.168.0.21.
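The translation sequence above, as an added Python sketch (not FortiGate code and not taken from the guide): it rewrites a SIP message with one NAT table for the signalling Contact header and a separate one for the SDP media address, and derives the RTP pinhole from the SDP port. The addresses are those of the scenario; the sample message, the outbound direction, port 30000 and the function names are assumptions constructed for illustration.

```python
import re

# Address pairs from the scenario above (internal address -> VIP).
SIP_NAT = {"10.0.0.60": "217.233.90.60"}     # signalling: SIP server -> SIP VIP
RTP_NAT = {"192.168.0.21": "217.233.90.65"}  # media: RTP server -> RTP-VIP

# Constructed sample: a 200 OK with an SDP answer leaving the internal SIP server.
SAMPLE = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 219.29.81.20:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:server@10.0.0.60:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 94",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.21",
    "s=-",
    "c=IN IP4 192.168.0.21",
    "t=0 0",
    "m=audio 30000 RTP/AVP 0",
    "",
])

def _swap(table):
    # Build a re.sub callback that maps group 2 through one NAT table.
    return lambda m: m.group(1) + table.get(m.group(2), m.group(2))

def translate(msg):
    """Return (rewritten message, pinholes) for an outbound SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    # Signalling: the Contact host goes through the SIP mapping only.
    head = re.sub(r"(?im)^(Contact:.*?@)([\d.]+)", _swap(SIP_NAT), head)
    # Media: SDP o=/c= addresses go through the RTP mapping only.
    new_body = re.sub(r"(?m)^([oc]=.*IN IP4 )([\d.]+)", _swap(RTP_NAT), body)
    # The body length changed, so Content-Length has to be recomputed.
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+",
                  lambda m: m.group(1) + str(len(new_body)), head)
    # Pinholes come from the SDP: (VIP, port) -> (internal host, port) per m= line.
    conn = re.search(r"(?m)^c=IN IP4 ([\d.]+)", body)
    inner = conn.group(1) if conn else None
    ports = re.findall(r"(?m)^m=\w+ (\d+) ", body) if inner else []
    pinholes = [(RTP_NAT.get(inner, inner), int(p), inner, int(p)) for p in ports]
    return head + "\r\n\r\n" + new_body, pinholes

if __name__ == "__main__":
    rewritten, holes = translate(SAMPLE)
    print(rewritten)
    print(holes)
```

If the SDP body is encrypted or the media port is negotiated outside the message, the pinhole list comes back empty, which is the case step 3 hedges with "assuming that it knows the ports to be opened".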
How SIP support works
The FortiGate unit uses firewall policies to protect communications between servers and
VoIP end devices. These policies restrict VoIP communication based on authorized end
devices or traffic sourced or destined for a particular IP address or interface. The
FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to
ensure that appropriate priority and policies are applied.
[Figure 275 diagram labels: 219.29.81.20 and RTP Server 219.29.81.10; Internet; SIP: 217.233.90.60, RTP-1: 217.233.90.65, RTP-2: 217.233.90.70; SIP Server 10.0.0.60; RTP Servers 192.168.0.21 - 192.168.0.23]