The FortiGate unit and VoIP security SIP support
FortiGate Version 4.0 MR1 Administration Guide
508 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Destination NAT (SIP and RTP)
In the destination NAT scenario, a SIP phone can connect to a local IP address through a
FortiOS virtual IP (VIP). The FortiGate unit translates the SIP contact header to the IP
address of the real SIP server located outside.
Figure 297: SIP destination NAT
In the scenario shown in Figure 297, the SIP phone connects to a VIP (10.72.0.60). The
FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG
opens the Real-time Transport Protocol (RTP) pinholes and manages NAT.
The FortiGate unit also supports a variation of this scenario in which the RTP server
hides its real address.
Figure 298: SIP destination NAT-RTP server hidden
In the scenario shown in Figure 298, a SIP phone connects to the Internet. The VoIP
service provider publishes only a single public IP (a VIP). The SIP phone connects to the
FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact
header to the SIP server (10.0.0.60). The SIP server also changes the SIP/SDP connection
information (which tells the SIP phone which RTP IP address it should contact) to
217.233.90.60.
[Figure 297 diagram. Labels: SIP Server, RTP Server, Internet, "SIP service provider has a SIP server and a separate RTP server". Addresses shown: 10.72.0.57, 217.233.122.132, 217.10.79.9, 217.10.69.11, 10.72.0.60.]
[Figure 298 diagram. Labels: SIP Server, RTP Server, Internet. Addresses shown: 219.29.81.21, 217.233.90.60, 10.0.0.60, 192.168.200.99.]
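The following is an added example, not code from the guide or from FortiOS: a simplified model of how a SIP ALG derives RTP and RTCP pinholes from the SDP connection information in the Figure 298 scenario, and which destination NAT target each pinhole needs. The SDP body is constructed, and the hidden RTP server address (192.0.2.10), the second audio stream and the function name `rtp_pinholes` are assumptions made for illustration.

```python
# Simplified model of how a SIP ALG derives RTP pinholes from SDP (not FortiOS code).
# 217.233.90.60 is the VIP from the text; 192.0.2.10 is an assumed hidden RTP server.
VIP_MAP = {"217.233.90.60": "192.0.2.10"}

# Constructed SDP body, as the SIP server in the Figure 298 scenario might send it.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 217.233.90.60",
    "s=-",
    "c=IN IP4 217.233.90.60",      # session-level connection address (the VIP)
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",     # RTCP defaults to port + 1
    "m=video 0 RTP/AVP 31",        # port 0: stream disabled, no pinhole
    "m=audio 50000 RTP/AVP 8",
    "c=IN IP4 198.51.100.7",       # media-level c= overrides the session-level one
    "a=rtcp:50005",                # explicit RTCP port (RFC 3605)
])

def rtp_pinholes(sdp, vip_map):
    """Return (media, proto, announced_ip, port, dnat_target) for each pinhole."""
    session_addr, media = None, []
    for line in sdp.splitlines():
        key, _, value = line.partition("=")
        if key == "c" and len(value.split()) >= 3:
            addr = value.split()[2].split("/")[0]   # drop multicast TTL suffix
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif key == "m" and len(value.split()) >= 3:
            kind, port = value.split()[:2]
            port, _, count = port.partition("/")
            media.append({"kind": kind, "port": int(port),
                          "count": int(count or 1), "addr": None, "rtcp": None})
        elif key == "a" and value.startswith("rtcp:") and media:
            media[-1]["rtcp"] = int(value[5:].split()[0])
    holes = []
    for m in media:
        addr = m["addr"] or session_addr
        if m["port"] == 0 or addr is None:
            continue
        for i in range(m["count"]):
            rtp = m["port"] + 2 * i                 # RTP ports are allocated in pairs
            rtcp = m["rtcp"] if (m["rtcp"] and i == 0) else rtp + 1
            for proto, p in (("RTP", rtp), ("RTCP", rtcp)):
                holes.append((m["kind"], proto, addr, p, vip_map.get(addr, addr)))
    return holes

if __name__ == "__main__":
    for hole in rtp_pinholes(SAMPLE_SDP, VIP_MAP):
        print(hole)
```

A pinhole whose announced address is not in the VIP map (the 198.51.100.7 stream here) is the kind of entry to review when auditing which media paths an ALG would open.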