Destination NAT translation of IP addresses in SIP messages
Destination NAT translation occurs for SIP messages sent from a phone or server on the Internet to a firewall virtual IP address. The destination addresses in the SIP header fields of the message are typically set to the virtual IP address. The SIP ALG translates these addresses to the address of a SIP server or phone on the private network on the other side of the FortiGate unit.
Table 105: Destination NAT translation of IP addresses in SIP request messages
SIP header | NAT action |
To: | Replace VIP address with address on the private network as defined in the firewall virtual IP. |
From: | None |
Call-ID: | None |
Via: | None |
Request-URI: | Replace VIP address with address on the private network as defined in the firewall virtual IP. |
Contact: | None |
Record-Route: | None |
Route: | None |
SIP response messages sent in response to the destination NAT translated messages are sent from a server or a phone on the private network back to the originator of the request messages on the Internet. These reply messages are accepted by the same security policy that accepted the initial request messages, The firewall VIP in the original security policy contains the information that the SIP ALG uses to translate the private network source addresses in the SIP headers into the firewall virtual IP address.
Table 106: Destination NAT translation of IP addresses in SIP response messages
SIP header | NAT action |
To: | None |
From: | Replace private network address with firewall VIP address. |
Call-ID: | None |
Via: | None |
Request-URI: | N/A |
Contact: | Replace private network address with firewall VIP address. |
Record-Route: | Replace private network address with firewall VIP address. |
Route: | None |