
Hide NAT for SIP Traffic

SIP over UDP

You can enable the Hide NAT changes source port for SIP over UDP IP setting on the gateways of:

To configure Hide NAT for SIP over UDP on the gateway:

  1. Open SmartConsole.
  2. In the Manage & Settings tab, go to Blades > General and select Inspection Settings.
  3. In the search field, type SIP - General Settings. Double-click the setting that appears.
  4. Select a Profile > Advanced.
  5. Check the box Hide NAT changes source port for SIP over UDP IP.
  6. Click OK.

SIP over TCP

For more information, see SIP Security Rules.

SIP Packets

If Hide NAT changes source port for SIP over UDP is selected, the SIP packets are translated as described below.

SIP Packet Before NAT

The image of the packet capture below shows a SIP packet from a phone with IP address 192.168.3.40, and source port 5060 (the default SIP port). The phone's extension is 4321.

SIP Packet after Hide NAT when option is disabled

The image of the packet capture below shows the SIP packet after Hide NAT, with the Hide NAT changes source port for SIP over UDP option disabled. The IP address is translated to the Hide NAT address of 172.16.8.232, but the source port 5060 is unchanged.

Here, all the internal phones are registered with the same source IP:port combination. For example: sip:4321@172.16.8.232:5060. A different phone with extension 8765 would register as sip:8765@172.16.8.232:5060.

Some SIP servers can register only one phone per IP address and port combination. As a result, only one of the phones behind that Hide NAT address is registered successfully on the server.

SIP Packet after Hide NAT when option is enabled

The image of the packet capture below shows the SIP packet after Hide NAT, with the Hide NAT changes source port for SIP over UDP option enabled. The IP address is translated to the Hide NAT address of 172.16.8.232, and the source port is also translated to an allocated port of 10015.

Here, each internal phone is allocated a different port, so each phone is registered with a different source IP:port combination. For example: one phone is registered as sip:4321@172.16.8.232:10015 (as shown in the packet capture), and a different phone with extension 8765 is registered as sip:8765@172.16.8.232:10016.

As a result, each internal phone is registered successfully on the server.
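To make the registration behaviour above concrete, here is an added Python example (not Check Point code, and not taken from the page) that models a gateway applying Hide NAT to two phones' REGISTER requests and a registrar that keeps one binding per Contact IP:port. The hide address 172.16.8.232 and the first allocated port 10015 come from the page's captures; the second phone's address 192.168.3.41, the registrar name pbx.example.test and the SIP messages themselves are constructed for the example. With the option disabled both phones collapse onto 172.16.8.232:5060 and the second registration overwrites the first; with it enabled each phone gets its own port and both bindings survive.

```python
import re

# Values taken from the page's packet captures.
HIDE_NAT_IP = "172.16.8.232"
FIRST_ALLOCATED_PORT = 10015

# Constructed sample REGISTER requests from two internal phones (extensions 4321 and 8765).
# Each entry is (source IP, source UDP port, SIP message as the phone sends it). The registrar
# name pbx.example.test and the second phone's address are assumptions for the example.
SAMPLE_REGISTERS = [
    ("192.168.3.40", 5060,
     "REGISTER sip:pbx.example.test SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 192.168.3.40:5060;branch=z9hG4bK-phone1\r\n"
     "From: <sip:4321@pbx.example.test>;tag=p1\r\n"
     "To: <sip:4321@pbx.example.test>\r\n"
     "Contact: <sip:4321@192.168.3.40:5060>\r\n\r\n"),
    ("192.168.3.41", 5060,
     "REGISTER sip:pbx.example.test SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 192.168.3.41:5060;branch=z9hG4bK-phone2\r\n"
     "From: <sip:8765@pbx.example.test>;tag=p2\r\n"
     "To: <sip:8765@pbx.example.test>\r\n"
     "Contact: <sip:8765@192.168.3.41:5060>\r\n\r\n"),
]

CONTACT_RE = re.compile(r"^Contact:\s*<sip:([^@>]+)@([\d.]+):(\d+)>", re.MULTILINE)


class HideNat:
    """Minimal model of a gateway applying Hide NAT, with SIP-aware header rewriting, to UDP."""

    def __init__(self, hide_ip, change_source_port):
        self.hide_ip = hide_ip
        self.change_source_port = change_source_port
        self.table = {}  # (internal IP, internal port) -> (hide IP, translated port)
        self.next_port = FIRST_ALLOCATED_PORT

    def translate(self, src_ip, src_port, message):
        key = (src_ip, src_port)
        if key not in self.table:
            if self.change_source_port:
                port = self.next_port          # a distinct port for each internal endpoint
                self.next_port += 1
            else:
                port = src_port                # every phone keeps 5060 behind the same hide IP
            self.table[key] = (self.hide_ip, port)
        hide_ip, hide_port = self.table[key]
        # SIP inspection rewrites the internal address inside Via and Contact so the
        # SIP headers agree with the translated outer packet.
        rewritten = message.replace(f"{src_ip}:{src_port}", f"{hide_ip}:{hide_port}")
        return hide_ip, hide_port, rewritten


def registrar_bindings(change_source_port):
    """Send every sample REGISTER through Hide NAT and return the bindings kept by a registrar
    that allows one registration per Contact IP:port, as {'ip:port': extension}."""
    nat = HideNat(HIDE_NAT_IP, change_source_port)
    bindings = {}
    for src_ip, src_port, message in SAMPLE_REGISTERS:
        _, _, rewritten = nat.translate(src_ip, src_port, message)
        match = CONTACT_RE.search(rewritten)
        extension, ip, port = match.groups()
        # A later phone arriving with the same IP:port replaces the earlier binding.
        bindings[f"{ip}:{port}"] = extension
    return bindings


if __name__ == "__main__":
    print("option disabled:", registrar_bindings(False))
    print("option enabled: ", registrar_bindings(True))
```

The model keys the NAT table on the internal IP:port pair, which is enough to show the point: port allocation is what makes the translated Contact unique per phone, so a registrar that cannot hold two bindings for one address still sees every phone.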

Defining Hide NAT Rules in DMZ Topology

To define Hide NAT rules:

  1. Select the network object and double-click.

    The Network window opens.

  2. In the NAT tab, select Add Automatic Address Translation Rules > Translation method > Hide > OK.
    1. Select the network object and double-click.

      The Network window opens.

    2. Select NAT (+) > Advanced.
    3. Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
    4. Select the Translation method > Hide.
      • Create a node object with the Hide NAT IP address.
      • Select the Security Policies tab.
      • Add the services to the Services & Applications column.
      • Add the node object to the Destination column.
  3. Install the Security Policy.

Defining Static NAT Rules in DMZ Topology

Static NAT

Static NAT on the proxy in the DMZ can be configured with Manual NAT rules or with Automatic NAT rules. To configure Automatic NAT rules, all internal endpoints for which NAT is defined have to:

If either of these conditions is not met, NAT on the proxy in the DMZ can only be configured with Manual NAT rules.

To define Static NAT for the proxy in the DMZ using Automatic NAT rules:

  1. Select the network object and double-click.

    The Network window opens.

  2. In the NAT tab, select Add Automatic Address Translation Rules > Translation method > Hide > OK.
    1. Select the network object and double-click.

      The Network window opens.

    2. Select NAT (+) > Advanced.
    3. Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
    4. Select the Translation method > Static.
      • Create a node object with the Static NAT IP address.
      • Select the Security Policies tab.
      • Add the services to the Services & Applications column.
      • Add the node object to the Destination column.
  3. Install the Security Policy.

To define Static NAT for the proxy in the DMZ using Manual NAT rules:

  1. Add Proxy_DMZ_NATed to the Destination of the Rule Base rule for SIP services and <sip_service>.
  2. Add the Manual NAT rules shown in the table and configure Proxy ARP.
  3. Associate the translated IP address with the MAC address of the gateway interface that is on the same network as the translated addresses:
    • For Unix, use local.arp. To display the proxy ARP table on Unix, run: fw ctl arp
    • For Windows, use arp. To display the proxy ARP table on Windows, run: arp -a

      Manual NAT rules for the proxy in the DMZ:

      Original                                | Translated                                          | Comment
      Source    | Destination     | Service   | Source                  | Destination       | Service |
      ----------+-----------------+-----------+-------------------------+-------------------+---------+---------------
      Proxy_DMZ | Net_B           | *Any      | Proxy_DMZ_NATed: Static | =                 | =       | Outgoing calls
      Net_B     | Proxy_DMZ_NATed | *Any      | =                       | Proxy_DMZ: Static | =       | Incoming calls

Unix gateways

On UNIX-based gateways including SecurePlatform:

  1. Create a file $FWDIR/conf/local.arp
  2. Add the related entry, such as: 192.168.6.145 00:0D:60:83:B3:74

    192.168.6.145 is the static NAT address, and 00:0D:60:83:B3:74 is the MAC address of the gateway's external interface.

  3. In SmartConsole select the Manage & Settings tab.
  4. Select Global Properties.

    The Global Properties window opens.

  5. Select NAT - Network Address Translation and check the box Merge Manual Proxy ARP Configuration.
  6. Install the security policy.

Make sure that the fw ctl arp command shows the new entry in the proxy ARP table.
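A mistake in local.arp (a typo in the IP or MAC, a second line for the same address, or an entry pointing at a MAC that is not the gateway interface on that network) silently leaves the translated address unanswered on the wire, which is why the page tells you to confirm the entry with fw ctl arp. The following is an added Python example, not Check Point's own tooling, that checks a local.arp file before the policy is installed. It assumes the file holds exactly one "IP MAC" pair per line as shown on the page, with no comment syntax; the first sample line is the page's example and the remaining lines are constructed to trigger each check.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample local.arp contents: one "IP MAC" pair per line, as on the page.
# The first entry is the page's own example; the rest are constructed to exercise the checks
# (duplicate IP, invalid IP, malformed MAC, MAC that is not the external interface).
SAMPLE_LOCAL_ARP = """\
192.168.6.145 00:0D:60:83:B3:74
192.168.6.146 00:0D:60:83:B3:74
192.168.6.145 00:0D:60:83:B3:75
300.1.1.1 00:0D:60:83:B3:74
192.168.6.147 00-0D-60-83-B3
192.168.6.148 00:0D:60:83:B3:75
"""


def parse_local_arp(text, external_mac=None):
    """Parse local.arp text into {ip: mac}. Returns (entries, problems): entries holds only
    the well-formed, first-seen lines; problems lists one string per rejected line.
    If external_mac is given, lines whose MAC differs from it are rejected as well, since
    every translated address must map to the gateway interface on that network."""
    entries = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
            continue
        ip_text, mac = parts
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ValueError:
            problems.append(f"line {lineno}: invalid IPv4 address {ip_text!r}")
            continue
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: invalid MAC address {mac!r}")
            continue
        mac = mac.upper()
        if ip in entries:
            problems.append(f"line {lineno}: duplicate entry for {ip} (first one kept)")
            continue
        if external_mac is not None and mac != external_mac.upper():
            problems.append(f"line {lineno}: {ip} maps to {mac}, not the external interface "
                            f"{external_mac.upper()}")
            continue
        entries[ip] = mac
    return entries, problems


if __name__ == "__main__":
    entries, problems = parse_local_arp(SAMPLE_LOCAL_ARP, external_mac="00:0D:60:83:B3:74")
    for ip, mac in entries.items():
        print(f"ok   {ip} -> {mac}")
    for problem in problems:
        print(f"FAIL {problem}")
```

Run it against the real file with `parse_local_arp(open("/path/to/local.arp").read(), external_mac=...)`, passing the MAC of the interface on the translated addresses' network, then compare the accepted entries with the output of fw ctl arp after policy installation.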