bojan_sukalo_20
Nimbostratus
Jul 06, 2015

Plain old NAT and SIP

Hello,

 

What would be the easiest way to just NAT SIP traffic without terminating the SIP connection on the F5 as suggested in their official document here: https://www.f5.com/pdf/deployment-guides/load-balancing-sip-dg.pdf

 

I don't want any SIP traffic engineering or anything fancy. Just NAT and SIP adjustment accordingly.

 

I have a SIP gateway and a separate media server (on a different IP). So clients (firewall inside) always go to SIP gateway (firewall outside) and never talk to each other directly.

 

Please advise.

 

Thank You!

 

Bojan

 

4 Replies

  • A simple NAT configuration would work just fine.

     

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/17.htmlconceptid

     

    But you could do better with an actual virtual server configuration. As a full proxy, the F5 will always proxy layer 4 (TCP and UDP), but beyond that, layers 5 and up are controlled by profiles that either manage the traffic or simply pass it through. A simple virtual server listening on port 5060 or 5061, with nothing more than a pool assigned that also points to backend services on port 5060 or 5061, will not terminate or touch the SIP traffic passing through it.

     

  • Thanks Kevin,

     

    If I got it right, I have to have only one virtual server in this case then (instead of two, one for clients to server and another for server to clients)?

     

    By the way, I've already tried simple SNAT but calls cannot be established. I haven't taken a packet capture yet to see whether there was a SIP NAT translation taking place.

     

    Thank you anyway, I'll try with one virtual server configuration.

     

    Cheers!

     

    Bojan

     

    • Kevin_Stewart
      Employee
      You'd just need one VIP. All client requests pass through this VIP, and all server responses flow back through the same VIP. SNAT applied to the VIP is needed if the server knows how to go around the VIP for its responses.
  • Hello,

     

    I have a similar question. I have an IP phone and I need to use NAT for source and destination. The IP phone will be inside a backbone network and needs to go to the DMZ network and then be redirected to the Internet. IP Phone -> Enterprise Network -> Firewall -> F5 -> Firewall -> Internet. One of the solutions that I found was to use a SIP proxy. Is it possible to use the F5 as a SIP proxy?
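
Added example, not part of any post in this thread: the packet-capture check mentioned above (whether SIP NAT translation took place) can be scripted. This Python sketch flags RFC 1918 addresses left in the Via, Contact and SDP `o=`/`c=` fields of a captured SIP message when only layer 4 was translated; the sample INVITE, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed, trimmed INVITE as captured on the server side of the NAT device.
# All addresses are sample values, not taken from the thread.
SAMPLE_INVITE = (
    "INVITE sip:1000@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2000@203.0.113.10>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@10.1.1.50\r\n"
    "Contact: <sip:2000@10.1.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 123 456 IN IP4 10.1.1.50\r\n"
    "c=IN IP4 10.1.1.50\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Fields the far end uses to route responses, later requests and media.
ROUTING_HEADERS = {"via", "v", "contact", "m", "record-route", "route"}
SDP_FIELDS = {"o", "c"}

def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def untranslated_addresses(message, wire_src):
    """Return (field, ip) pairs where a routing field still carries an
    RFC 1918 address that differs from the source IP seen on the wire."""
    head, _, body = message.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            fields.append((name.strip(), value))
    for line in body.split("\r\n"):                # SDP uses name=value
        name, _, value = line.partition("=")
        if name in SDP_FIELDS:
            fields.append(("SDP " + name + "=", value))
    return [(field, ip) for field, value in fields
            for ip in IPV4.findall(value)
            if is_rfc1918(ip) and ip != wire_src]
```

A non-empty result for a message taken from the capture means the far end is being told to reply or send media to an inside address, which matches the symptom of calls not establishing behind plain SNAT.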