jimmyt
New Member
September 7, 2011
Question

Cisco Call Manager Calls Through Fortigate

  • 3 replies
  • 6232 views
We are deploying some Cisco IPT handsets on an external interface of our FortiGate 310B firewall. The phones will have to register and do SCCP setup messages with our Call Manager cluster on the inside of the firewall. Once the call is set up, the Call Manager hands over the voice conversation to the two handsets. The voice call is then direct between the two IPT handsets, using dynamically generated Real Time Protocol UDP port numbers.

I have read the guidelines on using the SCCP feature on the FortiGate: http://docs.fortinet.com/fgt/archives/3.0/techdocs/FortiGate_SCCP_Support_01-30006-0467-20080425.pdf The document states, "The FortiGate Antivirus Firewall includes special module that tracks SCCP calls. The FortiGate unit can make all necessary adjustments, to both the firewall state and call data, to ensure a seamless call is established through the FortiGate unit regardless of its operation mode, NAT, route, or transparent."

Does this mean that the rules for the RTP UDP stream will be dynamically created if the correct SCCP rules are in place? Meaning I only need to create a rule for the call setup between the handsets and the Call Manager, and not for the conversation between the handsets? Will the firewall inspect the SCCP packets for the ports and IP addresses to be used between the handsets? Has anyone used this feature with a Cisco IPT deployment?
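The question above is really about what an SCCP-aware ALG has to do: read the signalling that flows phone-to-CallManager and open UDP pinholes for the RTP endpoints it announces, then close them on teardown. The following is an added example written for this page, not code from the thread, from Cisco or from Fortinet: a minimal Python model of that session helper. It frames SCCP (Skinny) messages from a TCP byte stream (handling fragmentation), extracts the receive address from OpenReceiveChannelAck and the far-end address from StartMediaTransmission, and retracts the pinholes on CloseReceiveChannel and StopMediaTransmission. The message IDs, header layout (length, version, ID, all little-endian) and field offsets are assumptions taken from public Skinny protocol-version-0 dissectors; the IP addresses, ports and passThruPartyID value in the demo are constructed sample data.

```python
import struct
import ipaddress
from dataclasses import dataclass

# Message IDs and field layouts are assumed from public Skinny (SCCP v0)
# dissectors; they are not taken from the thread or the Fortinet document.
OPEN_RECEIVE_CHANNEL_ACK = 0x0022   # phone -> CallManager: "deliver my RTP to ip:port"
START_MEDIA_TRANSMISSION = 0x008A   # CallManager -> phone: "send your RTP to ip:port"
STOP_MEDIA_TRANSMISSION = 0x008B    # CallManager -> phone: stop sending
CLOSE_RECEIVE_CHANNEL = 0x0106      # CallManager -> phone: stop listening
HEADER = struct.Struct("<III")      # data length, header version, message ID


def ip_bytes(ip: str) -> bytes:
    """IPv4 address as the 4 network-order bytes SCCP carries in messages."""
    return ipaddress.IPv4Address(ip).packed


def build(msg_id: int, payload: bytes) -> bytes:
    """Frame one SCCP message; the length field counts message ID + payload."""
    return HEADER.pack(4 + len(payload), 0, msg_id) + payload


@dataclass(frozen=True)
class Pinhole:
    src_ip: str      # "any" until the far end is known
    dst_ip: str
    dst_port: int    # UDP


class SccpAlg:
    """Model of an SCCP session helper watching one phone's control connection."""

    def __init__(self, phone_ip: str):
        self.phone_ip = phone_ip
        self.buf = b""
        self.listen = {}   # passThruPartyID -> inbound pinhole (peer -> phone)
        self.send = {}     # passThruPartyID -> outbound pinhole (phone -> peer)

    def feed(self, data: bytes):
        """Consume TCP payload bytes, in any fragmentation. Returns (opened, closed)."""
        self.buf += data
        opened, closed = [], []
        while len(self.buf) >= HEADER.size:
            length, _version, msg_id = HEADER.unpack_from(self.buf)
            if length < 4:
                raise ValueError("malformed SCCP length %d" % length)
            end = 8 + length               # length excludes the first two header words
            if end > len(self.buf):
                break                      # wait for the rest of this message
            payload = self.buf[HEADER.size:end]
            self.buf = self.buf[end:]
            o, c = self._handle(msg_id, payload)
            opened += o
            closed += c
        return opened, closed

    def _handle(self, msg_id: int, payload: bytes):
        if msg_id == OPEN_RECEIVE_CHANNEL_ACK:
            status, ip, port, party = struct.unpack_from("<I4sII", payload)
            if status != 0:
                return [], []              # phone could not open the channel
            hole = Pinhole("any", str(ipaddress.IPv4Address(ip)), port)
            self.listen[party] = hole
            return [hole], []
        if msg_id == START_MEDIA_TRANSMISSION:
            _conf, party, ip, port = struct.unpack_from("<II4sI", payload)
            hole = Pinhole(self.phone_ip, str(ipaddress.IPv4Address(ip)), port)
            self.send[party] = hole
            return [hole], []
        if msg_id in (CLOSE_RECEIVE_CHANNEL, STOP_MEDIA_TRANSMISSION):
            _conf, party = struct.unpack_from("<II", payload)
            table = self.listen if msg_id == CLOSE_RECEIVE_CHANNEL else self.send
            hole = table.pop(party, None)
            return [], [hole] if hole else []
        return [], []                      # KeepAlive, Register, etc.: no media impact

    def active(self):
        """Pinholes a firewall should currently hold open for this phone."""
        return set(self.listen.values()) | set(self.send.values())


def demo():
    """Constructed call leg: outside phone 203.0.113.10 talks to inside phone 10.1.2.20."""
    alg = SccpAlg("203.0.113.10")
    ack = build(OPEN_RECEIVE_CHANNEL_ACK,
                struct.pack("<I4sII", 0, ip_bytes("203.0.113.10"), 24576, 0x1000))
    start = build(START_MEDIA_TRANSMISSION,
                  struct.pack("<II4sI", 1, 0x1000, ip_bytes("10.1.2.20"), 24580) + bytes(20))
    stream = ack + start
    opened = []
    for chunk in (stream[:7], stream[7:30], stream[30:]):   # deliberately fragmented
        o, _ = alg.feed(chunk)
        opened += o
    _, closed = alg.feed(build(CLOSE_RECEIVE_CHANNEL, struct.pack("<II", 1, 0x1000)))
    return opened, closed, alg.active()


if __name__ == "__main__":
    for label, items in zip(("opened", "closed", "active"), demo()):
        print(label, list(items))
```

The point the model makes explicit: the ALG only ever sees the control connection, so the firewall policy that matters is the TCP one between the phone and the CallManager; the UDP pinholes are derived from it and have no policy of their own. It also shows why such helpers are fragile: if the signalling is split across TCP segments, encrypted, or carried in a protocol version with a different StartMediaTransmission layout, the parser silently learns nothing and the RTP is dropped, which matches the reliability complaints in the replies below.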

    3 replies

    ddskier
    New Member
    September 7, 2011
    You will need policies between the handsets and from the individual handsets to the Call Manager. The audio stream goes directly between the two handsets, with the Call Manager involved in the creation and teardown of the phone call.
    emnoc
    New Member
    September 8, 2011
    Do you have any gateways? If so, you might need policies between them and the phones. Can you explain more of your voice topology? For example, do you have designated voice-only VLANs? If you have designated voice subnets, your firewall policies can be simplified, e.g. allow voice subnet 10.1.0.0/24 to voice subnet 10.2.0.0/24, allow TCP SCCP 2100/tcp, allow MGCP 2427/tcp (probably used for gateways). Don't forget the need for DHCP and TFTP services.

    So basically the phones need access to the call manager and then to each other. The RTP streams should be in a UDP port range 24XXX to 24XXXX or something along that line. I'm including a Cisco link to all of the ports within a Cisco jacked-up VoIP deployment ;) http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml

    If I recall correctly, I thought FGT supported an SCCP-aware ALG, but I could be wrong.
    ddskier
    New Member
    September 9, 2011
    To be honest, we tried the ALG. It is pretty crappy. You never knew how stable it was between the different releases of the firmware. We ended up putting our voice router outside of our firewall to get reliable connectivity with our SIP trunk provider.