SIP trunking

Forum|Forum|16 years ago
February 14, 2010
6 replies
16512 views

I have tried everything under the sun to get a Fortigate 60B to properly handle SIP trunking and I cannot get this thing to work 100% of the time. The customer uses bandwidth.com for SIP trunking, both in and out, along with a Fonality PBXtra onsite PBX. Fonality says open the following ports: UDP 5060 (SIP) UDP 10000 - 20000 (SIP audio) Bandwidth.com says open the following ports: UDP 5060 (SIP) UDP 1024 - 64000 (SIP audio) I have done this using Virtual IPs with port forwarding. I have done this using just Custom Service rules with the ports. I have tried creating Virtual IPs with ALL ports open. I have tried this with Custom Service rules with ALL ports open. Randomly I can get outbound calls to go through, but no audio. I do not get what I am doing wrong, I have done this 500 times with other firewalls and have never had any sort of problem. This Fortigate is the most ridiculously complicated thing I have encountered in over 20 years of network consulting. I recommended to the client that they trash it in favor of much better Cisco firewall but they claim that Fonality told their former network administrator that the Fortigate was the recommended solution to work with the PBXtra. I cannot get anyone at Fonality to verify this statement. Regardless, SIP trunking is a simple technology that should not be this difficult to get setup. I have searched all over the internet for instructions relating to a Fortigate firewall and have come up mostly empty handed, save for a few references to some SIP document in the knowledge base (if those are referring to " FortiGate Support for SIP FortiOS v3.0 MR5" then save your time because that document is a piece of trash). I have tried getting the folks at bandwidth.com to help, they refuse to provide help " behind the firewall" , which I totally understand. Fonality is the same way. I have tried getting anyone at Fortinet to help but have come up empty handed. Is there anyone on this planet that has actually successfully set up SIP trunking, both inbound and outbound, using a FortiGate 60B fireall?? This is my last effort at solving this problem before I tell the client to forget it unless they want to us a real firewall. TIA

emnoc

New Member

Give us an example of your firewall-policy? what I did when I had a PBX downstream of a fortigate was to find out the source ranges for the PBX/SIP gateways and made firewall=policy that allowed for that range of ip_address and allowed all services thru. Once I diagnose the sessions and validated the port range, I locked it down further. One way audio is very common and proper due to one side of the session not being allowed. You also might want to disable sip-helper if you have that enable, and checkout the KB on fortinet website. They have some great examples iirc on proper setup. I use a Cisco SIP enable phone at home behind my FWF60, and we have a asterisk server behind a FG200A. I also have a nortel IP phone vpn thru my FWF60B and it works great but it' s not SIP but uses some other call session control. All works great btw.

A

Anonymous_UserAuthor

Contributor

emnoc ... no offense intended, but that is exactly an example of what I would call a pretty much useless response. No definitive " here is how you do it" instructions, just a bunch of mumbo jumbo that exists in a dozen other areas in this forum. I love how everyone points to these so-called great examples in the KB on the fortinet site, yet not one of you can provide a link, an article number, nothing. That KB is a piece of crap, worst I' ve ever come across in my life. I found exactly ONE article that discusses SIP and it appears to have been created by a child that barely understands English. red.adair: - currently use 4.0, MR1 patch 3 - do have a FW rule allowing 5060/UDP outbound from DMZ to WAN1, PBXtra lives in DMZ - do have a VIP rule binding ext:5060 to dmz:5060 with associated ext->dmz rule - I do have the SIP-ALG protection profile created and bound to all rules - NOT using STUN I' m very familiar with SIP. The amazing thing is, when I switch to testing with another SIP trunk provider, everything magically works perfectly. Switch back to bandwidth.com, nothing works. Yet they claim everything is setup perfect on their end. Quite frankly I think they are full of crap.

abelio

SuperUser

Hi 316, being an experienced (20 yr) network consulting as you claim you are, it should be obvious some basic things: - if you post to a forum about a technology you don' t know, you should provide the more accurate and exhaustive detail about what' s your setup, your configuration, captured screens or output of relevant CLI commands, etc. - it' s surely useless that you post concepts like ' everything is a crap' or whatever like that, and qualify those guys whose are trying to understand (guessing about your draft description) is completely annoying. This is just a volunteer effort forum, not tech free support for you; if you' re kind, more possibilities to find somebody to take some time to kindly study your problem and help you, just for fun; If you consider this not enough for you, open a ticket with paid Fortinet TAC or hire a consultant. good luck

red_adair

New Member

- Use a recent 4.0.x or 4.1.x Build - create a FW Rule that allows udp/5060 outbound (guess you need to tick NAT as well) - if needed create a VIP from ext:5060 -> int:5060 and bind it to a ext->int Rule (in case someone needs to access your PBX from the Internet) - NOW: Kick in the SIP-ALG ! (That does all the Magic like Pinholing RTP and NATing) .- Create a Application-Control with SIP enabled .- Create a Protection-Profile with that App-Control Sensor enabled .- Apply that Protection profile to both inbound and outbound SIP Policies make sure not using STUN or hacks like that - or at least open ports that they use. And BTW - i disagree SIP is a simple technology. It' s a a fairly open Signalling; and when u say SIP Audio you likely refer to RTP (which Pinholes are openened dyamically). When using FortiOS 4.1 you will get a strong SIP ALG into your hands, so make sure you better be familiar with SIP. -R.

emnoc

New Member

316 it took me all but 30secs to google sip and fortigate. http://docs.fortinet.com/fgt/archives/3.0/techdocs/FortiGate_SIP_Support_Tech_Note_01-30007-0232-20080909.pdf And within 60secs I found quite a few SIP related articles on KB, for vr3 or 4 . http://kb.fortinet.com/kb/microsites/searchEntry.do So what did you expect? or what? A simple request for your FW policy and description of the method I used to diagnosed my SIP related problems was not good enough for you? Get real and get a life .

rwpatterson

New Member

Why don' t you go over an do it too....

red_adair

New Member

If all SIP Peering Providers work, except one you may try to find out why this happens. to reveal SIP NAT/pinholing etc. (all the ALG does): # diag debug ena # diag debug application sip -1 Also may help tp take simultaneous traces extern and DMZ and work them out in Wireshark # diag sniff pack external-IF ' <sip-srv-ip>' 3 simltanous # diag sniff pack DMZ-IF ' host <sip-srv-ip>' 3 Use the Perl Script you find (search for sniffer) to convert the output into PCAP.

reco

New Member

hi there, is it possible to have multiple trunks registered at the same time? also i have a sip provider (callcentric) which uses port 5080. how would i need to change the sip ALG to take care about that too? see my setup here: http://dl.dropbox.com/u/125755/network.png thanx

FortiRack_Eric

New Member

It' s no problem having multiple sip trunks over 1 line.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded