FortiGate
vermap
Staff
Article Id 367652
Description

This article describes how to configure access to FortiVoice from an external network when central natting is enabled on the FortiGate.

Scope

FortiGate.

Solution
  1. Create a VIP: go to Policy and Objects -> Virtual IPs and select 'Create New'.
 
 

Picture1.png

 

As shown in the above example, 172.24.3.29 is an external WAN IP and 10.10.10.8 is a mapped internal server IP.

The incoming traffic arrives on port 56004 and is mapped internally to port 5060.

 

  2. Create another VIP to allow port 443. This helps in the registration of FortiVoice during the initial communication.

 

Picture2.png

 

  3. Create a policy to allow this traffic under Policy and Objects -> IPv4 and select 'Create New'.

   Picture3.png

 

The screenshot above shows the IPv4 policy configuration, where the WAN interface is WAN1 and the FortiVoice-connected interface is VOIP VLAN.

When Central NAT is enabled, the firewall policy must use an IP address object as the 'destination'; this object refers to the IP addresses of FortiVoice. Ensure the match-vip-only option is enabled for the firewall policy.

 

Picture4.png

 

  4. Configure the Central SNAT rule. The Central SNAT (Secure NAT) table allows the address translation performed by the FortiGate to be defined and controlled with more granularity.

 

Picture5.png

 

This allows access to FortiVoice from outside the network when central NAT is enabled.
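
The CLI equivalent of the four steps above, as an added example that is not part of the original article. The object names, the interface name wan1 (for WAN1), the UDP protocol on the SIP VIP, the mapped port 443, the services, the 'all' source address and the direction of the Central SNAT rule are assumptions, since the screenshots are not reproduced here.

```fortios
# Added example: names, protocols, services and srcaddr are assumptions.
# Narrowing srcaddr to known remote peers limits exposure of FortiVoice.
config firewall vip
    edit "FortiVoice-SIP"
        set extintf "wan1"
        set extip 172.24.3.29
        set mappedip "10.10.10.8"
        set portforward enable
        set protocol udp
        set extport 56004
        set mappedport 5060
    next
    edit "FortiVoice-HTTPS"
        set extintf "wan1"
        set extip 172.24.3.29
        set mappedip "10.10.10.8"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
config firewall address
    edit "FortiVoice-srv"
        set subnet 10.10.10.8 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "WAN1-to-FortiVoice"
        set srcintf "wan1"
        set dstintf "VOIP VLAN"
        set srcaddr "all"
        set dstaddr "FortiVoice-srv"
        set action accept
        set schedule "always"
        set service "SIP" "HTTPS"
        set match-vip-only enable
    next
end
config firewall central-snat-map
    edit 0
        set srcintf "VOIP VLAN"
        set dstintf "wan1"
        set orig-addr "FortiVoice-srv"
        set dst-addr "all"
    next
end
```

The policy matches on the mapped address and port (10.10.10.8, 5060 and 443) because the VIP translation is applied before the policy lookup.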
