Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
xspader
New Contributor

Assistance with rules

Hi All

 

We've recently got a fortigate for the office and its setup with SSL VPN working fine. I've been asked to add rules to allow external access to the PBX for softphones. I've created the firewall rules and the DNAT and SNAT but it isn't functioning. It hits the DNAT and the firewall rule, but the central SNAT rule isnt triggered when I use specific services as a filter. If I take the services off so it allows all, the access functions but the VPN access stops working.

I've searched the web and haven't found any thing that explains it to me simple enough as to how to create the rule components for this to work without stopping the VPN access. If someone can point me to a good site that can explain this or assist me with where I may have gone wrong I'd appreciate it. Firewall is behind a ISP fibre router

Firewall rule (outside interface to inside interface)

PBX rule.png

Central SNAT

PBX central snat.png

DNAT

PBX dnat.png

 

3 REPLIES 3
AlexC-FTNT
Staff
Staff

I would personally not recommend the use of central SNAT, as it is not easy to maintain or troubleshoot.

If this has a connection to the VPN tunnels, something is probably set up wrong. VPN access stops working = the VPN tunnel is disconnected? Or no traffic flows through the tunnel? You probably need to correct the NAT for some of the services.
What I see in these images is that your policy outside>inside doesn't have "Pabx_Web" VIP as destination, in order to perform DNAT.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
ede_pfau
Esteemed Contributor III

Using SNAT would make the traffic packets differ from the addresses contained in the SIP messages. Stop using SNAT altogether.

Of course you have to use the VIP in the policy, just declaring it will not make it effective.

I would not limit the DNAT to port tcp/8088 unless you have instructions to do so. What about RTP or SIP packets?

Dropping your SSLVPN depends on other policies not shown, and their placement in the policy table. Please supply that info as well.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
xspader
New Contributor

Thanks for the responses. I'll take some time in the next little while and rebuild the config to remove the central SNAT. Initially it was only going to be used for VPN and nothing else so it wasnt a problem. We're moving to a cloud PBX now so I'll have some time to change things without causing too much of a problem soon

Labels
Top Kudoed Authors