Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Problems with Asterisk server behind firewall
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with Asterisk server behind firewall
I suspect somebody has been down this road before.
I setup a new asterisk server behind the firewall. It has an internal IP, and it has a VIP assigned to it.
The relevant rules are (for now for testing).
piaf=192.168.0.1 (for example).
PIAF (VIP)
external IP
91.117.108.79 (for example)
internal ip
192.168.0.1
Internal to Wan
piaf allow all to all.
Wan to Internal
all to PIAF allow all.
I still can' t get any external clients working. Does anybody have any ideas?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The short story is - you have to use the " SIP ALG" to work.
Basically create a FW-rule with udp/5060 (SIP) passing through and apply a protection profile to this policy where, under the VoIP Section, you tick the SIP checkbox.
I highly recommend that you also search this forum for SIP
there have been many discussions around this.
-R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will do a search for SIP. I searched for asterisk and nothing much came up. In paticular I don' t care about internal phones.
I tried that technique which did not work. I might also give Fortigate a call later. I setup a PBX at home using the exact same settings on the PBX side of things (okay the externip setting is obviously different but that is insignificant) and it works without any problems.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately still nothing I haven' t tried.
I will post a solution when/if I find one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure you run something like a recent MR7 release.
Also apply a SIP-enabled Protection-Profile to the policy
vip:ext -> int.
# diag sniff pack internal ' udp port 5060'
and/or
# diag sniff pack internal ' host <ip-of-pbx>'
to see if at least this communication works (to PBX and reply from PBX)
# diag sniff pack internal ' host <ip-of-pbx>' 3
gives you full packet trace. Dump this to a file and have it converted with fgt2eth.pl (check kc.forticare.com) to PCAP Format for post Analysis in Wireshark.
Wireshark does have pretty nice SIP decoding.
-R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
red.adair
Any more ideas. The packet sniffing is obviously useful but in this case is brining me to a dead end. The traffic is being eaten and not by any rule that I can determine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well the plot thickens so to say.
I have 2 VDOMs. The first is connected to the 2 WAN interfaces and simply passes all traffic into the internal VDOM. It actually does no NAT even. The reason for this config is that I am running BGP to 2 ISPs. I need the same public IP to map to one machine from both WAN1&2. The fortigate won' t allow you to do that it is too smart except in the case of BGP it is too smart for it' s own good:-) The solution Fortinet provided was running with 2 VDOMs...
If I watch traffic coming into the external VDOM I can see the traffic coming in no problem.
If I watch the traffic flowing between the VDOMs it is sorely missing! Let alone inside the root VDOM where it also obviously can' t be seen as it never gets there.
The firewall policy on the BGP vdom is to allow ALL traffic from anywhere from either wan interface to the root VDOM and vice versa. In other words firewall policies should not be interfering at all.
Does anybody have any suggestions!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_what_ is eaten ? SIP or RTP or both ?
Did you apply a Protectionprofile with SIP enabled to the inbound VIP rule ?
Do you run a recent Version of MR7 (highly recommended when working with SIP) ?
whenever you do NAT (and a VIP is NAT; DNAT) you must use a SIP-enabled Protection profile - otherwise the SIP Header is not changed.
-R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
red.adair
It is eating SIP as for RTP who know we haven' t gotten there yet.
You are missing it however I am not doing NAT at the point the traffic is being eaten!
It doesn' t pass through a VDOM that only has public IP addresses assigned to any given interface! All it does is routing ruth 2 firewall rules just set to allow anything and everything. It' s purpose in life is to do BGP and that is it.
I see the traffic come in but I don' t see it hit the other side.
Here is a log (with IP addresses obfuscated).
Logging on wan1
141.182197 91.208.x.x.5060 -> 216.235.152.230.5060: udp 647
141.364724 91.208.x.x.5060 -> 216.235.152.230.5060: udp 647
150.602570 192.115.22.9.29454 -> 91.208.x.x.5060: udp 554
151.111102 192.115.x.x.29454 -> 91.208.x.x.5060: udp 554
152.111112 192.115.x.x.29454 -> 91.208.x.x.5060: udp 554
154.110166 192.115.x.x.29454 -> 91.208.x.x.5060: udp 554
capturing on the inter-vdom link
0.173618 91.208.x.x.5060 -> 216.235.152.230.5060: udp 647
0.356034 91.208.x.x.5060 -> 216.235.152.230.5060: udp 647
Again this has NO NAT involved!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i had this issue with vdom-links and traffic that is not comming back,
the trick is to use source nat on the policy that goes to the v-link.
good luck
player.
rock the boat , dont sink the ship
player. rock the boat , dont sink the ship
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Subject: Issue with MFA Integration between... 176 Views
- ZTNA policy is blocking me 273 Views
- FSSO broken on one of the... 264 Views
- HA problem in 121 G firewall... 503 Views
- Fortigate to Fortigate NATing and Routing 654 Views
Labels
-
FortiGate
8,256 -
FortiClient
1,668 -
5.2
801 -
FortiManager
692 -
5.4
639 -
FortiAnalyzer
526 -
FortiSwitch
446 -
FortiAP
439 -
6.0
416 -
FortiClient EMS
382 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
197 -
5.0
196 -
FortiWeb
193 -
FortiNAC
168 -
IPsec
166 -
FortiGuard
131 -
6.4
128 -
SD-WAN
101 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
77 -
Customer Service
75 -
Wireless Controller
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
VLAN
46 -
High Availability
45 -
ZTNA
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
40 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
32 -
Certificate
32 -
Interface
31 -
SSO
29 -
FortiConnect
28 -
Authentication
28 -
NAT
28 -
RADIUS
26 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
24 -
FortiGate v5.2
23 -
Application control
22 -
Virtual IP
22 -
Web profile
21 -
Logging
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
FortiCASB
12 -
SNMP
12 -
SSID
12 -
Admin
12 -
Static route
12 -
WAN optimization
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
Automation
11 -
System settings
11 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiDeceptor
6 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1603 | |
| 1048 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.