Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SIP Problem with NAT
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIP Problem with NAT
Dear Bros!
I have deployed 1 case of SIP besides FGs, with NAT enabled, and many malfunctions were happenned.
Let me introduce about related infrastructure:
1. We have 4 sites: 1 HQ, 3 Remote sites(R1,R2,R3)
2. At HQ use FG-800F, R1,R3 use FG-60A, R2 use FG-100A. All of them have upgraded to latest build(v3.00, MR6, build 662)
3. SIP Server is located at HQ, inside FG-800F with VIP-enabled to accessible public IP address.
4. SIP clients will have 2 ways for registering to SIP Server:
a. Through WAN link(Fiber/DSL). This option use Route.
b. Through Internet public IP. This option use NAT.
The trouble at present as belows:
A. SIP Client register to SIP Srv through WAN link will work okie.
B. If force the SIP Client go through local FG, and register to SIP Srv through Internet IP, the register failed!!!However, then, the correlative SIP Client Phone also can receive calls from another phone, while can not call to others!!!
C. If by pass the local FG, and directly connect SIP Phone to ADSL modem, register successfully done...and phone can make call to other phones at HQ, however can not do the switching call follow IVR on local PBX!!!
I wonder if NAT and VIP are the problem in this case, when we use SIP over FGs?
Look foward your instructors help, bros...
Big tks to All!
Brgds
Work..40xx..Eat..40xx..Drink..40xx..
Sleep..40xx..and 9mare..also..40xx..too..
Never Stop Learning...
Work..40xx..Eat..40xx..Drink..40xx.. Sleep..40xx..and
9mare..also..40xx..too.. Never Stop Learning...
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Bros!
Anyone help me pls...
Another trouble, when upgrade to latest build V3.00, MR6, build 662,..after SIP call established, i only can talk within 18-20 seconds...then the session will be iterrupted...hixhix...
Big tks to All!
Brgds
Work..40xx..Eat..40xx..Drink..40xx..
Sleep..40xx..and 9mare..also..40xx..too..
Never Stop Learning...
Work..40xx..Eat..40xx..Drink..40xx.. Sleep..40xx..and
9mare..also..40xx..too.. Never Stop Learning...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a general rule in order to make a Fortigate " SIP Aware" is like:
#1 create a FW Policy (direct, NATed or VIPed) with SIP allowed (udp/5060 normally)
#2 create a Protection-profile with " SIP" ticked on under the VoIP Section
#3 apply this profile to the policy created in #1
This enables the SIP-ALG that will NAT (SIP-Header NAT) and open the RTP ports dynamically that are exchanged within SIP/SDP.
Don' t underestimate the complexitiy of SIP and its friend RTP!
-R.
Not applicable
Created on 05-23-2008 08:36 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We just spent the better part of 2 days fighting with something similar. We just deployed an Asterisk based PBX (Fonality...also known as Trixbox).
We have a Fortigate 60B w/ the latest firmware.
Phones were registering just fine, outbound calls were making it to our SIP trunk provider, but we were getting one-way audio. Obviously a problem with the RTP stream coming back. But we put the PBX in the DMZ, and left it wide open.
So, finally, here' s what we did:
1. Removed the SIP session helper entry through the CLI
2. Disabled session helper
3. Made sure NOT to enable any protection profiles that have " SIP" checked
I know the opposite is true for some other IP PBX systems based on comments I' ve seen in the forums, but this is what worked for us!
By the way, here' s a quick run down of the config we used:
DMZ-->WAN1 All allowed; NAT on; virtual IP mapping the public address to the IP of the PBX server
WAN1-->DMZ SIP (5060), UDP6600, and UDP10000-50000 Allowed
Not applicable
Created on 05-30-2008 03:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problems here, except that we didn' t manage to solve it.
We even try to make things more simplier.
We have public IP on WAN1 interface and we have public IP C class on INTERNAL interface on FG-100A and phone is able to register but no audio is passing trough FG-100A.
All protection profiles are disabled only policy which allows traffic from wan1 to internal for all traffic exist and policy which allows all traffic from INTERNAL to WAN1 exist.
And still SIP does not work..
I would say again...
We put some SSG temporarly in place of that FG-100 to enable VoIP to work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i re-read my earlier posting - it doesn' t say " disable protection profile" .
In order to get VoIP (SIP/RTP) to work you normally need a Protection profile with " SIP" ticked on.
For all those that may need a recap: VoIP (SIP/RTP) consist of the signalling channel which is " SIP" (usually tcp/udp 5060) and the " packetized speech" -> RTP.
SIP only maintains the call setup etc. and it tells the peers on which RTP ports the " voice" is being sent and received. Having that said you need " something" intelligent that parses the SIP communication, takes the appropriate information out and opens the RTP ports dynamically (to maintain security).
This " something intelligent" is the protection profile, attached to a " SIP / PASS" policy that listens to SIP and magically opens RTP.
#diag debug enable
#diag debug application im 255
will show you all the freaking details during a call setup and it will also show you the dynamically opened (pinholed) RTP ports (search for pinhole).
Needless to say that this outgoing SIP-policy normally also needs NAt to be ticked on.
ALSO - DO NOT USE stuff like STUN enabled on your PBX/Phone. Google is your friend to help understand what STUN is for and why it should not be used wih Firewalls that DO understand like Fortigate does.
According to your decription (Not use either Protection profile or the (old) session helper) it cannot work. And it will not.
Either use the (Old) session-helper OR (recommended) use the protection profile with SIP enabled.
You only need
ext(VIP)->>dmz(voip-srv) proto(sip) allow and have a " SIP enabled" protection profile to that policy !!
Why do you use NAT ???? your PBX than will see the " DMZ" IP as the " sender IP" - sounds useless. A VIP does DST-NAT, SRC-NAT won' t be needed i guess.
-R.
Not applicable
Created on 06-09-2008 02:06 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
red.adir,
Thank You very much for Your deep explanation of the way how sip is functioning and diag debug syntax.
Altough I have few more questions.
In Your post You mentioned " old session helper" , do You refer here to CLI command
config system setings
set sip-helper disable
or to something else. In my current setup I' m using sip session helper without any protection profiles. I was not aware of the fact that sip helper is now deprecated and
that only sip checkbox in protection profile is relevant.
I was trying to simplify the things as much as possible and that was the reason why I disabled all protection profiles and put public IP' s on all phones to avoid all possible issues with NAT.
In my setup I also don' t have local SIP server, I' m using one of the SIP service providers and all my phones connect to provider PBX.
Do You suggest to me that I should put all phones behind NAT and put VIP for the provider sip server ?
Can you please explain little bit more this sentence " A VIP does DST-NAT, SRC-NAT won' t be needed i guess. "
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config system setings set sip-helper disableThat' s the " old" " kernel based session helper" ; exactly. I mentioned the other stuff (like local sip server) because there was another poster that i understood uses this. If you' ve public ips - even better, no NAT :) BUT something has to open the " holes" (pinholes) to pass voice (RTP). And this is what the SIP-ALG also does (as it also does the NATing of SIP Headers in case it' s needed). Your policy would be like int->ext sip allow with a " sip enabled" Protection profile attached to it. That should do the job -R.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- [Help] SD-WAN with BGP on Loopback... 175 Views
- Fortigate Rugged 60F unable to HA... 70 Views
- Unreliable SSL VPN Performance and Poor... 74 Views
- FortiEMS and AutoConnect/AlwaysUP 146 Views
- Custom DNS is not working with... 234 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.