Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: SIP Problem with NAT
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIP Problem with NAT
Dear Bros!
I have deployed 1 case of SIP besides FGs, with NAT enabled, and many malfunctions were happenned.
Let me introduce about related infrastructure:
1. We have 4 sites: 1 HQ, 3 Remote sites(R1,R2,R3)
2. At HQ use FG-800F, R1,R3 use FG-60A, R2 use FG-100A. All of them have upgraded to latest build(v3.00, MR6, build 662)
3. SIP Server is located at HQ, inside FG-800F with VIP-enabled to accessible public IP address.
4. SIP clients will have 2 ways for registering to SIP Server:
a. Through WAN link(Fiber/DSL). This option use Route.
b. Through Internet public IP. This option use NAT.
The trouble at present as belows:
A. SIP Client register to SIP Srv through WAN link will work okie.
B. If force the SIP Client go through local FG, and register to SIP Srv through Internet IP, the register failed!!!However, then, the correlative SIP Client Phone also can receive calls from another phone, while can not call to others!!!
C. If by pass the local FG, and directly connect SIP Phone to ADSL modem, register successfully done...and phone can make call to other phones at HQ, however can not do the switching call follow IVR on local PBX!!!
I wonder if NAT and VIP are the problem in this case, when we use SIP over FGs?
Look foward your instructors help, bros...
Big tks to All!
Brgds
Work..40xx..Eat..40xx..Drink..40xx..
Sleep..40xx..and 9mare..also..40xx..too..
Never Stop Learning...
Work..40xx..Eat..40xx..Drink..40xx.. Sleep..40xx..and
9mare..also..40xx..too.. Never Stop Learning...
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Bros!
Anyone help me pls...
Another trouble, when upgrade to latest build V3.00, MR6, build 662,..after SIP call established, i only can talk within 18-20 seconds...then the session will be iterrupted...hixhix...
Big tks to All!
Brgds
Work..40xx..Eat..40xx..Drink..40xx..
Sleep..40xx..and 9mare..also..40xx..too..
Never Stop Learning...
Work..40xx..Eat..40xx..Drink..40xx.. Sleep..40xx..and
9mare..also..40xx..too.. Never Stop Learning...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a general rule in order to make a Fortigate " SIP Aware" is like:
#1 create a FW Policy (direct, NATed or VIPed) with SIP allowed (udp/5060 normally)
#2 create a Protection-profile with " SIP" ticked on under the VoIP Section
#3 apply this profile to the policy created in #1
This enables the SIP-ALG that will NAT (SIP-Header NAT) and open the RTP ports dynamically that are exchanged within SIP/SDP.
Don' t underestimate the complexitiy of SIP and its friend RTP!
-R.
Not applicable
Created on 05-23-2008 08:36 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We just spent the better part of 2 days fighting with something similar. We just deployed an Asterisk based PBX (Fonality...also known as Trixbox).
We have a Fortigate 60B w/ the latest firmware.
Phones were registering just fine, outbound calls were making it to our SIP trunk provider, but we were getting one-way audio. Obviously a problem with the RTP stream coming back. But we put the PBX in the DMZ, and left it wide open.
So, finally, here' s what we did:
1. Removed the SIP session helper entry through the CLI
2. Disabled session helper
3. Made sure NOT to enable any protection profiles that have " SIP" checked
I know the opposite is true for some other IP PBX systems based on comments I' ve seen in the forums, but this is what worked for us!
By the way, here' s a quick run down of the config we used:
DMZ-->WAN1 All allowed; NAT on; virtual IP mapping the public address to the IP of the PBX server
WAN1-->DMZ SIP (5060), UDP6600, and UDP10000-50000 Allowed
Not applicable
Created on 05-30-2008 03:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problems here, except that we didn' t manage to solve it.
We even try to make things more simplier.
We have public IP on WAN1 interface and we have public IP C class on INTERNAL interface on FG-100A and phone is able to register but no audio is passing trough FG-100A.
All protection profiles are disabled only policy which allows traffic from wan1 to internal for all traffic exist and policy which allows all traffic from INTERNAL to WAN1 exist.
And still SIP does not work..
I would say again...
We put some SSG temporarly in place of that FG-100 to enable VoIP to work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i re-read my earlier posting - it doesn' t say " disable protection profile" .
In order to get VoIP (SIP/RTP) to work you normally need a Protection profile with " SIP" ticked on.
For all those that may need a recap: VoIP (SIP/RTP) consist of the signalling channel which is " SIP" (usually tcp/udp 5060) and the " packetized speech" -> RTP.
SIP only maintains the call setup etc. and it tells the peers on which RTP ports the " voice" is being sent and received. Having that said you need " something" intelligent that parses the SIP communication, takes the appropriate information out and opens the RTP ports dynamically (to maintain security).
This " something intelligent" is the protection profile, attached to a " SIP / PASS" policy that listens to SIP and magically opens RTP.
#diag debug enable
#diag debug application im 255
will show you all the freaking details during a call setup and it will also show you the dynamically opened (pinholed) RTP ports (search for pinhole).
Needless to say that this outgoing SIP-policy normally also needs NAt to be ticked on.
ALSO - DO NOT USE stuff like STUN enabled on your PBX/Phone. Google is your friend to help understand what STUN is for and why it should not be used wih Firewalls that DO understand like Fortigate does.
According to your decription (Not use either Protection profile or the (old) session helper) it cannot work. And it will not.
Either use the (Old) session-helper OR (recommended) use the protection profile with SIP enabled.
You only need
ext(VIP)->>dmz(voip-srv) proto(sip) allow and have a " SIP enabled" protection profile to that policy !!
Why do you use NAT ???? your PBX than will see the " DMZ" IP as the " sender IP" - sounds useless. A VIP does DST-NAT, SRC-NAT won' t be needed i guess.
-R.
Not applicable
Created on 06-09-2008 02:06 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
red.adir,
Thank You very much for Your deep explanation of the way how sip is functioning and diag debug syntax.
Altough I have few more questions.
In Your post You mentioned " old session helper" , do You refer here to CLI command
config system setings
set sip-helper disable
or to something else. In my current setup I' m using sip session helper without any protection profiles. I was not aware of the fact that sip helper is now deprecated and
that only sip checkbox in protection profile is relevant.
I was trying to simplify the things as much as possible and that was the reason why I disabled all protection profiles and put public IP' s on all phones to avoid all possible issues with NAT.
In my setup I also don' t have local SIP server, I' m using one of the SIP service providers and all my phones connect to provider PBX.
Do You suggest to me that I should put all phones behind NAT and put VIP for the provider sip server ?
Can you please explain little bit more this sentence " A VIP does DST-NAT, SRC-NAT won' t be needed i guess. "
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config system setings set sip-helper disableThat' s the " old" " kernel based session helper" ; exactly. I mentioned the other stuff (like local sip server) because there was another poster that i understood uses this. If you' ve public ips - even better, no NAT :) BUT something has to open the " holes" (pinholes) to pass voice (RTP). And this is what the SIP-ALG also does (as it also does the NATing of SIP Headers in case it' s needed). Your policy would be like int->ext sip allow with a " sip enabled" Protection profile attached to it. That should do the job -R.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Do not show the policies found... 97 Views
- SDWAN (with two ISP) 114 Views
- Many SSL-VPN login failed attempts! What... 200 Views
- ZTNA within a 2 site setup... 118 Views
- Full SSL Inspection Suddenly Slowing Performance. 115 Views
Labels
-
FortiGate
8,012 -
FortiClient
1,606 -
5.2
801 -
FortiManager
677 -
5.4
639 -
FortiAnalyzer
516 -
FortiSwitch
423 -
FortiAP
421 -
6.0
416 -
5.6
362 -
FortiClient EMS
362 -
FortiMail
300 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
187 -
SSL-VPN
174 -
FortiNAC
160 -
IPsec
154 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
93 -
SD-WAN
88 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
68 -
4.0MR3
64 -
FortiProxy
53 -
Firewall policy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
22 -
Virtual IP
20 -
Web profile
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
FortiMonitor
16 -
Traffic shaping
16 -
Application control
16 -
FortiDDoS
15 -
FortiPAM
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Traffic shaping policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Security profile
6 -
Port policy
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Application signature
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1468 | |
| 1007 | |
| 748 | |
| 443 | |
| 206 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.