Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎02-16-2025 12:14 PM

SIP and NAT

Hi FG admins

 

From this tech tip:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Most-common-cases-of-SIP-implementation/ta...

 

I have this scenario (phones behind NAT):

 

Did all the required config, and even more:

config system settings
 set sip-expectation disable
 set sip-nat-trace disable
 set default-voip-alg-mode kernel-helper-based
end

config system session-helper
 delete 13
end

config voip profile
 edit "default"
  config sip
   set rtp disable
   set contact-fixup disable
  end
 end

...

 

Played with the above parameters and FG reboot but didn't work. I mean I have this behavior:

  • Calling from internal IP phone to external mobile cell phone (GSM): It rings but no voice
  • Calling from internal IP phone to internal IP phone: IP phone doesn't even ring

In the traffic logs I could see some "TCP reset from server" on SIP connections.

So I'm starting to think that probably on server side must be somehow configured to accept calls from IP phones behind NAT. Anyone knows something about that?

AEK
AEK
Labels:
324
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎02-27-2025 05:29 AM

Hi BJ & MB

The issue has been fixed by enabling proxy-based inspection mode in the related firewall rule. All worked just fine after that.

Thanks again to both.

AEK

View solution in original post

AEK
123
5 REPLIES 5
BJ_Prakash_Ghising
New Contributor II

Created on ‎02-16-2025 01:11 PM

Are you using VOIP profile on firewall policy? If so then SIP traffic is processed by SIP-ALG and you have RTP disabled on your VOIP config which means it will block automatic pinhole creation for SIP traffic.

 

308
0 Kudos
AEK
SuperUser
SuperUser
In response to BJ_Prakash_Ghising

Created on ‎02-16-2025 01:16 PM

Thanks for your feedback.

Tried both, using and without using VoIP profile, but got the same result.

AEK
AEK
301
BJ_Prakash_Ghising
New Contributor II
In response to AEK

Created on ‎02-16-2025 01:22 PM

Can you share the system config of your firewall. 

 

sh full system settings

or 

config system settings

sh full

 

You can also verify if traffic is processed by SIP or SIP-ALG

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-confirm-if-FortiGate-is-using-SIP-S...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-verify-if-SIP-traffic-is-being-insp...

 

296
MZBZ
Staff
Staff

Created on ‎02-16-2025 01:30 PM

By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.
https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/147933/sip-alg-and-sip-sessi...

 

M. B.
290
AEK
SuperUser
SuperUser

Created on ‎02-27-2025 05:29 AM

Hi BJ & MB

The issue has been fixed by enabling proxy-based inspection mode in the related firewall rule. All worked just fine after that.

Thanks again to both.

AEK
AEK
124
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.