Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SIP in nat configuration problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIP in nat configuration problem
We have a fortinet firewall: FortiGate 311B Firmware Version v5.2.3,build670 (GA) [Update] We are working in NAT configuration Poort 1 is used for management. Poort 2 is uplink to outside world The other ports are aggregated in one pipe with each of them having there own small subnet. third digit representing the port number. Registration is not ok, due to NAT problem I attached 195.207.5.83 : public ip on the internet side. 10.40.5.135 : local ip assigned to ALU equipment Fortinet firewall should do the NAT to translate the IP. Attached trace is taken on the ALU equipment, public ip should not be seen in SIP reply messages sent to ALU equipment. See packet 4 in register_nok_fortinet_problem.pcap In packet 4 the ip in the contact header from the public side should be replaced by isam IP again. Now it is : sip.Contact == "<sip:01150900027@195.207.5.83:50177>;expires=120" It should be replaced by : sip.Contact == "<sip:01150900027@10.40.5.135:50177>;expires=120" SIP session Helper is disabled.
It seems the private IP is not translated anymore into the public ip. On the internet side we can see 10.40.5.135. I expect the public internet ip 195.207.5.83 would always be used at internet side.
Are we missing somehow a parameter in the configuration or is this still some firmware problem?
Labels:
- Labels:
-
5.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
23 REPLIES 23
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If NAT is enabled in policy and you see an actual packet the contains your local lan IP, it is your pbx that sends it that way.
Had same issue with Asterisk. ISP told pbx is sending packets that contain internal IP, dunno which setting that is in asterisk itself as I'm only managing firewalls.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for your response.
So if NAT is enabled, this is what is supposed to happen? I have a debug output below.
G311B3910600789 # config vdom
FG311B3910600789 (vdom) # edit voice
edit voice
current vf=voice:1
FG311B3910600789 (voice) # diag debug flow filter saddr 10.40.5.135
FG311B3910600789 (voice) # diag debug flow show function-name en
show function name
FG311B3910600789 (voice) # diag debug flow show console en
show trace messages on console
FG311B3910600789 (voice) # diag debug en
FG311B3910600789 (voice) # diag debug flow trace start
FG311B3910600789 (voice) # id=20085 trace_id=8 func=print_pkt_detail line=4378 msg="vd-voice received a packet(proto=17, 10.40.5.135:50177->200.51.171.58:5060) from port5. "
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00b61ad7, original direction"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2523 msg="SNAT 10.40.5.135->195.207.5.83:50177"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2574 msg="run helper-sip(dir=original)"
Kind regards
Miata
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your problem SIP registration or NAT? I think you need to clear that, but what I'm guessing is the SIP fixup for the registration is showing the inside 10net address and this is why your SIP-registration is failing.
Do you have a voice profile defined and in used on the policy ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I believe the SIP registration is failing because of a NAT problem, but you're right, I need to clarify this.
Please keep an eye on this post whilst I go over a few things and talk to a few people.
Thank you very much for your help
Regards
Miata
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Miata wrote:Hello
I believe the SIP registration is failing because of a NAT problem, but you're right, I need to clarify this.
Please keep an eye on this post whilst I go over a few things and talk to a few people.
Thank you very much for your help
Regards
Miata
If you see in flow trace that fortigate does NAT for your pbx it only means that registration fails. And that is setting on pbx itself.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good stuff,
So where can I go from here?
Regards
Miata
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Miata wrote:Good stuff,
So where can I go from here?
Regards
Miata
Your PBX config... I cannot help config it, I've no knowledge in those.
Not to mention that there quite a few of those in market :)
If it's asterisk pbx I'd start with sip.conf and their wiki/forum.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haven't done a lot with SIP-REGISTER & fortigate, but I would dump the sip method register for the UAC and see what's being sent. It probably need fixup
e.g
username@x.x.x.x ( private address ) ------changed----> username@y.y.y.y ( public address ) or something to that nature.
Contact: <sip:socpup@10.2.1.89:49318;rinstance=f5e952fda8e9a7b2> Contact URI: sip:socpup@10.2.1.89:49318;rinstance=f5e952fda8e9a7b2 Contact URI User Part: socpup Contact URI Host Part: 10.2.1.89 Contact URI Host Port: 49318 Contact URI parameter: rinstance=f5e952fda8e9a7b2 To: <sip:socpup@voice.com>
The private parts in the SIP header needs to be fixup to match the public NAT address. So start taking dump b4 and after nat.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your responses guys.
We have a NAT problem which has consequences on registrations and on calls.
We installed the Fortinet Firewall to hide our network to the public internet. So I believe that on our network we should only see our local IP addresses and on the public internet we should only see public IP addresses.
Isamv (ALU box) is connected to Fortinet Firewall via a local network. Our ALU box only is aware of local ip, internet ip are unknown for this box. So all messages (H248 or SIP) send from our box use local ip.
Fortinet Firewall is connected to the public internet. On the public internet other devices are connected but they only are aware of the public ip applied on the fortinet firewall.
So, our problem is simple. We want our fortinet firewall to make sure local ip stay local and public ip stay on the internet. We have a mirror between our box and the fortinet firewall. Regularly a public ip address inside a SIP or an H248 message is appearing on our local network. . We have also a mirror between the fortinet firewall and the internet. Regularly our local IP address is appearing on the internet inside a SIP or an H248 message.
Can you help to check the software or our configuration in order the NAT is done as expected?
This problem has also impact on our customers.
Kind regards,
Miata
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How to Modify convergence times in... 19 Views
- Not receiving fortigate activation token 110 Views
- Web Filter issues 47 Views
- FortiProxy - how to configure no... 48 Views
- ForticlientVPN - Permission denied (-455) 76 Views
Labels
-
FortiGate
8,359 -
FortiClient
1,691 -
5.2
801 -
FortiManager
705 -
5.4
639 -
FortiAnalyzer
534 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
394 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
194 -
IPsec
177 -
FortiNAC
171 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiPAM
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.