We have a fortinet firewall: FortiGate 311B Firmware Version v5.2.3,build670 (GA) [Update] We are working in NAT configuration Poort 1 is used for management. Poort 2 is uplink to outside world The other ports are aggregated in one pipe with each of them having there own small subnet. third digit representing the port number. Registration is not ok, due to NAT problem I attached 195.207.5.83 : public ip on the internet side. 10.40.5.135 : local ip assigned to ALU equipment Fortinet firewall should do the NAT to translate the IP. Attached trace is taken on the ALU equipment, public ip should not be seen in SIP reply messages sent to ALU equipment. See packet 4 in register_nok_fortinet_problem.pcap In packet 4 the ip in the contact header from the public side should be replaced by isam IP again. Now it is : sip.Contact == "<sip:01150900027@195.207.5.83:50177>;expires=120" It should be replaced by : sip.Contact == "<sip:01150900027@10.40.5.135:50177>;expires=120" SIP session Helper is disabled.
It seems the private IP is not translated anymore into the public ip. On the internet side we can see 10.40.5.135. I expect the public internet ip 195.207.5.83 would always be used at internet side.
Are we missing somehow a parameter in the configuration or is this still some firmware problem?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If NAT is enabled in policy and you see an actual packet the contains your local lan IP, it is your pbx that sends it that way.
Had same issue with Asterisk. ISP told pbx is sending packets that contain internal IP, dunno which setting that is in asterisk itself as I'm only managing firewalls.
Hi
Thanks for your response.
So if NAT is enabled, this is what is supposed to happen? I have a debug output below.
G311B3910600789 # config vdom
FG311B3910600789 (vdom) # edit voice
edit voice
current vf=voice:1
FG311B3910600789 (voice) # diag debug flow filter saddr 10.40.5.135
FG311B3910600789 (voice) # diag debug flow show function-name en
show function name
FG311B3910600789 (voice) # diag debug flow show console en
show trace messages on console
FG311B3910600789 (voice) # diag debug en
FG311B3910600789 (voice) # diag debug flow trace start
FG311B3910600789 (voice) # id=20085 trace_id=8 func=print_pkt_detail line=4378 msg="vd-voice received a packet(proto=17, 10.40.5.135:50177->200.51.171.58:5060) from port5. "
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00b61ad7, original direction"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2523 msg="SNAT 10.40.5.135->195.207.5.83:50177"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2574 msg="run helper-sip(dir=original)"
Kind regards
Miata
Is your problem SIP registration or NAT? I think you need to clear that, but what I'm guessing is the SIP fixup for the registration is showing the inside 10net address and this is why your SIP-registration is failing.
Do you have a voice profile defined and in used on the policy ?
PCNSE
NSE
StrongSwan
Hello
I believe the SIP registration is failing because of a NAT problem, but you're right, I need to clarify this.
Please keep an eye on this post whilst I go over a few things and talk to a few people.
Thank you very much for your help
Regards
Miata
Miata wrote:Hello
I believe the SIP registration is failing because of a NAT problem, but you're right, I need to clarify this.
Please keep an eye on this post whilst I go over a few things and talk to a few people.
Thank you very much for your help
Regards
Miata
If you see in flow trace that fortigate does NAT for your pbx it only means that registration fails. And that is setting on pbx itself.
Good stuff,
So where can I go from here?
Regards
Miata
Miata wrote:Good stuff,
So where can I go from here?
Regards
Miata
Your PBX config... I cannot help config it, I've no knowledge in those.
Not to mention that there quite a few of those in market :)
If it's asterisk pbx I'd start with sip.conf and their wiki/forum.
Haven't done a lot with SIP-REGISTER & fortigate, but I would dump the sip method register for the UAC and see what's being sent. It probably need fixup
e.g
username@x.x.x.x ( private address ) ------changed----> username@y.y.y.y ( public address ) or something to that nature.
Contact: <sip:socpup@10.2.1.89:49318;rinstance=f5e952fda8e9a7b2> Contact URI: sip:socpup@10.2.1.89:49318;rinstance=f5e952fda8e9a7b2 Contact URI User Part: socpup Contact URI Host Part: 10.2.1.89 Contact URI Host Port: 49318 Contact URI parameter: rinstance=f5e952fda8e9a7b2 To: <sip:socpup@voice.com>
The private parts in the SIP header needs to be fixup to match the public NAT address. So start taking dump b4 and after nat.
PCNSE
NSE
StrongSwan
Thanks for your responses guys.
We have a NAT problem which has consequences on registrations and on calls.
We installed the Fortinet Firewall to hide our network to the public internet. So I believe that on our network we should only see our local IP addresses and on the public internet we should only see public IP addresses.
Isamv (ALU box) is connected to Fortinet Firewall via a local network. Our ALU box only is aware of local ip, internet ip are unknown for this box. So all messages (H248 or SIP) send from our box use local ip.
Fortinet Firewall is connected to the public internet. On the public internet other devices are connected but they only are aware of the public ip applied on the fortinet firewall.
So, our problem is simple. We want our fortinet firewall to make sure local ip stay local and public ip stay on the internet. We have a mirror between our box and the fortinet firewall. Regularly a public ip address inside a SIP or an H248 message is appearing on our local network. . We have also a mirror between the fortinet firewall and the internet. Regularly our local IP address is appearing on the internet inside a SIP or an H248 message.
Can you help to check the software or our configuration in order the NAT is done as expected?
This problem has also impact on our customers.
Kind regards,
Miata
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.