Created on 05-05-2010 08:07 AM
Firewall > Virtual IP
Name : Asterisk SIP server
External interface : Wan1
Type : static NAT
External IP address : 0.0.0.0
Mapped IP address : 192.168.80.8
Port forwarding : not ticked/checked

HTTP, HTTPS, PING and DNS communication from VLAN 80 to the Internet work well. Asterisk can perform DNS queries without issue. Asterisk has 1 SIP trunk to two different SIP providers. The config has been checked and works perfectly well without the Fortigate firewall in between. It also works perfectly well with a basic firewall forwarding the appropriate port 5060 and RTP ports 10000-10008 to Asterisk: Asterisk can send calls and receive calls. However, with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialogs from inside to the SIP provider are working. Incoming SIP calls fail. So I did what was advised by the guide to perform SIP calls. I added the two following policies:

Firewall > Policy 1
Source interface : wan1
Source address : all
Destination interface : VLAN Voice
Destination address : Asterisk SIP server
Schedule : always
Service : SIP
Action : Accept

Firewall > Policy 2
Source interface : VLAN Voice
Source address : all
Destination interface : wan1
Destination address : all
Schedule : always
Service : SIP
Action : Accept
NAT : enabled
Protection profile : SIP_Profile

Firewall > Protection profile
Name : SIP_Profile
Application Control > Application Black/White List : App_list_SIP
Logging > Log Application Control : yes

UTM > Application Control
Name : App_List_SIP
List Type : White List
Category : VoIP
Application : SIP
Limit REGISTER request : 5
Limit INVITE request : 5
Enable Logging : yes
Enable Logging of Violations : Yes

I also removed the SIP session-helper as advised:

config system session-helper
    delete 20
end
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

I restarted the FortiGate for the changes to take effect. The result is that VLAN Voice loses all communication with the Internet. No more calls, PING or DNS queries are possible with these policies. I tried to enable each policy on its own and it seems that the problem comes from Policy 1, because as soon as I enable it, the Asterisk server can no longer PING or make any DNS query to a public IP address, though I still can ping my wan1 interface. It looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my "Asterisk SIP server" Virtual IP configuration. If anybody has a clue or any idea I would be grateful, as I really need this server to work. Thanks
Created on 05-20-2010 12:11 PM
Firewall > Virtual IP
Name : Asterisk SIP server UDP 5060
External interface : Wan1
Type : static NAT
External IP address : 0.0.0.0
Mapped IP address : 192.168.80.8
Port forwarding : external service port UDP 5060 mapped to internal port UDP 5060

Firewall > Policy 1
Source interface : Wan1
Source address : all
Destination interface : VLAN Voice
Destination address : Asterisk SIP server UDP 5060
Schedule : always
Service : ANY
Action : Accept
NAT : disabled
Protection profile : SIP_Profile

Moreover, there was a bug in Firmware Version 4.0 MR1 build 196. The level 2 Fortinet engineer said:

"What occurred is that the VIP firewall policy was breaking the source NAT of the outgoing firewall policy. Removing the VIP firewall policy solved the problem. However this is a bad behavior from the Fortigate; this problem has already been reported under id 112720. This problem is fixed in FortiOS 4.2"

To make the story short, we removed Policy 1 and it worked. But... after a reboot, this solution was no longer working. So I decided to upgrade to version 4.0 MR2 build 272. We recreated Policy 1 and it worked. I was able to receive inbound calls. The solution was stable: after a reboot it was still working. By the way, the support team said that the "Application control list" needs to be a "Black list" in order to work with SIP. The engineer confirmed that it's a strange way, but it has to be so.

BUT... I saw that version 4.0 MR2 has a new feature in UTM > VoIP > Profile, so I decided to test it! This feature creates a profile that you can directly apply to a policy without the need of a "protection profile" in between. So I created it:

UTM > VoIP > Profile
Name : VoIP_Pro
SIP
  Limit REGISTER request : 100
  Limit INVITE request : 100
  Enable Logging : yes
  Enable Logging of Violations : No
SCCP
  Limit Call Setup : 0
  Enable Logging : yes

You can then add this profile directly to a policy. You just need to enable the "UTM" checkbox, and enable the "Enable VoIP" checkbox under the "Control" section. Then select the "VoIP_Pro" VoIP profile you just created. After that, I disabled Policy 1 and Policy 2 from my previous test, and created two new policies:

Firewall > Policy 3
Source interface : wan1
Source address : all
Destination interface : VLAN Voice
Destination address : Asterisk SIP server UDP 5060
Schedule : always
Service : ANY
Action : Accept
NAT : Disabled
UTM : enabled
CONTROL "enable VoIP" : enabled ; List = VoIP_Pro

Firewall > Policy 4
Source interface : VLAN Voice
Source address : all
Destination interface : wan1
Destination address : all
Schedule : always
Service : SIP
Action : Accept
NAT : enabled
UTM : enabled
CONTROL "enable VoIP" : enabled ; List = VoIP_Pro

The result was that I could receive inbound calls from one of my SIP providers, but not from the other one. We searched, tested, debugged, took packet captures, etc. After a long search it appeared that the Fortigate was behaving strangely with NAT: it was NAT-translating the IP address of the "To:" field in the SIP header. Moreover, the engineer could show that during the REGISTER phase of Asterisk to the SIP provider, the Fortigate was modifying the IP port of the "Contact" field in the SIP header. The SIP proxy server of the provider was correctly responding to this port, but the Fortigate just decided to drop the answer. This looked to be a bug, so the development team got involved. In the meantime the engineer noticed that Asterisk was modifying the source IP address of the SIP header. I explained to him that I had configured the following parameters on my Asterisk so that it detects when there is NAT and updates the source address with the correct public IP instead of its own private IP (192.168.80.8):

localnet=192.168.80.0/24
externhost=myname.dyndns.org

We then tested without those parameters, leaving the Fortigate to handle the whole NAT part by itself. This solved the issue. It appears that letting Asterisk manage the NAT for the SIP source IP address causes the "Fortigate Version 4.0MR2 build 272" to behave strangely. For me it's a bug. I'm still waiting for the response from the development team to know whether they will consider it as a bug and create an update to solve this issue or not. I hope my feedback will help future fans of Asterisk using a Fortigate unit as firewall. As a conclusion, if your Asterisk is behind NAT and your SIP provider or your phones are on the Internet side, just let your Fortigate unit handle the whole NAT part, including the SIP source address.

UTM > VoIP > Profile
Name : VoIP_Pro
SIP
  Limit REGISTER request : 100
  Limit INVITE request : 100
  Enable Logging : yes
  Enable Logging of Violations : No
SCCP
  Limit Call Setup : 0
  Enable Logging : yes

Firewall > Virtual IP
Name : Asterisk SIP server UDP 5060
External interface : Wan1
Type : static NAT
External IP address : 0.0.0.0 (this is for a wan interface that gets a dynamic IP address from your ISP)
Mapped IP address : 192.168.80.8 (this is your Asterisk NATed private IP address)
Port forwarding : external service port UDP 5060 mapped to internal port UDP 5060 (you could instead create a VIP with TCP port 5060, but it's useless most of the time. This depends on your SIP provider in fact. Use Wireshark to check how your SIP provider's server is behaving.)

Firewall > inbound Policy
Source interface : wan1
Source address : all
Destination interface : VLAN Voice
Destination address : Asterisk SIP server UDP 5060
Schedule : always
Service : ANY
Action : Accept
NAT : Disabled
UTM : enabled
CONTROL "enable VoIP" : enabled ; List = VoIP_Pro

Firewall > outbound Policy
Source interface : VLAN Voice
Source address : all
Destination interface : wan1
Destination address : all
Schedule : always
Service : SIP
Action : Accept
NAT : enabled
UTM : enabled
CONTROL "enable VoIP" : enabled ; List = VoIP_Pro

Good luck with your Asterisk-Fortigate love story!
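The post's troubleshooting came down to comparing the REGISTER Asterisk sent with what the provider saw after the FortiGate's SIP ALG had rewritten it. The script below is an added example, not part of the original post or any Fortinet tool: it diffs the SIP headers of a message captured inside and outside the firewall, flags rewrites beyond the Via/Contact fix-ups a NAT ALG is expected to make (such as the "To:" field the engineer found), and extracts the Contact port the provider will reply to. Both messages are constructed samples; 203.0.113.10 stands in for the WAN public IP and 198.51.100.20 for the provider's proxy.

```python
# Added example: diff a SIP REGISTER as sent by Asterisk (inside the
# FortiGate) against the same message on the WAN side to see what the
# SIP ALG rewrote.  Constructed samples; 203.0.113.10 is the assumed
# public WAN IP, 198.51.100.20 the assumed provider proxy.
import re

INSIDE = """REGISTER sip:198.51.100.20 SIP/2.0
Via: SIP/2.0/UDP 192.168.80.8:5060;branch=z9hG4bK-abc;rport
From: <sip:1001@198.51.100.20>;tag=1a2b
To: <sip:1001@198.51.100.20>
Contact: <sip:1001@192.168.80.8:5060>
"""

OUTSIDE = """REGISTER sip:198.51.100.20 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-abc;rport
From: <sip:1001@198.51.100.20>;tag=1a2b
To: <sip:1001@203.0.113.10>
Contact: <sip:1001@203.0.113.10:15060>
"""

# Headers a NAT ALG legitimately rewrites to replace the private address.
EXPECTED_REWRITES = {"Via", "Contact"}
HOSTPORT_RE = re.compile(r"@([\d.]+)(?::(\d+))?")


def parse_headers(msg):
    """Return {header name: value} for one SIP message (request line skipped)."""
    headers = {}
    for line in msg.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def alg_rewrites(inside, outside):
    """Headers whose value differs between the two captures: {name: (in, out)}."""
    a, b = parse_headers(inside), parse_headers(outside)
    return {h: (a[h], b.get(h)) for h in a if a[h] != b.get(h)}


def unexpected_rewrites(inside, outside):
    """Rewritten headers outside the Via/Contact set, e.g. a translated To: field."""
    return sorted(set(alg_rewrites(inside, outside)) - EXPECTED_REWRITES)


def contact_port(msg):
    """Port in the Contact header; the provider replies here, so the firewall
    must accept answers on it even when the ALG changed it (default 5060)."""
    m = HOSTPORT_RE.search(parse_headers(msg).get("Contact", ""))
    return int(m.group(2)) if m and m.group(2) else 5060
```

Run it on a real pair of captures (one on the VLAN Voice side, one on wan1) and anything reported by unexpected_rewrites, or a Contact port that differs between the two, is what to show the support engineer.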