Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎05-05-2010 08:07 AM

[solved] How to configure Fortigate with SIP for an Asterisk server

Hi everyone, I' m trying to configure my Fortigate in order that it let my Asterisk server perform VoIP call on the Internet. My Fortigate 50B is connected to Internet with interface WAN1 via a Modem in transparent Mode (so the Firewall get a public IP from my ISP). On the Internal interface of the Fortigate, a Nortel Business Ethernet switch 50 is connected. VLAN " 80" (192.168.80.1) is configured on the internal port of the Firewall and on the switch port where it is connected to. On the Nortel switch ports of the VLAN " 80" an Asterisk server (192.168.80.8) and 2 IP phones are connected (192.168.80.51 and 192.168.80.52). Internal interface is set with 192.168.2.1 / 24. Concerning Policies, I juste open everything from inside to outside. This mean Source=all, Destination=all, Services=any for the following interfaces : VLAN 80 to wan1 Internal to Wan1 I setup a Virtual IP : Firewall > VIP 
Name : Asterisk SIP server
 External interface : Wan1
 Type : static NAT
 External IP address : 0.0.0.0
 Mapped IP addres : 192.168.80.8
 Port fowarding not ticked/checked
---- HTTPS, HTTPS, PING and DNS communication from VLAN 80 to Internet do work well. Asterisk can perform DNS queries without issue. Asterisk as 1 SIP trunk to two different SIP providers. Config has been checked and work perfectly well without Fortigate Firewall in between. It works as well perfectly well with a basic Firewall forwarding appropriate port 5060 and rtp ports 10000-10008 to Asterisk. Asterisk can send calls and receive calls. However with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialog from inside to SIP provider are working. Incoming SIP calls fail. So I did what was advised by the guide to perform SIP call. I added the two following policies : Firewall > Policy 1 
Source interface : wan1
 Source address : all
 Destination interface : VLAN Voice
 Destination address : Asterisk SIP server
 Schedule : always
 Service : SIP
 Action : Accept
Firewall > Policy 2 
Source interface : VLAN Voice
 Source address : all
 Destination interface : wan1
 Destination address : all
 Schedule : always
 Service : SIP
 Action : Accept
 NAT : enabled
 Protection profile : SIP_Profile
Firewall > Protection profile 
Name : SIP_Profile
 Application Control > Application Black/White List : App_list_SIP
 Logging > Log Application Control : yes
UTM > Application Control 
Name : App_List_SIP
 Liste Type > White List
 
 Category : VoIP
 Application : SIP
 Limit REGISTER request : 5
 Limit INVITE request : 5
 Enable Logging : yes
 Enable Logging of Violations : Yes
I as well removed the SIP session-helper as adviced : 
config system session-helper
 delete 20
 end
 
 config system settings
 set sip-helper disable
 set set sip-nat-trace disable
 end
I restarted the FortiGate for changes to take effect. The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration. If anybody as a clue or any idea I would be gratefull as I really need this server to work. Thanks
20875
0 Kudos
11 REPLIES 11
Not applicable

Created on ‎05-20-2010 12:11 PM

Hello guys, Finaly I end up with a solution from the Fortinet support team after more than two weeks of research and debbuging. I had to escalate it up to level 3 developpement support team. Thanks to Xavier Galbois. It was nice to solve this case in french (would have been a nightmare in english). To be short, it appeared that : - The VIP and Policy 1 were not complete and incorrect. We had to modify them. Firewall > VIP 
Name : Asterisk SIP server UDP 5060
 External interface : Wan1
 Type : static NAT
 External IP address : 0.0.0.0
 Mapped IP addres : 192.168.80.8
 Port fowarding : external service port UDP 5060 map to internal port UDP 5060
Firewall > Policy 1 
Source interface : Wan1
 Source address : all
 Destination interface : VLAN VOice
 Destination address : Asterisk SIP server UDP 5060
 Schedule : always
 Service : ANY
 Action : Accept
 NAT : disabled
 Protection profile : SIP_Profile
Moreover, there was a bug in the Firmware Version 4.0 MR1 build 196. The level 2 Fortinet engineer said :
" What occured is that the VIP firewall policy was breaking the source NAt of the outgoing firewall policy. Removing the VIP firewall policy solved the problem. however this is a bad behavior from the fortigate, this problem has already been reported under id 112720. This problem is fixed in FortiOS 4.2"
To make the story short, we removed the Policy 1 and it worked. But... After a reboot, this solution was no more working. So I decided to upgrade to version 4.0 MR2 Build 272. We recreated the Policy 1 and it worked. I was able to receive inbound calls. The solution was stable. After a reboot the solution was still working. By the way, the support team said that the correct use of the " Application control list" need to be a " Black list" in order to work with SIP. The engineer confirmed that it' s a strange way, but it has to be so. BUT... I saw that version 4.0 MR2 has a new feature in UTM > VoIP > Profile. So I decided to test it ! This feature create a profile that you can directly apply to a policy without the need of a " protection profile" in between. So I created it : UTM > VoIP > Profile 
Name : VoIP_Pro
 SIP
 Limit REGISTER request : 100
 Limit INVITE request : 100
 Enable Logging : yes
 Enable Logging of Violations : No
 SCCP
 Limit Call Setup : 0
 Enable Logging : yes
You can then add this profile directly to a Policy. You just need to enable the " UTM" checkbox, and enable the " Enable VoIP" checkbox under the " Control" section. Then select your " VoIP_Pro" voip profile you just created. After that, I disabled Policy 1 and Policy 2 from my previous test, and created two new policies : Firewall > Policy 3 
Source interface : wan1
 Source address : all
 Destination interface : VLAN Voice
 Destination address : Asterisk SIP server UDP 5060
 Schedule : always
 Service : ANY
 Action : Accept
 NAT : Disabled
 UTM : enabled
 CONTROL " enable VoIP"  : enabled ; List = VoIP_Pro
Firewall > Policy 4 
Source interface : VLAN Voice
 Source address : all
 Destination interface : wan1
 Destination address : all
 Schedule : always
 Service : SIP
 Action : Accept
 NAT : enabled
 UTM : enabled
 CONTROL " enable VoIP"  : enabled ; List = VoIP_Pro
The result was that I could receive inbound call from one of my SIP providers, but not from the other one. We searched, tested, debugged, packet captures, etc... ... after a long search it appeared that the Fortigate was behaving strangely with NAT : It was NATranslating the IP address of the " To:" field in the SIP Header. Moreover, the engineer could highlight that during the REGISTER phase of Asterisk to the SIP provider, the Fortigate was modifying the IP port of the " Contact" field in the SIP Header. The SIP Proxy server of the provider was correctly responding to this port, but the Fortigate just decided to drop the answer. This looked to be a bug, so the developpement team got involved. In the mean time the engineer noticed that Asterisk was modifying the source IP address of the SIP header. I explained him that I configured the following parameters on my Asterisk in order that it detect when there is NAT and update the source address with the correct Public IP instead of its own private IP (192.168.80.8). 
 localnet=192.168.80.0/24
 externhost=myname.dyndns.org
We tested then without those parameter, leaving the Fortigate handling by itself the whole NAT part. This solved the issue. It appears that letting Asterisk managing the NAT for the SIP source IP address cause the " Fortigate Version 4.0MR2 build 272" to behave strangely. For me it' s a bug. I' m still waiting the response from developpement team to know if they will consider it as a Bug and create an update to solve this issue or not. I hope my feedback will help future fans of Asterisk using a Fortigate unit as Firewall. As conclusion, if your Asterisk is behind NAT and your SIP provider or your phone are on the Internet side, just let your Fortigate unit handle the Whole NAT part including the SIP source address. [ul]
  • 0) Upgrade your Fortigate box at least to 4.0 MR2 Build 272.
  • 1) Do not use the " localnet=" and the " externhost=" parameter in the SIP.CONF Asterisk file.
  • 2) Create a VoIP profile in UTM > VoIP > Profile. UTM > VoIP > Profile 
    Name : VoIP_Pro
 SIP
 Limit REGISTER request : 100
 Limit INVITE request : 100
 Enable Logging : yes
 Enable Logging of Violations : No
 SCCP
 Limit Call Setup : 0
 Enable Logging : yes
  • 3) Create a VIP in Firewall > VIP pointing to your Asterisk IP address and UDP port 5060 If you don' t do this your Asterisk server will NEVER receive inbound call, as the Firewall would never know whom to forward the SIP " INVITE" messages coming on port 5060 of its wan interface. Firewall > VIP 
    Name : Asterisk SIP server UDP 5060
 External interface : Wan1
 Type : static NAT
 External IP address : 0.0.0.0 (this for a wan interface that get a dynamic IP address from your ISP)
 Mapped IP addres : 192.168.80.8 (This is your Asterisk NATed private IP address)
 Port fowarding : external service port UDP 5060 map to internal port UDP 5060
 (you could instead create a VIP with TCP port 5060 but it' s useless most of the time. This depends from your SIP provider in fact. Use Wireshark to check how is your SIP provider server behaving.)
  • 4) create two firewall policies (one from wan-to-internal interface, and another from internal-to-wan interface) and apply the VoIP profile : Inbound policy is needed to allow calls to the outside internet world. Outbound policy is needed to allow reception of calls from the outside internet world. Firewall > inbound Policy 
    Source interface : wan1
 Source address : all
 Destination interface : VLAN Voice
 Destination address : Asterisk SIP server UDP 5060
 Schedule : always
 Service : ANY
 Action : Accept
 NAT : Disabled
 UTM : enabled
 CONTROL " enable VoIP"  : enabled ; List = VoIP_Pro
    Firewall > outbound Policy 
    Source interface : VLAN Voice
 Source address : all
 Destination interface : wan1
 Destination address : all
 Schedule : always
 Service : SIP
 Action : Accept
 NAT : enabled
 UTM : enabled
 CONTROL " enable VoIP"  : enabled ; List = VoIP_Pro
    [/ul]Good luck with your Asterisk-Fortigate love story !
    • 1820
    0 Kudos
    lmuir
    New Contributor

    Created on ‎05-20-2010 04:34 PM

    Never had the problems you describe.. *shrug* Asterisk debug output is your friend.
    1820
    0 Kudos
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2024 Fortinet, Inc. All Rights Reserved.