tk34
New Contributor

beating my head against a wall.

I've been reading through documentation to figure out where I've gone wrong since yesterday morning. My eyes hurt. Fortigate 100D 2 with 5.0 OS. Two WAN connections.

What I needed: two subnets, one for PCs and servers, the other for our new VoIP system. Offsite phones allowed to come through WAN2 to the phone system. SIP providers coming through WAN2.

What I did: I set physical port 16 up as an interface with its IP 192.168.0.1, and I grouped all other physical ports to 192.168.1.1.
192.168.1.1 is PC/Servers = lan
192.168.0.1 is the phone system = phnsys

Policy:
- lan > phnsys: allow all traffic, always, NAT OFF
- phnsys > lan: allow all traffic, always, NAT OFF
- Wan2 > phnsys: allow SIP, RTP, branch office to VIP Group, NAT ON
- phnsys > Wan2: allow all traffic, always, NAT ON
- lan > Wan2: allow all traffic, always, NAT ON

Policy Route:
- 192.168.1.1 > 192.168.0.1, GW 0.0.0.0
- 192.168.0.1 > 192.168.1.1, GW 0.0.0.0
- Any Port 80 > Wan2, GW Public IP of Wan2
- Anything else > Wan1, GW Public IP of Wan1

Virtual IPs for SIP, RTP, branch office ports, then grouped into a VIP Group. The Virtual IP was not the WAN2 public IP; it was another IP provided by the WAN2 ISP, but in the same subnet.

The issue: SIP connections from WAN2 > phnsys had many problems. Playing with the options within this configuration would eventually get it to connect again. However, routing softphones via SIP from lan > phnsys wouldn't work even though I was allowing all traffic between the two. Phones on the phnsys switch worked fine. It seemed only one SIP provider could connect in at a time. We have two SIP providers and only the failover provider could get past the firewall.

I have actually deleted all policies, VIPs, policy routes, etc. from the firewall to start over. With Fortinet, is it better to use VLANs or dedicate a port to a subnet? Either way, Fortinet seems to interfere with SIP, and disabling the policy helper didn't fix anything. Any suggestions? I'm bumfuzzled... next stop is a support call.

Fortigate 100D 5.6

emnoc
Esteemed Contributor III

First step in these cases is the execution of either UDP/TCP traceroutes that mimic the PBR(s) you have. Second step is the best tool on the Fortigate: diag debug flow. This will give you many clues on traffic matching or not matching the suspect policy(s), and the route table, including PBR. I would try those two first, and a simple topology map of what you want the network to look like. Reading your summary is confusing as to what you're doing, and the understanding of two SIP providers is beyond me.

Oh, I forgot:
Wan2 > phnsys allow SIP, RTP, branch office to VIP Group NAT ON
I suspect nat-enable on a VIP is not required for DNAT.


rwpatterson
Valued Contributor III

beating my head against a wall.
From the subject, I thought you may be working where I am...


ede_pfau
Esteemed Contributor III

I suspect nat-enable on a VIP is not required for DNAT.
The NAT enable box activates source address translation. You can use it in addition to DNAT (via VIP) or independently but it is not required for DNAT.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
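The distinction Ede draws above (the NAT checkbox is source NAT, the VIP is destination NAT, and the OP later found the forwarding log reporting "double NAT" when both were on) is easier to see in CLI form. The following is an added FortiOS 5.x CLI example, not configuration from the thread; the VIP name, the public address 203.0.113.20, the PBX address 192.168.0.10 and the interface names wan2/phnsys are all assumptions chosen to match the OP's description. The first policy is the shape the OP started with; the second is the same rule with source NAT left off so that the PBX sees the real source address of the SIP provider.

```fortios
# Destination NAT object: public IP from the WAN2 ISP block, forwarded to the PBX.
# (Assumed addresses; one VIP per forwarded port/protocol, later grouped.)
config firewall vip
    edit "pbx-sip-udp5060"
        set extip 203.0.113.20
        set extintf "wan2"
        set portforward enable
        set protocol udp
        set extport 5060
        set mappedip 192.168.0.10
        set mappedport 5060
    next
end

# Policy as originally described: VIP as destination AND "set nat enable".
# The VIP already rewrites the destination; "nat enable" additionally rewrites
# the source to the phnsys interface address, which is the "double NAT" the
# forwarding log reported. Keep this only if the PBX must see the firewall as caller.
config firewall policy
    edit 10
        set srcintf "wan2"
        set dstintf "phnsys"
        set srcaddr "all"
        set dstaddr "pbx-sip-udp5060"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

# Same rule with source NAT off: DNAT via the VIP still happens, and the PBX
# now sees the SIP provider's real address in the IP header, which is what a
# PBX expects when it matches SIP trunks by source IP.
config firewall policy
    edit 10
        set srcintf "wan2"
        set dstintf "phnsys"
        set srcaddr "all"
        set dstaddr "pbx-sip-udp5060"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat disable
    next
end
```

A quick check after applying the change is to look at an active session for the VIP with `diagnose sys session list` and confirm that only the destination tuple is rewritten; if the source address shown is the firewall's own interface address, source NAT is still on somewhere in the path.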
tk34
New Contributor

Thanks for all the replies. I realized after looking at the forwarding log that it said I was double NAT, which would make sense if you set up a static NAT via port forwarding and enable NAT via the policy. So now, after re-setting everything up, 1 of 3 SIP providers is connecting correctly. The other two are still blaming the firewall... which is hard for me to argue, since it was my original config causing the issue previously. But now I can register a SIP phone from an outside network and place calls. Oddly, all three providers show connected via the phone system interface, but only one can be used to make calls. The other two say the 100D is interfering... multivendor troubleshooting... Is there anything that needs to be done special for SIP on a Fortigate? I'm allowing all sources to my VIP group for the phone system (SIP, RTP, etc.).
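Two things a practitioner would check at this point, given the OP's question about "anything special for SIP" and emnoc's pointer to diag debug flow: whether the FortiGate's SIP ALG is still rewriting SIP headers (the OP only mentions disabling the session helper, and FortiOS 5.x has both a kernel session helper and a proxy-based SIP ALG), and what the flow trace says about the SIP provider packets that never produce a working call. The following is an added example of the CLI sequence, not from the thread. The session-helper entry number (13) is the usual default but must be confirmed with `show`; the PBX address 192.168.0.10 is an assumption; and the `diagnose debug flow` sub-commands are the FortiOS 5.0/5.2 form, which changed slightly in later releases (the OP's signature says 5.6 while the post says 5.0).

```fortios
# 1. Find and remove the kernel SIP session helper. The entry id below is an
#    assumption; run the "show" first and delete whichever entry has "set name sip".
config system session-helper
    show
    delete 13
end

# 2. Disable the proxy-based SIP ALG as well. In FortiOS 5.x this is a system
#    setting; both must be off or SIP headers can still be rewritten on the way
#    to the PBX. A reboot is normally required for these to take full effect.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# 3. Trace exactly what happens to one provider's SIP traffic. Filter on the
#    PBX address (assumed) and the SIP port so the output stays readable; the
#    trace prints the policy id matched, the route used, and any NAT applied.
diagnose debug reset
diagnose debug flow filter addr 192.168.0.10
diagnose debug flow filter port 5060
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 100

# ... place a test call from the provider that fails, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable
```

In the trace output, the lines worth comparing between the working provider and the failing ones are the "find a route" line (which interface and gateway was chosen, i.e. whether a policy route sent the reply out the wrong WAN) and the "Allowed by Policy" / "DNAT" / "SNAT" lines, which show the policy id and every address rewrite applied. If the reply to a provider's INVITE is being routed out WAN1 while the VIP lives on WAN2, the policy route for "anything else > Wan1" in the original configuration is the first thing to revisit.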