[asterisk-users] NAT issue with Fortinet Firewall
I have a customer with a Fortinet Firewall that is having stability issues with Asterisk and SIP endpoints (PAP2T) outside his network. The first issue I see is that Asterisk sees all phones as the IP address of the Fortinet. Since the parameter localnet defines the local network and that address falls in that range, how will Asterisk treat the endpoints?

I have nat=yes for all phones and canreinvite=no as well. The externip parameter is set to the outside public IP address. Still we have calls with one way audio.

This is the first setup with a firewall that rewrites the IP address of the endpoint so I do not know how that is affecting the packet flow. On my other servers I can always see the public IP of the endpoint.

--
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez Prats
Director de Tecnología
+52-55-91169161 ext 2001

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
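The localnet question in the message above comes down to how chan_sip picks the address it advertises: externip is substituted only when the peer's address lies outside every localnet range, so a remote phone that arrives with the firewall's inside address is treated as local. The Python below is an added example, not part of the original messages or of Asterisk; the sample configuration, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sip.conf [general] excerpt; all addresses are placeholders.
SIP_CONF = """\
[general]
externip = 203.0.113.10      ; public address (documentation range)
localnet = 192.168.1.0/255.255.255.0
localnet = 10.0.0.0/8
"""

def parse_general(text):
    """Return (externip, [localnet networks]) from sip.conf-style text."""
    externip, localnets = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "externip":
            externip = ipaddress.ip_address(value)
        elif key == "localnet":
            # ip_network accepts both the /prefix and the /netmask form
            localnets.append(ipaddress.ip_network(value, strict=False))
    return externip, localnets

def advertised_address(peer_ip, bind_ip, externip, localnets):
    """Address offered to peer_ip: externip only if the peer is outside localnet."""
    peer = ipaddress.ip_address(peer_ip)
    if externip is not None and not any(peer in net for net in localnets):
        return externip
    return ipaddress.ip_address(bind_ip)

def audit(peers, bind_ip, conf_text=SIP_CONF):
    """Map each peer name to (seen_ip, advertised_ip, treated_as_local)."""
    externip, localnets = parse_general(conf_text)
    report = {}
    for name, seen_ip in peers.items():
        adv = advertised_address(seen_ip, bind_ip, externip, localnets)
        report[name] = (seen_ip, str(adv), adv != externip)
    return report

if __name__ == "__main__":
    # Constructed peers: one seen with the firewall's inside address, one with a public address
    peers = {"pap2t-via-fw": "192.168.1.1", "pap2t-direct": "198.51.100.25"}
    for name, row in audit(peers, bind_ip="192.168.1.20").items():
        print(name, row)
```

A remote peer reported as treated_as_local is offered the server's private address in SIP and SDP, which only works if the firewall rewrites those fields on the way out.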
Re: [asterisk-users] NAT issue with Fortinet Firewall
Fortinets have a SIP session-helper. Sometimes this causes issues; try turning it off. To do this you need to enable telnet on the Fortinet management interface. Telnet into the CLI and type the following:

    config system session-helper
    edit 12
    set port 5066
    end

Instead of turning this off or taking it out I am changing the port so it will not affect 5060 anymore. This way you can put it back if this doesn't work for you.

John Bittner
Simlab.net
Re: [asterisk-users] NAT issue with Fortinet Firewall
FYI, I have probably 10 Fortinet units with multiple SIP phones behind each and all of the phones work flawlessly. As long as the Fortinet is ver 3.0 or newer, it does NAT so that you don't need to have nat=yes on *. No pinholes or static NAT or anything, it just works.

As a side note, I probably have 20+ Cisco PIXes with the same setup and they work flawlessly too. I've seen a lot of people saying fixup sip breaks phones, but not that I have seen. I just let the PIX do NAT and it works fine.