
I've got a fortigate 400A at a client's site. They've got a /26 from British Telecom, and we're using 4 of those IPs as a NAT Pool.

Is there a way to say that traffic from 172.18.4.40-45 can only ever come out of (and hence go back into) x.x.x.140 as the external IP?

We're having some problems with SIP which looks like it's coming out of one, and trying to go back into another.

I tried enabling asymmetric routing, didn't work.

I tried setting a VIP, but even when I did that, it didn't appear to do anything.

Any ideas? I can probably post some firewall snippets if need be. Tell me what you want to see.

SIP ALG

config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set sip-tcp-port 5061
    set sip-udp-port 5061
    set multicast-forward enable
end

Interesting Sidenote

VoIP phones, with no special configuration, can register fine to proxy.sipgate.co.uk, which has an IP address of 217.10.79.16. Which is cool.

Two phones are using a different provider, whose proxy IP address is 178.255.x.x.
These phones can register for outbound, but inbound INVITEs never make it to the phone.

Is it possible that the Fortigate is having trouble with 178.255.x.x as it's got a 255 in it? Or am I just imagining things?

Tom O'Connor
  • Most firewalls have a SIP ALG to make sure that packets get re-written and this isn't an issue. Do you really need to pool? How many users are behind this thing? – SpacemanSpiff Dec 19 '12 at 14:12
  • There's about 200 users (or 400 devices) behind the whole thing. – Tom O'Connor Dec 19 '12 at 14:16
  • The plot thickens in that this configuration with the ALG disabled works for one SIP provider, namely sipgate.co.uk, and not for the other one. I'm almost prepared to tell everyone to switch to sipgate! – Tom O'Connor Dec 19 '12 at 15:12

1 Answer


I would first try enabling the ALGs in the configuration snippet above. It should be compatible with source NAT pooling.

If that doesn't work so well, create a superseding source NAT rule that matches on a group that includes either the subnet or direct address objects of the telephones. Let these devices source NAT off a single IP address.

Either way, I'm pretty sure you'll need to enable the ALG if multiple devices are behind the NAT or NAT pool.

SpacemanSpiff
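The following FortiOS CLI fragment is an added illustration of what the answer suggests; it is not part of the original question or answer and was not posted by either author. It assumes FortiOS 4.x-style syntax, interface names "internal" and "wan1", that the existing general policy using the four-address pool has policy id 5, and uses 203.0.113.140 (a documentation-range address) as a stand-in for the real x.x.x.140. Address, pool and policy names are made up for the example; check the exact keywords against the CLI reference for the firmware actually running on the 400A.

```fortios
# Added example (not from the original post). Assumptions: FortiOS 4.x CLI
# syntax, interfaces "internal"/"wan1", existing general NAT-pool policy id 5,
# and 203.0.113.140 standing in for the real x.x.x.140.

# 1. Re-enable the SIP session helper (ALG) that the question's snippet disables,
#    so Via/Contact/SDP addresses in the phones' registrations get rewritten.
config system settings
    set sip-helper enable
end

# 2. One address object covering the phone range 172.18.4.40-45.
config firewall address
    edit "sip-phones"
        set type iprange
        set start-ip 172.18.4.40
        set end-ip 172.18.4.45
    next
end

# 3. A single-address pool: every flow from the phones is translated to .140
#    and nothing else, so inbound INVITEs from the provider always target the
#    same public address the REGISTER went out from.
config firewall ippool
    edit "sip-phones-snat"
        set startip 203.0.113.140
        set endip 203.0.113.140
    next
end

# 4. A dedicated outbound policy for the phones using that pool. Policies match
#    top-down, so it must be moved ABOVE the general policy (id 5 here) that
#    uses the four-address pool, or it will never be hit.
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "sip-phones"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "sip-phones-snat"
    next
    move 100 before 5
end
```

To confirm the new policy is the one being matched, set a session filter for one of the phones (diagnose sys session filter src 172.18.4.40) and list the sessions (diagnose sys session list): the translated source on every phone session should now be the single pool address and the policy id should be 100, not 5.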