Firewall – Fortigate restrict traffic through one external IP

Tags: firewall, fortigate, routing, sip

I've got a FortiGate 400A at a client's site. They've got a /26 from British Telecom, and we're using 4 of those IPs as a NAT pool.

Is there a way to say that traffic from 172.18.4.40-45 can only ever come out of (and hence go back into) x.x.x.140 as the external IP?

We're having some problems with SIP which looks like it's coming out of one, and trying to go back into another.

I tried enabling asymmetric routing, didn't work.

I tried setting a VIP, but even when I did that, it didn't appear to do anything.

Any ideas? I can probably post some firewall snippets if need be. Tell me what you want to see.

SIP ALG

config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set sip-tcp-port 5061
    set sip-udp-port 5061
    set multicast-forward enable
end

Interesting Sidenote

VoIP phones, with no special configuration, can register fine to proxy.sipgate.co.uk, which has an IP address of 217.10.79.16. Which is cool.

Two phones are using a different provider, whose proxy IP address is 178.255.x.x.
These phones can register for outbound, but inbound INVITEs never make it to the phone.

Is it possible that the Fortigate is having trouble with 178.255.x.x as it's got a 255 in it? Or am I just imagining things?

Best Answer

I would first try enabling the ALGs in the configuration snippet above. It should be compatible with source NAT pooling.

If that doesn't work so well, create a superseding source NAT rule that matches on a group that includes either the subnet or direct address objects of the telephones. Let these devices source NAT off a single IP address.

Either way, I'm pretty sure you'll need to enable the ALG if multiple devices are behind the NAT or NAT pool.
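As an added illustration of the answer's second suggestion (a superseding source NAT rule that pins the phones to one public address), here is a FortiOS CLI configuration written for this thread; it is not the answerer's configuration or anything from the asker's firewall. It assumes interface names "internal" and "wan1", policy ID 10 as the new rule and policy ID 1 as the existing NAT-pool rule, and uses 203.0.113.140 (a documentation address) as a stand-in for the page's x.x.x.140. The service name "ANY" is the FortiOS 4.x spelling used on a 400A; later releases call it "ALL".

```fortios
# Constructed example for this thread (not the asker's or answerer's config).
# Assumptions: interfaces "internal" / "wan1", policy IDs 10 and 1,
# 203.0.113.140 stands in for the page's x.x.x.140.

# Step 1 (answer's first suggestion): turn the SIP helper/ALG back on so the
# firewall tracks SIP sessions and rewrites Contact/Via behind NAT.
config system settings
    set sip-helper enable
end

# Step 2: one address object covering the phones 172.18.4.40-45,
# wrapped in a group so more phones can be added later without touching the policy.
config firewall address
    edit "sip-phones-range"
        set type iprange
        set start-ip 172.18.4.40
        set end-ip 172.18.4.45
    next
end

config firewall addrgrp
    edit "sip-phones"
        set member "sip-phones-range"
    next
end

# Step 3: an IP pool containing exactly one public address, so every phone
# always sources from (and is reached via) the same external IP.
config firewall ippool
    edit "sip-snat-140"
        set startip 203.0.113.140
        set endip 203.0.113.140
    next
end

# Step 4: the superseding policy, using the single-address pool,
# moved above the general NAT-pool policy (assumed to be ID 1) so it wins.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "sip-phones"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "sip-snat-140"
    next
    move 10 before 1
end
```

Policy order is the part most easily missed: FortiGate evaluates policies top-down and stops at the first match, so if the phone-specific rule sits below the existing NAT-pool rule it never fires. After applying, check with `diagnose sys session list` (filter on a phone's address) that the session's NAT address is the pinned IP rather than another pool member.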
