mklippel
asked on
Connecting SIP phone to an NEC SV8100 behind a firewall
We have a new NEC SV8100 that is behind our corporate firewall that I am having trouble connecting to using an IP phone. The corporate firewall is a Fortigate 200A with virtual IPs mapping the ports needed to the SV8100. NATP is enabled on the SV8100. When testing this configuration I can successfully connect an IP phone from the outside to the phone system. I’ve also tested the configuration with the IP phone behind a Netgear FVG318 firewall with success. I am having trouble connecting the IP phone to our SV8100 when the phone is behind a Fortigate 60 firewall. Here’s the config:
Phone system – NEC SV8100 running 3.12a code
Corporate firewall – Fortigate 200A running 4.0 build 185 (MR1 Patch1)
Virtual IP mappings: (note: VOIP 1-3 are all using the same public IP address)
VOIP1 -> 192.168.X.40 udp 5080-5081
VOIP2 -> 192.168.X.41 udp 10020-10051
VOIP3 -> 192.168.X.42 udp 10052-10083
Inbound rule from wan2 to internal1
From any to VOIP-Group all ports
Remote Office firewall – Fortigate 60 running 3.00 build 753 (MR7 Patch 9).
SIP helper has been disabled
SIP nat-trace has been disabled
SIP session helper #12 has been deleted
A protection profile for VOIP has been created and added to the outbound rule on the FG60.
When the phone is plugged in, it attempts to connect to the SV8100 and eventually errors out with a “Cannot contact SIP server” message.
5080 and 5081 . . . not 5060 and 5061?
Steve
ASKER
OOPS! Typo on my part. The ports I have open are udp 5080 and 5081.
ASKER
I'll double check the ports.
ASKER
It turns out that NEC uses 5080 and 5081 instead of 5060 and 5061. They probably do this to get around firewalls that mess with SIP traffic, would be my guess. I've reset everything to use 5080 and still nothing. I'll keep trying.
ASKER
I ended up building a VPN tunnel between the devices and routed the phone traffic over the VPN tunnel. Fortigate is still looking into the problem but SteveJ was the only person to help out so SteveJ gets the points.
I'm not sure what the points mean and wanted to know if Fortinet ever got this problem solved?
I am working the same issue. I have a case open with Fortinet.
I will update this if/when I get it resolved.