Connecting SIP phone to an NEC SV8100 behind a firewall

We have a new NEC SV8100 that is behind our corporate firewall that I have having trouble connecting to using an IP phone. The corporate firewall is a Fortigate 200A with virtual IPs mapping the ports needed to the SV8100. NATP is enabled on the SV8100. When testing this configuration I can successfully connect an IP phone from the outside to the phone system. I’ve also tested the configuration with the IP phone behind a Netgear FVG318 firewall with success. I am having trouble connecting the IP phone to our SV8100 when the phone is behind a Fortigate 60 firewall. Here’s the config:

Phone system – NEC SV8100 running 3.12a code

Corporate firewall – Fortigate 200A running 4.0 build 185 (MR1 Patch1)

Virtual IPs mappings: (note: VOIP 1-3 are all using the same public IP address)
      VOIP1 -> 192.168.X.40 udp 5080-5081
      VOIP2 -> 192.168.X.41 udp 10020-10051
      VOIP3 -> 192.168.X.42 udp 10052-10083
Inbound rule from wan2 to internal1
      From any to VOIP-Group all ports

Remote Office firewall – Fortigate 60 running 3.00 build 753 (MR7 Patch 9).
SIP helper has been disabled
SIP nat-trace has been disabled
SIP session helper #12 has been deleted

A protection profile for VOIP has been created and added to the outbound rule on the FG60.
When the phone is plugged in it attempts to connect to the SV8100 and eventually errors out with “Cannot contact SIP server” message.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mklippelAuthor Commented:
Thanks. We'll see if this helps.
Steve JenningsSr Manager Cloud Networking OpsCommented:
5080 and 5081 . . . not 5060 and 5061?

mklippelAuthor Commented:
OOPS@ Typo on my part. The ports I have open are udp 5080 and 5081.
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

mklippelAuthor Commented:
I'll double check the ports.
Steve JenningsSr Manager Cloud Networking OpsCommented:
With luck, that will fix it!!

Good luck,

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mklippelAuthor Commented:
It turns out that NEC uses 5080 and 5081 instead of 5060 and 5061. They probably do this to get around firewalls that mess with SIP traffic would be my guess. I've reset everything to use 5080 and still nothing. I'll keep trying.
mklippelAuthor Commented:
I ended up building a VPN tunnel between the devices and routed the phone traffic over the VPN tunnel. Fortigate is still looking into the problem but SteveJ was the only person to help out so SteveJ gets the points.
I'm not sure what the points mean and wanted to know if Fortinet ever got this problem solved?
I am working the same issue. I have a case open with fortinet.
I will update this if/when I get it resolved
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IP Telephony

From novice to tech pro — start learning today.