Fortigate restrict traffic through one external IP

Posted by Tom O'Connor on Server Fault See other posts from Server Fault or by Tom O'Connor
Published on 2012-12-19T13:29:14Z Indexed on 2012/12/20 11:04 UTC
Read the original article Hit count: 242

Filed under:
|
|
|

I've got a fortigate 400A at a client's site. They've got a /26 from British Telecom, and we're using 4 of those IPs as a NAT Pool.

Is there a way to say that traffic from 172.18.4.40-45 can only ever come out of (and hence go back into) x.x.x.140 as the external IP?

We're having some problems with SIP which looks like it's coming out of one, and trying to go back into another.

I tried enabling asymmetric routing, didn't work.

I tried setting a VIP, but even when I did that, it didn't appear to do anything.

Any ideas? I can probably post some firewall snippets if need be.. Tell me what you want to see.

SIP ALG

config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set sip-tcp-port 5061
    set sip-udp-port 5061
    set multicast-forward enable
end

Interesting Sidenote

VoIP phones, with no special configuration can register fine to proxy.sipgate.co.uk, which has an IP address of 217.10.79.16. Which is cool.

Two phones are using a different provider, whose proxy IP address is 178.255.x.x.
These phones can register for outbound, but inbound INVITEs never make it to the phone.

Is it possible that the Fortigate is having trouble with 178.255.x.x as it's got a 255 in it? Or am I just imagining things?

© Server Fault or respective owner

Related posts about firewall

Related posts about routing