Fortigate restrict traffic through one external IP
Posted by Tom O'Connor on Server Fault
Published on 2012-12-19T13:29:14Z
I've got a Fortigate 400A at a client's site. They've got a /26 from British Telecom, and we're using 4 of those IPs as a NAT Pool.
Is there a way to say that traffic from 172.18.4.40-45 can only ever come out of (and hence go back into) x.x.x.140 as the external IP?
We're having some problems with SIP which looks like it's coming out of one, and trying to go back into another.
I tried enabling asymmetric routing, didn't work.
I tried setting a VIP, but even when I did that, it didn't appear to do anything.
Any ideas? I can probably post some firewall snippets if need be. Tell me what you want to see.
SIP ALG
config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set sip-tcp-port 5061
    set sip-udp-port 5061
    set multicast-forward enable
end
Interesting Sidenote
VoIP phones, with no special configuration, can register fine to proxy.sipgate.co.uk, which has an IP address of 217.10.79.16. Which is cool.
Two phones are using a different provider, whose proxy IP address is 178.255.x.x.
These phones can register for outbound, but inbound INVITEs never make it to the phone.
Is it possible that the Fortigate is having trouble with 178.255.x.x as it's got a 255 in it? Or am I just imagining things?
© Server Fault or respective owner