VOIP is only one way. Please help me on firewall rules especially NAT.

Hi Guys,

 

I have a working PBX system (Alcatel) inside my SG450.  Here is the connection.  

Static routing between SG450 and core switch.  VOIP is on 172.16.16.0/24 subnet.

SG450 >> Core Switch >> VOIP Server..

172.16.2.2/30 >> 172.16.2.1/30 >> 172.16.16.0/21 subnet for VOIP.

 

I have SSL VPN pool on SG450 which is 172.16.200.0/22.  VOIP server is 172.16.16.2

 

Now, I have working SSL VPNs on mobile phones.  Successfully registered them on the VOIP server.  When I call either from outside (remote SSL VPN user) calling in, or inside calling out (remote SSL VPN users), I can hear the person inside the network, but they cannot hear me (SSL VPN user).

I was asked to enable NAT Traversal, but Sophos does not have it.

Can you tell me how should I fix this NAT problem?  Thanks.

 

Rgds,

Dan



This thread was automatically locked due to age.
  • First, let me see if I understand your environment:

    Your core switch (IP 172.16.2.1) handles all routing between networks.

    You have a static route on your UTM pointing traffic with destination 172.16.16.0/21 to 172.16.2.1

    You are NATing requests from your VPN SSL Pool to the 172.16.16.0/21 (SIP) network.

    Is that it?

    Regards,

    Giovani

     

  • Hi Giovani,

    The first two points are correct.  I'm not really a NAT guy so I don't know if I understand the third point.  I think there is no NAT between SSL VPN and the inside local network... I tried SNAT and DNAT but I don't know if the variables are correct... I don't know exactly what to put...

    Rgds,

    Dan

    I'm thinking that the only way this communication would happen without masquerading packets from the SSL VPN is if your core switch also has a route pointing 172.16.200.0/22 (SSL VPN Pool) to 172.16.2.2 (UTM). Is that the case?

    Could you provide us with some screenshots of your firewall rules allowing SSL VPN -> SIP communication so we can get a feel of your setup? Also, do you see any blocked packets at the firewall log when doing a SIP call from an endpoint connected to the SSL VPN? If you do, sharing some of these logs would be nice. 

    Anyway, I don't think this is firewall related as you appear to be able to reach your SIP server without issues from the SSL VPN. I would bet rsenio's suggestion is most likely to be the answer to your issue. I have very little experience with VoIP, but his suggestion just makes sense to me.

    Regards,

    Giovani
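Giovani asks above whether the firewall log shows any blocked packets during a SIP call from an SSL VPN endpoint. The script below is an added example, not code from the thread or from Sophos: it scans packet-filter log lines for drops in either direction between the SSL VPN pool (172.16.200.0/22) and the VoIP subnet (172.16.16.0/21) named in the thread, and tallies them by direction and by whether the destination port is SIP (5060) or something else (typically an RTP port). The key="value" line layout is an assumption modelled on the UTM packet filter log, and the sample lines are constructed for the example, not taken from Dan's firewall.

```python
"""Find dropped packets between an SSL VPN pool and a VoIP subnet in
key="value" style packet filter log lines.

Assumptions (not from the thread): the log uses key="value" fields such as
action="drop", srcip=..., dstip=..., proto=..., dstport=..., fwrule=....
The sample lines below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

KV = re.compile(r'(\w+)="([^"]*)"')

VPN_POOL = ipaddress.ip_network("172.16.200.0/22")  # SSL VPN pool from the thread
VOIP_NET = ipaddress.ip_network("172.16.16.0/21")   # VoIP subnet from the thread

# Constructed sample log lines; values such as fwrule and interface names are invented.
SAMPLE_LOG = [
    '2019:03:01-10:00:01 utm ulogd[2041]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="tun0" '
    'srcip="172.16.200.5" dstip="172.16.16.2" proto="17" length="200" ttl="63" '
    'srcport="16384" dstport="10000"',
    '2019:03:01-10:00:01 utm ulogd[2041]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="tun0" '
    'srcip="172.16.200.5" dstip="172.16.16.2" proto="17" srcport="5060" dstport="5060"',
    '2019:03:01-10:00:02 utm ulogd[2041]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" '
    'srcip="172.16.16.2" dstip="172.16.200.5" proto="17" srcport="10000" dstport="16384"',
    '2019:03:01-10:00:03 utm ulogd[2041]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="10.0.0.9" dstip="8.8.8.8" proto="17" srcport="5353" dstport="53"',
]


def parse(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV.findall(line))


def direction(src, dst):
    """Classify a flow as VPN->VoIP, VoIP->VPN, or unrelated (None)."""
    if src in VPN_POOL and dst in VOIP_NET:
        return "vpn->voip"
    if src in VOIP_NET and dst in VPN_POOL:
        return "voip->vpn"
    return None


def voip_drops(lines):
    """Return drop records that involve the VPN pool and the VoIP subnet."""
    out = []
    for line in lines:
        f = parse(line)
        if f.get("action") != "drop":
            continue
        try:
            src = ipaddress.ip_address(f["srcip"])
            dst = ipaddress.ip_address(f["dstip"])
        except (KeyError, ValueError):
            continue  # malformed or address-less line; skip it
        d = direction(src, dst)
        if d is None:
            continue
        out.append({
            "direction": d, "src": str(src), "dst": str(dst),
            "proto": f.get("proto"), "dstport": int(f.get("dstport", 0)),
            "fwrule": f.get("fwrule"), "initf": f.get("initf"),
        })
    return out


def summarize(drops):
    """Count drops per direction, split into SIP signalling (5060) and other ports."""
    counts = Counter()
    for d in drops:
        kind = "sip" if d["dstport"] == 5060 else "rtp/other"
        counts[(d["direction"], kind)] += 1
    return counts


if __name__ == "__main__":
    for rec in voip_drops(SAMPLE_LOG):
        print(rec)
    print(summarize(voip_drops(SAMPLE_LOG)))
```

A signalling port that is accepted while the media ports are dropped is the pattern worth looking for: registration and call setup succeed, but audio in the dropped direction never arrives. If nothing is dropped in either direction, the UTM is not where the audio is being lost, which is the conclusion Giovani reaches later in the thread.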

  • You'll want to ensure the traffic is flowing properly without a firewall issue on the VPN for sure. But the PBX is going to need that entry in the sip config files. I've encountered this many times.
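The reason a PBX configuration entry can fix one-way audio even when routing and firewall rules are fine is that SIP carries the media address inside the SDP body of the signalling message, where NAT and routers never look. The script below is an added example, not code from the thread, from rsenio or from the Alcatel PBX: it extracts the advertised RTP address from two SDP bodies and checks whether each side can reach the other's media address given the thread's subnets. The failure case it models, a PBX that advertises a non-internal address because it does not treat the VPN pool as local, is an assumption consistent with the symptom described, not a statement of what Dan's PBX does; the SDP bodies and the address 203.0.113.10 are constructed.

```python
"""Model of one-way RTP audio caused by an unreachable SDP media address.

SIP signalling (INVITE / 200 OK) carries the RTP address and port in the
SDP "c=" and "m=audio" lines. Each side sends its audio to the address the
other side advertised. If that address is unreachable from the sender,
audio flows in one direction only. The reachability table below is an
assumption built from the subnets named in the thread.
"""
import ipaddress

# What each party can reach over the SSL VPN / core switch (assumption).
REACHABLE = {
    "vpn_client": [ipaddress.ip_network("172.16.16.0/21"),
                   ipaddress.ip_network("172.16.200.0/22")],
    "pbx": [ipaddress.ip_network("172.16.16.0/21"),
            ipaddress.ip_network("172.16.200.0/22"),
            ipaddress.ip_network("172.16.2.0/30")],
}


def media_endpoint(sdp):
    """Return (ip, port) of the audio stream advertised in an SDP body.

    A media-level c= line after m=audio overrides the session-level one,
    so the last c= seen wins.
    """
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = ipaddress.ip_address(line.split()[2])
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("no audio media description in SDP")
    return ip, port


def reachable(side, ip):
    """True if `side` has a route to `ip` in the model above."""
    return any(ip in net for net in REACHABLE[side])


def diagnose(offer_sdp, offerer, answer_sdp, answerer):
    """Check both RTP directions; True means audio can flow that way."""
    offer_ip, _ = media_endpoint(offer_sdp)
    answer_ip, _ = media_endpoint(answer_sdp)
    return {
        # the answerer sends RTP to the address in the offer
        f"{answerer}->{offerer}": reachable(answerer, offer_ip),
        # the offerer sends RTP to the address in the answer
        f"{offerer}->{answerer}": reachable(offerer, answer_ip),
    }


# Constructed SDP bodies. The VPN phone offers from its pool address.
OFFER_FROM_VPN = ("v=0\r\no=- 1 1 IN IP4 172.16.200.5\r\ns=-\r\n"
                  "c=IN IP4 172.16.200.5\r\nt=0 0\r\nm=audio 4000 RTP/AVP 0 8\r\n")
# PBX answer that advertises a non-internal address (hypothetical broken case).
ANSWER_EXTERNAL = ("v=0\r\no=pbx 2 2 IN IP4 172.16.16.2\r\ns=-\r\n"
                   "c=IN IP4 203.0.113.10\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n")
# PBX answer that advertises its internal address (expected after the fix).
ANSWER_INTERNAL = ("v=0\r\no=pbx 2 2 IN IP4 172.16.16.2\r\ns=-\r\n"
                   "c=IN IP4 172.16.16.2\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n")


if __name__ == "__main__":
    print("broken:", diagnose(OFFER_FROM_VPN, "vpn_client", ANSWER_EXTERNAL, "pbx"))
    print("fixed: ", diagnose(OFFER_FROM_VPN, "vpn_client", ANSWER_INTERNAL, "pbx"))
```

In the broken case the PBX still reaches the VPN phone (the caller hears the inside party), but the VPN phone sends its audio to an address it cannot reach, which is exactly the one-sided symptom in the first post. A packet capture of the SIP exchange on the VPN interface shows the c= line directly, so this check can be done on real traffic without any change to the PBX.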

  • Hi Giovani,

     

    Yes, the core switch has a working route for 172.16.200.0/22 to 172.16.2.2. 

     

    Here is a screen shot of my firewall rules.

     

     

    I'm still checking with my VoIP guy regarding Rsenio's suggestion.  Thanks.

     

    Rgds,
    Dan

  • I will need to check with my voip guy.  Thanks rsenio.

     

    Rgds,

    Dan

  • Well, then I think you got the firewall and routing part nailed down and the issue is most definitely not with UTM. Follow up with your VoIP guy as the solution is most likely what rsenio suggested.

    Regards - Giovani

  • Hi, Daniel, and welcome to the UTM Community!

    To see if Giovani's conclusion is your answer here, do #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA