
VOIP is only one way. Please help me on firewall rules especially NAT.

Hi Guys,

 

I have a working PBX system (Alcatel) inside my SG450.  Here is the connection.  

Static routing between SG450 and core switch.  VOIP is on 172.16.16.0/24 subnet.

SG450 >> Core Switch >> VOIP Server..

172.16.2.2/30 >> 172.16.2.1/30 >> 172.16.16.0/21 subnet for VOIP.

 

I have SSL VPN pool on SG450 which is 172.16.200.0/22.  VOIP server is 172.16.16.2

 

Now, I have working SSL VPNs on mobile phones.  Successfully registered it on the VOIP server.  When I call either from outside (remote SSL VPN user) calling in, or inside calling out (remote SSL VPN Users), I can hear the person inside the network, but they cannot hear me (SSL VPN user).

I was asked to enable NAT Traversal, but Sophos does not have it.

Can you tell me how should I fix this NAT problem?  Thanks.

 

Rgds,

Dan



  • First, let me see if I understand your environment:

    Your core switch (IP 172.16.2.1) handles all routing between networks.

    You have a static route on your UTM pointing traffic with destination 172.16.16.0/21 to 172.16.2.1

    You are NATing requests from your VPN SSL Pool to the 172.16.16.0/21 (SIP) network.

    Is that it?

    Regards,

    Giovani

     

  • Hi Giovani,

    The first two points are correct.   I'm not really a NAT guy so I don't know if I understand the third point.  I think there is no NAT between SSL VPN and inside local network... I tried SNAT and DNAT but I don't know if the variables are correct..  I don't know exactly what to put..

    Rgds,

    Dan

  • I'm thinking that the only way this communication would happen without masquerading packets from the SSL VPN is if your core switch also has a route pointing 172.16.200.0/22 (SSL VPN Pool) to 172.16.2.2 (UTM). Is that the case?

    Could you provide us with some screenshots of your firewall rules allowing SSL VPN -> SIP communication so we can get a feel of your setup? Also, do you see any blocked packets at the firewall log when doing a SIP call from an endpoint connected to the SSL VPN? If you do, sharing some of these logs would be nice. 

    Anyway, I don't think this is firewall related as you appear to be able to reach your SIP server without issues from the SSL VPN. I would bet rsenio's suggestion is most likely to be the answer to your issue. I have very little experience with VoIP, but his suggestion just makes sense to me.

    Regards,

    Giovani
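
The routing point in the reply above (replies to the SSL VPN pool only get back if the core switch has a route for 172.16.200.0/22, or if the UTM masquerades the VPN traffic), as an added example that is not part of the original thread. It models routing only, not firewall rules or SIP; the client address 172.16.200.10 is constructed, and the model assumes the core switch has no default route.

```python
import ipaddress

VOIP_SERVER = "172.16.16.2"    # from the thread
UTM_IP = "172.16.2.2"          # from the thread
VPN_CLIENT = "172.16.200.10"   # constructed address inside the SSL VPN pool

def build_tables(core_has_pool_route):
    """Simplified routing tables; 'local' means delivered on a connected network."""
    utm = {"172.16.2.0/30": "local", "172.16.200.0/22": "local",
           "172.16.16.0/21": "core"}
    # Assumption: the core switch has no default route in this model.
    core = {"172.16.2.0/30": "local", "172.16.16.0/21": "local"}
    if core_has_pool_route:
        core["172.16.200.0/22"] = "utm"
    return {"utm": utm, "core": core}

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table.items()]
    matches = [(net, hop) for net, hop in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from router `start` until delivery, a drop or a loop."""
    path, router = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[router], dst)
        if hop is None:
            return path, "no route"
        if hop == "local":
            return path, "delivered"
        router = hop
        path.append(router)
    return path, "loop"

def check(core_has_pool_route, masquerade):
    """Return (forward status, return status) for VPN client <-> VoIP server."""
    tables = build_tables(core_has_pool_route)
    forward = trace(tables, "utm", VOIP_SERVER)[1]
    # With masquerading the server sees the UTM's address as the source.
    reply_to = UTM_IP if masquerade else VPN_CLIENT
    return forward, trace(tables, "core", reply_to)[1]

if __name__ == "__main__":
    for route in (True, False):
        for masq in (True, False):
            print(f"pool route={route}, masquerade={masq}:", check(route, masq))
```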

  • You'll want to ensure the traffic is flowing properly without a firewall issue on the VPN for sure. But the PBX is going to need that entry in the sip config files. I've encountered this many times.

  • Hi Giovani,

     

    Yes the core switch has a working route to 172.16.200.0/22 to 172.16.2.2. 

     

    Here is a screen shot of my firewall rules.

     

     

    I'm still checking out with my voip guy regarding Rsenio's suggestion.  Thanks.

     

    Rgds,
    Dan

  • I will need to check with my voip guy.  Thanks rsenio.

     

    Rgds,

    Dan
