Firewall blocks NAT traffic for specific source address



  • Dear community members,

    I wanted to configure an additional SIP Trunk for inbound traffic yesterday but all traffic from this specific host gets dropped on the firewall despite matching the firewall rule… I looked in the forums and reconfigured yesterday evening and don't see the problem.

    Here is the configuration of the NAT:

    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description | Actions |
    |---|---|---|---|---|---|---|---|---|---|
    | WAN | TCP/UDP | SIP Trunks | * | WAN address | 5060 (SIP) | 192.168.1.15 | 5060 (SIP) | Base RTP | |

    The IP address was added to the "SIP Trunks" network alias group. The other SIP trunk in this alias group works perfectly fine and gets the traffic NATed to 192.168.1.15. For the new SIP trunk, traffic is dropped by the "Default deny rule IPv4".

    Here are the connected firewall rules:

    | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|
    | IPv4 TCP/UDP | SIP Trunks | * | 192.168.1.15 | 5060 (SIP) | * | none | | NAT Base RTP Sipgate |

    Here is a (redacted) packet log:

    16:42:32.177741 AF IPv4 (2), length 234: (tos 0x68, ttl 58, id 15059, offset 1480, flags [none], proto UDP (17), length 230)
        NEW_SIP_TRUNK > WAN_IP: ip-proto-17
    16:42:32.178163 AF IPv4 (2), length 1496: (tos 0x68, ttl 58, id 15059, offset 0, flags [ +], proto UDP (17), length 1492)
        NEW_SIP_TRUNK.5060 > WAN_IP.5060: SIP, length: 1464
    INVITE sip:NUMBER@WAN_IP:5060;transport=udp SIP/2.0
    Via: SIP/2.0/UDP NEW_SIP_TRUNK:5060;branch=z9hG4bK125d.95cdbc209d9fffeffb7e52b079fec56a.0;i=be0152
    Contact: <sip:number@new_sip_trunk:5060;transport=udp>
    To: <sip:number@wan_ip:5060;transport=udp>

    Your help is very much appreciated!

    Have a great day and all the best,
    moritz
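The capture in the post shows two packets with the same IP id (15059), one at offset 0 with the more-fragments flag set and one at offset 1480. The following Python is an added example, not part of the original post: it parses tcpdump-style verbose header lines, groups fragments by IP id, marks which fragment carries the UDP ports, and lists byte ranges that no captured fragment covers. It assumes a 20-byte IP header (no options) and groups by IP id only; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the two IP header lines from the capture in the post, placeholders kept.
SAMPLE = """\
16:42:32.177741 AF IPv4 (2), length 234: (tos 0x68, ttl 58, id 15059, offset 1480, flags [none], proto UDP (17), length 230)
    NEW_SIP_TRUNK > WAN_IP: ip-proto-17
16:42:32.178163 AF IPv4 (2), length 1496: (tos 0x68, ttl 58, id 15059, offset 0, flags [ +], proto UDP (17), length 1492)
    NEW_SIP_TRUNK.5060 > WAN_IP.5060: SIP, length: 1464
"""

HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto (\w+) \(\d+\), length (\d+)")
IP_HEADER_LEN = 20  # assumption: no IP options; the capture does not print the header length


def fragments(text):
    """Group fragmented packets by IP id, each group sorted by fragment offset."""
    groups = defaultdict(list)
    for m in HDR.finditer(text):
        ip_id, off, flags, proto, length = m.groups()
        off, more = int(off), "+" in flags
        if off == 0 and not more:
            continue  # complete datagram, not a fragment
        groups[int(ip_id)].append({
            "offset": off,
            "more_fragments": more,
            "payload_len": int(length) - IP_HEADER_LEN,
            # Only the fragment at offset 0 contains the UDP header, so only it has ports.
            "has_ports": off == 0,
        })
    for frags in groups.values():
        frags.sort(key=lambda f: f["offset"])
    return dict(groups)


def gaps(frags):
    """Return (start, end) byte ranges of the datagram that no captured fragment covers."""
    missing, expected = [], 0
    for f in frags:
        if f["offset"] > expected:
            missing.append((expected, f["offset"]))
        expected = max(expected, f["offset"] + f["payload_len"])
    return missing


if __name__ == "__main__":
    for ip_id, frags in fragments(SAMPLE).items():
        for f in frags:
            print(ip_id, f)
        print("uncovered byte ranges:", gaps(frags))
```
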

