Booting a Cisco VoIP phone behind a Fortigate firewall

I have a Cisco VoIP phone that I use remotely and to do that, it of course needs to be able to boot up and interact with its mother Call Manager, I mean Cisco Unified Communications Manager, server.  On a Cisco router this is easy; add a dhcp server and hand out option 150 ip-address x.x.x.x as part of the DHCP scope.  With a Fortigate device, not so easy I learned.

For whatever reason, you cannot set DHCP options within the web interface, it requires the command line.  Not a huge deal, their command line isn’t horrible, but it is tiresome if you’re trying to find something specific.  Anyway, where it gets stupid is that Fortinet wants you to plug DHCP option parameters in using hexadecimal encoding of the parameter value.  Huh?!

I’ll save you from the long story of figuring out just what I had to put in to make everyone happy, but the end result is that you do NOT turn your IP address string into a hexadecimal string like you might be thinking, and like you’d do for any other string you want passed as a DHCP parameter to an option.  You need to turn your IP address into hexadecimal numerically.  Why?  Because that’s what IP (IPv4 of course) addresses are to begin with, just a single 32-bit number.   You don’t want the periods as part of your string.  For example, as a string, in hex, is 3139322e302e322e313030.  I tried setting that on my Fortigate and the phone tried talking to a server in Thailand because it started converting just enough characters to make a 32-bit number into its first TFTP server.

If you turn into decimal, then to hex, your value is C0000264.  An easy converter I found to do this is:

Thus, the correct setup on the Fortigate is:

config system dhcp server
    edit 1
        set default-gateway
        set interface "lan4"
            config ip-range
                edit 1
                    set end-ip
                    set start-ip
        set netmask
        set option1 150 'C0000264'
        set dns-server1

You will of course need to change the “edit 1” to the correct number for the DHCP server instance you want to add the option to, and all the addresses, etc as necessary.  With this change, and my Fortigate already configured for VPN to my Cisco Communications Manager install, my phone is able to boot up and load its image from wherever I am.

2 Replies to “Booting a Cisco VoIP phone behind a Fortigate firewall”

    • Your Mom Post author

      Nothing special, just static routes in the relevant places. What I did most recently was carved out a large address space which all remote networks were contained within, and then every remote phone got a chunk of space within that supernet. Then, only one route was needed in each corporate location pointing that remote VoIP traffic to a specific firewall, and that firewall had static routes for all the remote users. This would get a lot more complicated if different firewalls were handling the VPN duties for different remote users.


Leave a Reply

Your email address will not be published. Required fields are marked *