topic Re: Port mapping for SIP services (3CX) in Spark Firewall (SMB)

Port mapping for SIP services (3CX)

apatrick88 — Tue, 17 Nov 2020 23:31:13 GMT

Hi All,

I'm new to this checkpoint firewall. I worked on juniper networks and the settings there are pretty different to checkpoint. I have a 3cx phone system which uses port 5060 (TCP and UDP inbound) , Port 5090 (inbound, UDP and TCP) for the 3CX tunnel and Port 9000-10999 (inbound, UDP) for RTP (Audio) communications and 5001 for inbound TCP.

Currently on the Checkpoint there are 4 subnets and the phone system is on one of them.

When I run a firewall checker from 3cx management console. The test results say that the port mapping from 5060 is incorrectly mapping to a different port. From my understanding here is that the source ports are not matching the destination ports. This happens for all the ports mentioned above.

So I'm taking it one issue at a time. Currently trying to troubleshoot one of the ports (Port 5060 TCP and UDP)

I'm having trouble create a NAT for the same.

- Disabled SIP Alg on all SIP services.

- Also on each of the sip services, I force the service to use the source port, which is the same (eg. on the SIP_UDP service, in the advanced tab, I checked the option to use the source port and entered the 5060)

Things I have tried on the NAT

1. Translate traffic from the phone system to any destination on SIP ports as if the traffic is from the external IP (ours) to the original destination on the original service

2. Translate traffic from any source to our external IP on SIP UDP Ports as if the traffic is from Original source to the Phone System on the original service

3. Translate traffic from any source to our external IP on SIP TCP Ports as if the traffic is from Original source to the Phone System on the original service

On the firewall policy:

Outgoing - Allow outgoing traffic from the phone system to the internet on SIP tcp and SIP udp (using the SIP service group)

Incoming - Allow incoming traffic on SIP services to our external IP

I'm following the documentation provided by 3cx- https://www.3cx.com/docs/manual/firewall-router-configuration/

Any help here would be appreciated.

Regards

Andrew P.

Re: Port mapping for SIP services (3CX)

PhoneBoy — Wed, 18 Nov 2020 00:39:51 GMT

You can't NAT SIP traffic without enabling deep inspection of SIP.

Based on the tags in this message, I'm assuming this is a 1550 appliance, which is one of our SMB appliances.
Is this managed via the WebUI or is policy being pushed via external management?

Re: Port mapping for SIP services (3CX)

apatrick88 — Wed, 18 Nov 2020 00:53:11 GMT

Hi Thanks for your prompt reply. The policy is managed using the webUI. As per 3cx, I disabled deep inspection of SIP..

Re: Port mapping for SIP services (3CX)

PhoneBoy — Wed, 18 Nov 2020 04:28:00 GMT

Did you disable SIP inspection per the following?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120555&partition=Advanced&product=Small

Re: Port mapping for SIP services (3CX)

apatrick88 — Fri, 20 Nov 2020 04:36:40 GMT

I have disabled Sip alg. that is the first thing we need to do. I configured the policy and the NAT. Now everything is working. Thanks for your help.

Basically I needed to allow inbound traffic from the SIP provider to the firewall and then create specific NAT rules and use bare ports and then force the nat rule to translate as per the original packet. After the the phone system's firewall passed a full cone test.

Thanks

Re: Port mapping for SIP services (3CX)

obaghishvili — Sun, 17 Jan 2021 22:13:39 GMT

Hi,

Could you pls share yr config. I got 3CX and 1450 Appliance and it literally turned me crazy. Probably general idea of yr settings would push me right way.

Thanks is advance

Re: Port mapping for SIP services (3CX)

Bavesh_MT — Thu, 04 Feb 2021 12:21:00 GMT

I have been trying everything on a VSX without success. 3CX works but Full Cone failed.

Can you please share a screenshot of your NAT config which is working

Re: Port mapping for SIP services (3CX)

KistersSolu — Thu, 01 Apr 2021 09:04:40 GMT

Hi,

has anybody a working configuration for the checkpoint and a 3cx PBX ?

Re: Port mapping for SIP services (3CX)

KistersSolu — Thu, 01 Apr 2021 09:12:44 GMT

Hi,

can anybody share a screenshot with a working NAT configuration for a 3cx PBX?

Re: Port mapping for SIP services (3CX)

_Val_ — Thu, 01 Apr 2021 10:44:44 GMT

Did you already look into sk95369?

Re: Port mapping for SIP services (3CX)

KistersSolu — Thu, 01 Apr 2021 10:46:36 GMT

These resolved my problem:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/3CX-Phone-System-behind-1450-Appliance/m-p/108280#M4708