obaghishvili
Participant

3CX Phone System behind 1450 Appliance

Hello

Has anybody ever made 3CX Phone System work behind a 1450 Appliance?

I tried probably a billion options found here or over the internet, but the 3CX firewall checker fails every time.

Ports used by 3CX:

SIP: TCP 5060-5061, UDP 5060

Tunnel: TCP 5090-5091, UDP 5090

RTP/WebRTC: UDP 9000-10999

WebUI: TCP 5000-5001

Server VoIP3CX and services are added and set to manual access policy.

Outbound Policy: Traffic from Voip3CX (server) to the internet of any application is accepted

Inbound Policy: Traffic from any source to This Gateway on Voip3CX (services) is accepted

Manual NAT: Translate traffic from any source to this gateway on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service

Everything I could get configured is 5000-5001 (to reach the web interface from outside).

Other things do not work.

Phone System firewall checker says (briefly):

    • bla bla
    • detecting SIP ALG... not detected
    • testing port 5060... Mapping does not match 5060. Mapping is 20112.
    • testing port 5090... Mapping does not match 5090. Mapping is 20116.
    • testing ports [9000..9398]... failed
      • testing port 9000... Mapping does not match 9000. Mapping is 20119.
      • testing port 9002... Mapping does not match 9002. Mapping is 20120.
      • testing port 9004... Mapping does not match 9004. Mapping is 20121.
      • testing port 9006... Mapping does not match 9006. Mapping is 20122.

and so on, down to port 10999.

I'm advanced with 3CX but pretty new to Check Point, so any suggestion would be appreciated.

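The checker output quoted in the post is the main evidence in this thread, so here is an added example (not part of the original post or of 3CX/Check Point tooling) that parses such lines, groups the results by the 3CX port ranges listed above, and flags the pattern the poster is seeing: every original port rewritten to a fresh high port, allocated sequentially in test order, which is what a hide/PAT rule does and a static 1:1 NAT should not. The sample text is constructed from the lines in the post; the `testing port N... OK` line format for a passing port is an assumption, as is the hide-NAT heuristic itself.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the checker lines quoted in the post.
# The "... OK" line is an assumed format for a port that passed.
SAMPLE_CHECKER_OUTPUT = """\
detecting SIP ALG... not detected
testing port 5060... Mapping does not match 5060. Mapping is 20112.
testing port 5090... Mapping does not match 5090. Mapping is 20116.
testing ports [9000..9398]... failed
testing port 9000... Mapping does not match 9000. Mapping is 20119.
testing port 9002... Mapping does not match 9002. Mapping is 20120.
testing port 9004... Mapping does not match 9004. Mapping is 20121.
testing port 9006... Mapping does not match 9006. Mapping is 20122.
testing port 5000... OK
"""

# Port ranges exactly as listed in the original post.
SERVICES = {
    "SIP": [(5060, 5061)],
    "Tunnel": [(5090, 5091)],
    "RTP/WebRTC": [(9000, 10999)],
    "WebUI": [(5000, 5001)],
}

MISMATCH_RE = re.compile(
    r"testing port (\d+)\.\.\. Mapping does not match \d+\. Mapping is (\d+)\."
)
OK_RE = re.compile(r"testing port (\d+)\.\.\. OK")


@dataclass
class PortResult:
    expected: int   # port the PBX listens on and expects to see from outside
    observed: int   # port the checker actually saw after NAT (== expected if preserved)


def parse_checker(text: str) -> list[PortResult]:
    """Extract per-port results; summary lines like 'testing ports [..]' are skipped."""
    results = []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            results.append(PortResult(int(m.group(1)), int(m.group(2))))
            continue
        m = OK_RE.search(line)
        if m:
            port = int(m.group(1))
            results.append(PortResult(port, port))
    return results


def service_for(port: int) -> str:
    for name, ranges in SERVICES.items():
        if any(lo <= port <= hi for lo, hi in ranges):
            return name
    return "unknown"


def report(text: str) -> dict[str, dict[str, int]]:
    """Count preserved vs rewritten ports per 3CX service range."""
    summary: dict[str, dict[str, int]] = {}
    for r in parse_checker(text):
        bucket = summary.setdefault(service_for(r.expected), {"ok": 0, "mismatched": 0})
        bucket["ok" if r.expected == r.observed else "mismatched"] += 1
    return summary


def looks_like_hide_nat(text: str, high_port_floor: int = 1024) -> bool:
    """Heuristic (an assumption, not a Check Point diagnostic): if every rewritten
    port lands above the well-known range and the rewritten ports climb in the
    order the checker tested them, the gateway is allocating from a hide/PAT pool
    rather than applying a static 1:1 translation that keeps the original port."""
    rewritten = [r.observed for r in parse_checker(text) if r.expected != r.observed]
    if not rewritten:
        return False
    return all(p >= high_port_floor for p in rewritten) and rewritten == sorted(rewritten)


if __name__ == "__main__":
    for svc, counts in report(SAMPLE_CHECKER_OUTPUT).items():
        print(f"{svc:12s} ok={counts['ok']} mismatched={counts['mismatched']}")
    print("hide-NAT pattern:", looks_like_hide_nat(SAMPLE_CHECKER_OUTPUT))
```

On the constructed sample the report shows only the WebUI range passing, which matches the poster's description, and the sequential 20112, 20116, 20119... mappings trip the hide-NAT heuristic; a correct static NAT would leave every observed port equal to its expected port.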
17 Replies
_Val_
Admin

What is in the logs when the mapping fails?

obaghishvili
Participant

Which log? Check Point or 3CX?

G_W_Albrecht
Champion

I would assume: both. 😎 Did you look at VoIP Issue and SMB Appliance (600/1000/1200/1400) already? Basic is sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances; this is the most important source for a working configuration of VoIP on SMB Appliances.

ottawacanada150
Advisor

Can you send us both logs? Also, maybe on the CP firewall while testing, run the command fw ctl zdebug + drop | grep x.x.x.x (just make sure you test the correct IP). It would be helpful to see if anything is getting dropped at the kernel level.

Andy

obaghishvili
Participant

I already checked guides and suggestions. Opened a ticket and talked to support. They also don't know.

There is nothing blocked or dropped. Logs show that at least 5060 is accepted by CP.

The problem is that the original ports, i.e. 5060-5061, 5090-5091, 9000-10999, are replaced by random ports.

Is there any way to FORCE CP to use the original ports, without enabling deep inspection?

_Val_
Admin

With manual static NAT, that should not happen. Are you sure you use SIP and not just ANY service in the rulebase?

obaghishvili
Participant

Dude!!!

It was NOT set to ANY, but your words pushed me in the right direction.

Here's the config that did the magic: WAN IP in static NAT. Hide outgoing traffic and Force translate. Access from all and a properly configured Policy.

All tests passed green.

_Val_
Admin

I am glad it works for you now.

Vladimir
Champion

From your post, it looks like you have defined the Manual NAT for the Inbound portion only.

In this case, for the outbound traffic, 3CX will likely use dynamic port assignments, thus showing you the mismatched mapping.

Check if you can define a manual outbound NAT for the original 3CX services.

obaghishvili
Participant

Thanks for the reply.

Added a manual rule as:

translate traffic from VoIP3CX (server) to External IP on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service

Nothing changed.

G_W_Albrecht
Champion

TAC should be able to resolve that in a short RAS very quickly!

obaghishvili
Participant

Eemmm, what?

_Val_
Admin

He means technical assistance should be able to help you with a short remote session. In other words, please open a support case for this.

obaghishvili
Participant

Ah :) Already did. Spent over 4 hours in Zoom with a technician. No result. The ticket is still open.

Vladimir
Champion

If you have all 3CX services used in a single NAT rule as a composite group, please try the following:

Create individual NAT rules, each containing a single defined service, and test again.

Jason_Elmore1
Explorer

Don't know if this could be related, but I had trouble getting a VoIP phone provided by a third party working on our network, connecting out through our firewall.

They asked for TCP/5061, for which I added the service "sip_tls_authentication".

It never worked.

I found there was also a service "sip_tls_not_inspected"; once I added that it worked. Both are port 5061.

Not sure what the differences are, other than one has a protocol associated with it and the other didn't.

Jason

ottawacanada150
Advisor

There is your key word, "NOT INSPECTED"... that would totally explain why it worked. Technically, any service where the protocol is set to "none" would not be inspected by anything or for anything. So, that's the main difference... NOT inspected. Think hard about whether that's what you want to use...
