This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
obaghishvili
Participant
‎2021-01-18 12:09 PM
Jump to solution

3CX Phone System behind 1450 Appliance

Hello

Has anybody ever made 3CXPhone System work behind 1450 Appliance.

I tried probably billion of options found here or over the internet but 3CX firewall checker fails every time.

ports  used by 3CX

SIP: TCP 5060-5061, UDP 5060

Tunnel: TCP 5090-5091, UDP 5090

RPT/WebRTC: UDP 9000-10999

WebUI: TCP 5000-5001

Server VoIP3CX services are added and set to manual access policy.

Outbound Policy: Traffic from Voip3CX (server) o the internet of any application is accepted

Inbound Policy: Traffic from any course to This Gateway on Voip3CX (services) is accepted

Manual NAT: Translate traffic from any source to this gateway on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service

Everything I could get configured is 5000-5001 (to reach the web interface from outside)

Other things do not work.

Phone System firewall checker says (briefly) :

    • bla bla
    • detecting SIP ALG... not detecteda
    • testing port 5060... Mapping does not match 5060. Mapping is 20112.
    • testing port 5090... Mapping does not match 5090. Mapping is 20116.
    • testing ports [9000..9398]... failed
      • testing port 9000... Mapping does not match 9000. Mapping is 20119.
      • testing port 9002... Mapping does not match 9002. Mapping is 20120.
      • testing port 9004... Mapping does not match 9004. Mapping is 20121.
      • testing port 9006... Mapping does not match 9006. Mapping is 20122.

and so on down to port 10999

I'm advanced with 3CX but pretty new to checkpoint. So any suggestion would be appreciated

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2021-01-20 02:57 AM
In response to obaghishvili
Jump to solution

With manual static NAT, that should not happen. Are you sure you use SIP and not just ANY service in the rulebase?

View solution in original post

0 Kudos
18 Replies
_Val_
Admin
Admin
‎2021-01-19 03:24 AM
Jump to solution

what is in the logs when mapping fails?

0 Kudos
obaghishvili
Participant
‎2021-01-19 08:14 AM
In response to _Val_
Jump to solution

Which log? check point or 3CX

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-01-19 11:07 AM
In response to obaghishvili
Jump to solution

I would assume: both. 8) Did you look at VoIP Issue and SMB Appliance (600/1000/1200/1400) already ? BAsic is sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances, this is the most important source for a working configuration of VoIP on SMB Appliances.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2021-01-19 11:16 AM
In response to obaghishvili
Jump to solution

Can you send us both logs? Also, maybe on CP firewall while testing, do command fw ctl zdebug + drop | grep x.x.x.x (just make sure you test correct IP). It would be helpful to see if anything is getting dropped on kernel level.

Andy

0 Kudos
obaghishvili
Participant
‎2021-01-20 02:54 AM
In response to the_rock
Jump to solution

I already checked guides and suggestions. Opened ticket and talked to supports. They also dont know.

There is nothing blocked or dropped. Logs show that at least 5060 is accepted by CP. 

The problem is that original ports ie 5060-5061,5090-5091,9000-10999 are replaced by random ports.

I there any way to FORCE cp use original ports, without enabling deep inspection?

0 Kudos
_Val_
Admin
Admin
‎2021-01-20 02:57 AM
In response to obaghishvili
Jump to solution

With manual static NAT, that should not happen. Are you sure you use SIP and not just ANY service in the rulebase?

0 Kudos
obaghishvili
Participant
‎2021-01-20 11:01 PM
In response to _Val_
Jump to solution

Dude!!!

It was NOT set to ANY, but your words pushed me in right direction.

Here's config that did a magic. WAN IP in static NAT. Hide outgoing traffic and Force translate. Access from all and properly configured Policy.

All tests passed green.

Capture.PNGCapture.PNG

0 Kudos
_Val_
Admin
Admin
‎2021-01-20 11:53 PM
In response to obaghishvili
Jump to solution

I am glad it works for you now.

0 Kudos
GTurner04
Explorer
‎2022-06-17 09:13 AM
In response to _Val_
Jump to solution

I have a 1550 instead of a 1450 and I am not able to find the dialogue box he showed below. Where do I prevent the firewall from changing the ports on the way back?

0 Kudos
Vladimir
Champion
Champion
‎2021-01-19 11:26 AM
Jump to solution

From your post, it looks like you have defined the Manual NAT for the Inbound portion only.

In this case, for the outbound traffic, 3CX will likely use dynamic port assignments and thus showing you the mismatched mapping.

Check if you can define Manual outbound NAT for original 3CX services.

obaghishvili
Participant
‎2021-01-20 12:49 AM
In response to Vladimir
Jump to solution

Thanks for reply

added manual rule as

translate traffic from VoIP3CX (server) to External IP on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service

nothing changed.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-01-20 12:51 AM
In response to obaghishvili
Jump to solution

TAC should be able to resolve that in short RAS very quickly!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2021-01-20 04:30 AM
In response to obaghishvili
Jump to solution

He means, technical assistance should be able to help you with a short remote session. In other words, please open a support case for this.

0 Kudos
obaghishvili
Participant
‎2021-01-20 07:10 AM
In response to _Val_
Jump to solution

ah ) Already did.  Spent over 4 hours in zoom with technician. No result. The ticket is still open.

0 Kudos
Vladimir
Champion
Champion
‎2021-01-20 09:49 AM
In response to obaghishvili
Jump to solution

If you have all 3CX services used in a single NAT rule as a composite group, please try following:

Create individual NAT rules each containing a single defined service and test again.

0 Kudos
Jason_Elmore1
Participant
‎2021-01-20 01:12 PM
Jump to solution

Don't know if this could be related, but I had trouble getting a VoIP phone provided by a third party working on our network, connecting out through our firewall.

They asked for TCP/5061, which I added the service "sip_tls_authentication".

It never worked.

I found there was also a service "sip_tls_not_inspected", once I added that it worked, both are port 5061.

Not sure what the differences are other than one has a protocol associated with it the other didn't.

 

Jason

0 Kudos
the_rock
Legend
Legend
‎2021-01-20 03:01 PM
In response to Jason_Elmore1
Jump to solution

There is your key word "NOT INSPECTED"...that would totally explained why it worked. Technically, any service where protocol is set to "none" would not be inspected by anything or for anything. So, thats the main difference...NOT inspected. Think hard if thats what you want to use...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top