apatrick88
Participant

Port mapping for SIP services (3CX)

Hi All,

I'm new to this Check Point firewall. I worked on Juniper Networks and the settings there are pretty different to Check Point. I have a 3CX phone system which uses port 5060 (TCP and UDP inbound), port 5090 (inbound, UDP and TCP) for the 3CX tunnel, ports 9000-10999 (inbound, UDP) for RTP (audio) communications, and 5001 for inbound TCP.

Currently on the Checkpoint there are 4 subnets and the phone system is on one of them. 

When I run the firewall checker from the 3CX management console, the test results say that port 5060 is incorrectly mapping to a different port. My understanding here is that the source ports are not matching the destination ports. This happens for all the ports mentioned above.

So I'm taking it one issue at a time. Currently I'm trying to troubleshoot one of the ports (port 5060, TCP and UDP).

I'm having trouble creating a NAT for the same.

- Disabled SIP ALG on all SIP services.

- Also on each of the SIP services, I force the service to use the source port, which is the same (e.g. on the SIP_UDP service, in the Advanced tab, I checked the option to use the source port and entered 5060).

Things I have tried on the NAT

1. Translate traffic from the phone system to any destination on SIP ports as if the traffic is from the external IP (ours) to the original destination on the original service.

2. Translate traffic from any source to our external IP on SIP UDP ports as if the traffic is from the original source to the phone system on the original service.

3. Translate traffic from any source to our external IP on SIP TCP ports as if the traffic is from the original source to the phone system on the original service.

On the firewall policy:

Outgoing - Allow outgoing traffic from the phone system to the internet on SIP TCP and SIP UDP (using the SIP service group).

Incoming - Allow incoming traffic on SIP services to our external IP.

I'm following the documentation provided by 3CX: https://www.3cx.com/docs/manual/firewall-router-configuration/

Any help here would be appreciated. 


Regards

Andrew P.

6 Replies
PhoneBoy
Admin

You can't NAT SIP traffic without enabling deep inspection of SIP.

Based on the tags in this message, I'm assuming this is a 1550 appliance, which is one of our SMB appliances.
Is this managed via the WebUI or is policy being pushed via external management?

apatrick88
Participant

Hi, thanks for your prompt reply. The policy is managed using the WebUI. As per 3CX, I disabled deep inspection of SIP.

PhoneBoy
Admin

apatrick88
Participant

I have disabled SIP ALG; that is the first thing we need to do. I configured the policy and the NAT. Now everything is working. Thanks for your help.

Basically I needed to allow inbound traffic from the SIP provider to the firewall, then create specific NAT rules using bare ports, and then force the NAT rule to translate as per the original packet. After that, the phone system's firewall checker passed a full cone test.


Thanks
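To make the difference between the original symptom (5060 showing up as a different port) and the working setup (translate "as per the original packet", full cone test passing) concrete, here is an added example that is not from the thread, Check Point or 3CX: a small Python model of the three NAT rules the original poster listed, beside a hide-NAT that rewrites source ports, run through the two checks the 3CX firewall checker performs. All addresses are constructed sample values.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Constructed sample addresses (not from the thread).
PHONE = IPv4Address("192.0.2.10")       # 3CX server on an inside subnet
EXTERNAL = IPv4Address("198.51.100.5")  # firewall's public IP
TESTER = IPv4Address("203.0.113.7")     # 3CX firewall-checker server
OTHER = IPv4Address("203.0.113.99")     # unrelated host, e.g. the SIP trunk
SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("udp", 5090), ("tcp", 5090), ("tcp", 5001)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

def is_sip(proto, port):
    # The 3CX port list from the thread, plus the UDP RTP range 9000-10999.
    return (proto, port) in SIP_PORTS or (proto == "udp" and 9000 <= port <= 10999)

class StaticNat:
    """NAT rules 1-3 from the thread: only the address changes, ports stay as in the original packet."""
    def outbound(self, pkt):
        if pkt.src == PHONE and is_sip(pkt.proto, pkt.sport):
            return replace(pkt, src=EXTERNAL)          # rule 1: appear as our external IP
        return pkt
    def inbound(self, pkt):
        if pkt.dst == EXTERNAL and is_sip(pkt.proto, pkt.dport):
            return replace(pkt, dst=PHONE)             # rules 2/3: forward to the phone system
        return None                                    # dropped

class HideNat:
    """Hide NAT behind the external IP: source port rewritten, replies only for the matching flow."""
    def __init__(self):
        self.next_port = 40000                         # constructed start of the hide-NAT port pool
        self.table = {}                                # (proto, remote ip, remote port, ext port) -> (inside ip, port)
    def outbound(self, pkt):
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=EXTERNAL, sport=ext_port)
    def inbound(self, pkt):
        hit = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        return None if hit is None else replace(pkt, dst=hit[0], dport=hit[1])

def check(nat):
    """Mimic the firewall checker: an outbound SIP probe, then an unsolicited inbound packet from another host."""
    out = nat.outbound(Packet("udp", PHONE, 5060, TESTER, 5060))
    back = nat.inbound(Packet("udp", OTHER, 5060, EXTERNAL, 5060))
    return {"port_preserved": out.sport == 5060,
            "full_cone": back is not None and back.dst == PHONE and back.dport == 5060}
```

With the static rules both checks pass; with the hide NAT the probe leaves on a rewritten port and the unsolicited inbound packet is dropped, which is what the checker reported.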

obaghishvili
Participant

Hi,

Could you please share your config? I have a 3CX and a 1450 appliance and it has literally driven me crazy. Probably a general idea of your settings would push me the right way.

Thanks in advance

Bavesh_MT
Explorer

I have been trying everything on a VSX without success. 3CX works but Full Cone failed.

Can you please share a screenshot of your NAT config which is working?
