I'm new to this Check Point firewall. I have worked on Juniper Networks devices and the settings there are pretty different from Check Point. I have a 3CX phone system which uses port 5060 (TCP and UDP, inbound), port 5090 (TCP and UDP, inbound) for the 3CX tunnel, ports 9000-10999 (UDP, inbound) for RTP (audio) communications, and port 5001 (TCP, inbound).
Currently on the Check Point there are 4 subnets and the phone system is on one of them.
When I run the firewall checker from the 3CX management console, the test results say that the port mapping for 5060 is incorrectly mapping to a different port. My understanding here is that the source ports are not matching the destination ports. This happens for all the ports mentioned above.
So I'm taking it one issue at a time. Currently I'm trying to troubleshoot one of the ports (port 5060, TCP and UDP).
I'm having trouble creating a NAT for the same.
- Disabled SIP ALG on all SIP services.
- Also, on each of the SIP services, I force the service to use the source port, which is the same (e.g. on the SIP_UDP service, in the Advanced tab, I checked the option to use the source port and entered 5060).
Things I have tried on the NAT:
1. Translate traffic from the phone system to any destination on SIP ports as if the traffic is from our external IP to the original destination on the original service.
2. Translate traffic from any source to our external IP on SIP UDP ports as if the traffic is from the original source to the phone system on the original service.
3. Translate traffic from any source to our external IP on SIP TCP ports as if the traffic is from the original source to the phone system on the original service.
On the firewall policy:
Outgoing - Allow outgoing traffic from the phone system to the internet on SIP TCP and SIP UDP (using the SIP service group).
Incoming - Allow incoming traffic on SIP services to our external IP.
I'm following the documentation provided by 3CX: https://www.3cx.com/docs/manual/firewall-router-configuration/
Any help here would be appreciated.
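A way to see exactly what the 3CX checker is complaining about, as an added example that is not from the original post or from 3CX: a Python probe that binds the fixed SIP source port (5060/5090) and asks a reflector which source port it actually observed. The reflector here is a constructed local stand-in for 3CX's public test server, so on a single host nothing rewrites the port; run the probe from the PBX host against a reflector you control outside the firewall to exercise the NAT itself.

```python
import socket
import threading

def start_reflector(proto):
    """Constructed local stand-in for the 3CX checker's public test server:
    it answers each probe with the source 'ip:port' it actually observed."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))          # ephemeral port; returned to the caller
    if proto == "tcp":
        srv.listen(5)

    def serve():
        while True:
            try:
                if proto == "udp":
                    _, peer = srv.recvfrom(1024)
                    srv.sendto(f"{peer[0]}:{peer[1]}".encode(), peer)
                else:
                    conn, peer = srv.accept()
                    with conn:
                        conn.sendall(f"{peer[0]}:{peer[1]}".encode())
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def probe(proto, src_port, reflector):
    """Bind to the fixed SIP source port, send one probe through whatever NAT
    sits in between and return (expected, observed) source ports. A hide NAT
    that rewrites the source port shows up as observed != expected, which is
    what the 3CX checker reports as an incorrect port mapping."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.settimeout(3)
        s.bind(("127.0.0.1", src_port))
        if proto == "udp":
            s.sendto(b"probe", reflector)
            data, _ = s.recvfrom(1024)
        else:
            s.connect(reflector)
            data = s.recv(1024)
    observed = int(data.decode().rsplit(":", 1)[1])
    return src_port, observed

def port_preserved(proto, src_port, reflector):
    expected, observed = probe(proto, src_port, reflector)
    return expected == observed
```

Repeat the probe for each service (5060 and 5090, TCP and UDP); a False result for a port is the same condition the checker flags, and confirms whether the source-port option on the service and the static NAT rule are actually taking effect.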