Hi All,
I'm new to this Check Point firewall. I worked on Juniper Networks and the settings there are pretty different to Check Point. I have a 3CX phone system which uses port 5060 (TCP and UDP inbound), port 5090 (inbound, UDP and TCP) for the 3CX tunnel, ports 9000-10999 (inbound, UDP) for RTP (audio) communications and 5001 for inbound TCP.
Currently on the Check Point there are 4 subnets and the phone system is on one of them.
When I run a firewall checker from the 3CX management console, the test results say that the port mapping from 5060 is incorrectly mapping to a different port. From my understanding here is that the source ports are not matching the destination ports. This happens for all the ports mentioned above.
So I'm taking it one issue at a time. Currently trying to troubleshoot one of the ports (port 5060 TCP and UDP).
I'm having trouble creating a NAT for the same.
- Disabled SIP ALG on all SIP services.
- Also on each of the SIP services, I force the service to use the source port, which is the same (e.g. on the SIP_UDP service, in the advanced tab, I checked the option to use the source port and entered 5060)
Things I have tried on the NAT:
1. Translate traffic from the phone system to any destination on SIP ports as if the traffic is from the external IP (ours) to the original destination on the original service
2. Translate traffic from any source to our external IP on SIP UDP Ports as if the traffic is from Original source to the Phone System on the original service
3. Translate traffic from any source to our external IP on SIP TCP Ports as if the traffic is from Original source to the Phone System on the original service
On the firewall policy:
Outgoing - Allow outgoing traffic from the phone system to the internet on SIP tcp and SIP udp (using the SIP service group)
Incoming - Allow incoming traffic on SIP services to our external IP
I'm following the documentation provided by 3CX: https://www.3cx.com/docs/manual/firewall-router-configuration/
Any help here would be appreciated.
Regards
Andrew P.
You can't NAT SIP traffic without enabling deep inspection of SIP.
Based on the tags in this message, I'm assuming this is a 1550 appliance, which is one of our SMB appliances.
Is this managed via the WebUI or is policy being pushed via external management?
Hi, thanks for your prompt reply. The policy is managed using the WebUI. As per 3CX, I disabled deep inspection of SIP.
Did you disable SIP inspection per the following?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I have disabled SIP ALG; that is the first thing we need to do. I configured the policy and the NAT. Now everything is working. Thanks for your help.
Basically I needed to allow inbound traffic from the SIP provider to the firewall and then create specific NAT rules and use bare ports and then force the NAT rule to translate as per the original packet. After that, the phone system's firewall passed a full cone test.
Thanks
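The checks implied by the resolution above (every 3CX port forwarded to the phone system, with the port left as in the original packet), as an added example that is not part of the original posts. The rule fields, the `audit` helper, the PBX address and the sample rules are constructed for illustration and are not Check Point configuration syntax; only the port list comes from the thread.

```python
# Added example: rule fields and sample rules are constructed, not Check Point syntax.
REQUIRED = [  # (protocol, first port, last port), as listed in the original post
    ("tcp", 5060, 5060), ("udp", 5060, 5060),   # SIP
    ("tcp", 5090, 5090), ("udp", 5090, 5090),   # 3CX tunnel
    ("udp", 9000, 10999),                       # RTP audio
    ("tcp", 5001, 5001),
]

def audit(rules, pbx_ip):
    """List required ports that are not forwarded to pbx_ip, or are remapped."""
    findings = []
    for proto, lo, hi in REQUIRED:
        need = set(range(lo, hi + 1))
        preserved, remapped = set(), set()
        for r in rules:
            if r["proto"] != proto or r["to_ip"] != pbx_ip:
                continue
            first, last = r["ports"]
            hit = need & set(range(first, last + 1))
            # "Bare port" forward: translated range equals the original range.
            (preserved if r["to_ports"] == r["ports"] else remapped).update(hit)
        missing = need - preserved - remapped
        for label, ports in (("not forwarded", missing), ("remapped", remapped)):
            if ports:
                findings.append(f"{proto} {min(ports)}-{max(ports)}: "
                                f"{len(ports)} port(s) {label}")
    return findings

PBX = "10.0.0.10"  # constructed internal address of the phone system
SAMPLE_RULES = [   # constructed inbound NAT rules with three deliberate mistakes
    {"proto": "tcp", "ports": (5060, 5060), "to_ip": PBX, "to_ports": (5060, 5060)},
    {"proto": "udp", "ports": (5060, 5060), "to_ip": PBX, "to_ports": (1024, 1024)},
    {"proto": "tcp", "ports": (5090, 5090), "to_ip": PBX, "to_ports": (5090, 5090)},
    {"proto": "udp", "ports": (5090, 5090), "to_ip": PBX, "to_ports": (5090, 5090)},
    {"proto": "udp", "ports": (9000, 9999), "to_ip": PBX, "to_ports": (9000, 9999)},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, PBX):
        print(line)
```

This covers the inbound forwards only; the permitted source (the SIP provider, per the post above) is a separate policy check.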
Hi,
Could you please share your config? I have 3CX and a 1450 appliance and it has literally driven me crazy. Probably a general idea of your settings would push me the right way.
Thanks in advance
I have been trying everything on a VSX without success. 3CX works but the Full Cone test failed.
Can you please share a screenshot of your NAT config which is working?
Hi,
Does anybody have a working configuration for the Check Point and a 3CX PBX?
Hi,
Can anybody share a screenshot with a working NAT configuration for a 3CX PBX?
Did you already look into sk95369?
These resolved my problem: