bashrael
New Member
January 21, 2017
Question

3cx full cone nat


Hi,

I have a 3cx pbx behind a fortigate 60c (FGT60C-5.02-FW-build742)

I disabled the sip helper (http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/)

I made vip with static nat for port 5060(tcp/udp), 5090(tcp/udp) and 9000-9500(udp)

I created a policy for these vip's from wan to my pbx on my lan

From the lan everything is working. I can call outside, calls are coming in, sound is good.

 

But I need to set up some remote IP phones. They make contact with my PBX and are able to register, but there is no sound.

I did the firewall check from the 3cx pbx and it says port 5060 is not full cone nat.

 

Anyone has an idea how to set up full cone nat?

Thanks!

    2 replies

    bashrael (Author)
    New Member
    February 3, 2017

    no one?

    Not enough info or?

    Jeff_FTNT
    Staff
    February 6, 2017

    Try CLI:

    config firewall policy
    edit 1
    set nat enable
    set permit-any-host enable
    end

    MikePruett
    New Member
    February 6, 2017

    Have you switched the alg-mode to kernel based from the default proxy mode?

    bashrael (Author)
    New Member
    February 18, 2017

    hi all,

    Sorry for the late answer.

    I have been doing tests with fortinet about this case and seems like MikePruett has got it right.

    If you follow the 3CX instructions for FortiGate, full cone NAT will not be working: https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/

    It's important to add the last command as MikePruett suggested.

     

    So if you have a 3cx pbx and a fortigate firewall you need to execute following commands in the fortigate:

    Open the Fortigate CLI from the dashboard.

    Enter the following commands in FortiGate’s CLI:

    config system settings
    set sip-helper disable
    set sip-nat-trace disable
    end

     

    reboot the device

     

    Reopen CLI and enter the following commands – do not enter the text after //:

    config system session-helper
    show //locate the SIP entry, usually 12, but can vary.
    delete 12 //or the number that you identified from the previous command.
    end

    Disable RTP processing as follows:

    config voip profile
    edit default
    config sip
    set rtp disable
    end
    end

    config system settings
    set default-voip kernel-helper-based
    end

     

    grts!
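
A check for the procedure in the last post, as an added example that is not part of the thread and not Fortinet or 3CX code: it parses a FortiOS configuration backup and lists which of the thread's steps are not visible in it. The sample config is constructed, `parse` and `audit` are names chosen here, and `default-voip-alg-mode` is the full spelling of the setting the thread types as `default-voip`.

```python
# Constructed sample (not from the thread): 3CX steps applied, ALG mode still proxy-based.
SAMPLE = """\
config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 1
        set name pptp
    next
end
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end
"""

def parse(text):  # config/edit/set nesting -> nested dicts
    stack = [{}]
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in line.split()]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) >= 3:
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(text):  # steps from the thread that the config does not show as applied
    cfg = parse(text)
    settings = cfg.get("system settings", {})
    # The thread types "default-voip"; a saved config spells it default-voip-alg-mode.
    mode = next((v for k, v in settings.items() if k.startswith("default-voip")), None)
    rtp = cfg.get("voip profile", {}).get("default", {}).get("sip", {}).get("rtp")
    helpers = cfg.get("system session-helper", {}).values()
    checks = {
        "sip-helper disable": settings.get("sip-helper") == "disable",
        "sip-nat-trace disable": settings.get("sip-nat-trace") == "disable",
        "session-helper sip entry deleted": all(h.get("name") != "sip" for h in helpers),
        "voip profile default sip rtp disable": rtp == "disable",
        "default-voip kernel-helper-based": mode == "kernel-helper-based",
    }
    return [step for step, ok in checks.items() if not ok]

print(audit(SAMPLE))
```

An empty list means every step is visible in the config; a setting whose line is missing from the backup is reported as not applied.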