Hi,
I have a 3cx pbx behind a fortigate 60c (FGT60C-5.02-FW-build742)
I disabled the sip helper (http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/)
I made vip with static nat for port 5060(tcp/udp), 5090(tcp/udp) an 9000-9500(udp)
I created a policy for these vip's from wan to my pbx on my lan
From the lan everything is working. I can call outside, calls are coming in sound is good.
But I need to setup some remote ip phone. They make contact with my pbc and are able to register but there is no sound.
I did the firewall check from the 3cx pbx and it says port 5060 is not full cone nat.
Anyone has an idea how to set up full cone nat?
Thanks!
no one?
Not enough info or?
Try CLI:
config firewall policy
edit 1
set nat enable
set permit-any-host enable
end
Have you switched the alg-mode to kernel based from the default proxy mode?
Mike Pruett
hi all,
sry for the late answer.
I have been doing tests with fortinet about this case and seems like MikePruett has got it right.
If you follow the 3cx instructions for fortigate ful cone nat will not be working: https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/
It's important to add the last command as mikepruet suggested.
So if you have a 3cx pbx and a fortigate firewall you need to execute following commands in the fortigate:
Open the Fortigate CLI from the dashboard.
Enter the following commands in FortiGate’s CLI:
config system settings set sip-helper disable set sip-nat-trace disable
reboot the device
Reopen CLI and enter the following commands – do not enter the text after //:
config system session-helper show //locate the SIP entry, usually 12, but can vary. delete 12 //or the number that you identified from the previous command.
Disable RTP processing as follows: config voip profile edit default config sip set rtp disable
config system settings set default-voip kernel-helper-based end
grts!
I did all of the task required as mentioned above such VIP mapping, policy, changes required via CLI, etc. but still getting "testing port 5060... full cone test failed" but the rest is green.
Below is a quick documentation of the steps i did: Prerequisite: LAN Interface – Where the PBX is sitting (lan) WAN Interface – Where the Public IP is assigned, goes out to internet (wan1) LAN IP Address of PBX (ex. 192.168.1.100) WAN IP Address of PBX (ex. 10.11.12.13) Ports to Allow: (VIP mapping) 5060 | TCP - General SIP access 5060 | UDP - General SIP access 5061 | TCP - Secure SIP 5090 | TCP - 3CX Tunnel 5090 | UDP - 3CX Tunnel 9000 – 9500 | UDP – RTP Traffic 5001 |TCP - Web meeting 443 | TCP - Inbound-Presence and Provisioning, Outbound-Google android push 2195-2196 | TCP – Outbound-IOS Push Create policy object - Addresses for PBX local IP - Object Name: 3CX-PBX - Type: IP/Netmask - IP Address: 192.168.1.100 Create policy object – Virtual IPs (VIP) for Port Mapping - Example VIP setup for port 5060 | TCP
Name: VIP-3CX_5060-TCP Interface: Wan1 Type: Static NAT External IP Address/Range: 10.11.12.13-10.11.12.13 Internal IP Address/Range: 192.168.1.100-192.168.1.100 Port Forwarding: enabled (checked) Protocol: TCP External Service Port: 5060-5060 Map to Port: 5060-5060 - Next is 5060 | UDP same as the above except for the protocol it will change to UDP - Did the rest of the VIP mapping as listed on Ports to Allow: (VIP mapping)
Firewall Policy
Outbound Policy (LAN to WAN)
Incoming Interface: lan Source Address: 3CX-PBX Outgoing Interface: wan1 Destination Address: ANY Service: ALL NAT: Enabled * All other options like Web filter, Application Control and Certificate Inspection are disabled
Inbound Policy (WAN to LAN)
Incoming Interface: wan1 Source Address: ALL Outgoing Interface: lan Destination Address: Added all VIP OBJECT created: VIP-3CX_5060-TCP, VIP-3CX_5060-UDP, etc. Service: ALL NAT: Disabled * All other options like Web filter, Application Control and Certificate Inspection are disabled Full cone NAT setup via Fortigate CLI. Open the Fortigate CLI from the dashboard. Enter the following commands in Fortigate’s CLI: config system settings set sip-helper disable set sip-nat-trace disable Reboot the Fortigate.
Reopen CLI and enter the following commands – do not enter the text after //: config system session-helper show //locate the SIP entry, usually 12, but can vary. delete 12 //or the number that you identified from the previous command. Disable RTP processing as follows: config voip profile edit default config sip set rtp disable config system settings set default-voip kernel-helper-based end
Performed another reboot.
Anything i missed?
In case anyone has the same issue
what missing above is the IP pool configuration which is 3CX-PBX in the example.
from CLI
>config firewall ippool edit “3CX-PBX”
>set type port-block-allocation
>set permit-any-host enable
>end
reboot your fw
Some posts suggest to use Profile VOIP by enabling Features however I found that is not the case
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.