Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bashrael
New Contributor

3CX full cone NAT

Hi,

I have a 3CX PBX behind a FortiGate 60C (FGT60C-5.02-FW-build742).

I disabled the SIP helper (http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/).

I made VIPs with static NAT for ports 5060 (TCP/UDP), 5090 (TCP/UDP) and 9000-9500 (UDP).

I created a policy for these VIPs from the WAN to my PBX on my LAN.

From the LAN everything is working. I can call outside, calls are coming in and the sound is good.


But I need to set up some remote IP phones. They make contact with my PBX and are able to register, but there is no sound.

I did the firewall check from the 3CX PBX and it says port 5060 is not full cone NAT.


Does anyone have an idea how to set up full cone NAT?

Thanks!

bashrael
New Contributor

No one?

Not enough info, or?

Jeff_FTNT
Staff

Try the CLI:

    config firewall policy
        edit 1
            set nat enable
            set permit-any-host enable
        next
    end

MikePruett

Have you switched the ALG mode to kernel-based from the default proxy mode?

Mike Pruett Fortinet GURU | Fortinet Training Videos
bashrael

Hi all,

Sorry for the late answer.

I have been doing tests with Fortinet about this case and it seems like MikePruett has got it right.

If you follow the 3CX instructions for FortiGate, full cone NAT will not be working: https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/

It's important to add the last command as MikePruett suggested.


So if you have a 3CX PBX and a FortiGate firewall you need to execute the following commands on the FortiGate:

Open the FortiGate CLI from the dashboard.

Enter the following commands in FortiGate’s CLI:

    config system settings
        set sip-helper disable
        set sip-nat-trace disable
    end

Reboot the device.

Reopen the CLI and enter the following commands (do not enter the text after //):

    config system session-helper
        show         // locate the SIP entry, usually 12, but it can vary
        delete 12    // or the number that you identified from the previous command
    end

Disable RTP processing as follows:

    config voip profile
        edit default
            config sip
                set rtp disable
            end
        next
    end

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end

Greetings!

luckysantiago

I did all of the tasks required as mentioned above, such as VIP mapping, policy, changes required via CLI, etc., but I am still getting "testing port 5060... full cone test failed" while the rest is green.

Below is a quick documentation of the steps I did:

Prerequisites:
- LAN Interface - where the PBX is sitting (lan)
- WAN Interface - where the public IP is assigned, goes out to the internet (wan1)
- LAN IP address of the PBX (ex. 192.168.1.100)
- WAN IP address of the PBX (ex. 10.11.12.13)

Ports to allow (VIP mapping):
- 5060 | TCP - General SIP access
- 5060 | UDP - General SIP access
- 5061 | TCP - Secure SIP
- 5090 | TCP - 3CX Tunnel
- 5090 | UDP - 3CX Tunnel
- 9000-9500 | UDP - RTP traffic
- 5001 | TCP - Web meeting
- 443 | TCP - Inbound: presence and provisioning; Outbound: Google Android push
- 2195-2196 | TCP - Outbound: iOS push

Create policy object - Addresses for the PBX local IP:
- Object Name: 3CX-PBX
- Type: IP/Netmask
- IP Address: 192.168.1.100

Create policy object - Virtual IPs (VIP) for port mapping. Example VIP setup for port 5060 | TCP:
- Name: VIP-3CX_5060-TCP
- Interface: wan1
- Type: Static NAT
- External IP Address/Range: 10.11.12.13-10.11.12.13
- Internal IP Address/Range: 192.168.1.100-192.168.1.100
- Port Forwarding: enabled (checked)
- Protocol: TCP
- External Service Port: 5060-5060
- Map to Port: 5060-5060

Next is 5060 | UDP, the same as the above except the protocol changes to UDP. I did the rest of the VIP mapping as listed under "Ports to allow (VIP mapping)".

Firewall Policy

Outbound Policy (LAN to WAN)

- Incoming Interface: lan
- Source Address: 3CX-PBX
- Outgoing Interface: wan1
- Destination Address: ANY
- Service: ALL
- NAT: Enabled
* All other options like Web Filter, Application Control and Certificate Inspection are disabled

Inbound Policy (WAN to LAN)

- Incoming Interface: wan1
- Source Address: ALL
- Outgoing Interface: lan
- Destination Address: all the VIP objects created: VIP-3CX_5060-TCP, VIP-3CX_5060-UDP, etc.
- Service: ALL
- NAT: Disabled
* All other options like Web Filter, Application Control and Certificate Inspection are disabled

Full cone NAT setup via the FortiGate CLI

Open the FortiGate CLI from the dashboard. Enter the following commands in FortiGate’s CLI:

    config system settings
        set sip-helper disable
        set sip-nat-trace disable
    end

Reboot the FortiGate.

Reopen the CLI and enter the following commands (do not enter the text after //):

    config system session-helper
        show         // locate the SIP entry, usually 12, but it can vary
        delete 12    // or the number that you identified from the previous command
    end

Disable RTP processing as follows:

    config voip profile
        edit default
            config sip
                set rtp disable
            end
        next
    end

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end

Performed another reboot.

Anything I missed?

Hoangmn

In case anyone has the same issue:

What is missing above is the IP pool configuration, which is 3CX-PBX in the example.

From the CLI:

    config firewall ippool
        edit "3CX-PBX"
            set type port-block-allocation
            set permit-any-host enable
        next
    end


Reboot your FW.

Some posts suggest using a VoIP profile by enabling Features; however, I found that is not the case.
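The following is an added example, not taken from any reply in this thread: the pieces posted separately above (SIP ALG disabled, the static NAT VIP, the IP pool with permit-any-host, and the two policies) brought together as one FortiGate CLI session. Interface names, object names and the 10.11.12.13 / 192.168.1.100 addresses are the example values from luckysantiago's post; the pool type follows Hoangmn's reply. Option names follow FortiOS 5.2-era syntax and are an assumption for other releases (on builds where the firewall policy itself still has permit-any-host, as in Jeff_FTNT's reply, it is set there rather than on the pool). Only the UDP 5060 VIP is shown; the other ports in the list above need their own VIP objects added to the inbound policy.

```text
# Added example: consolidated FortiGate CLI for a 3CX PBX behind a FortiGate.
# Assumed: FortiOS 5.2-era syntax, lan/wan1 interfaces, PBX 192.168.1.100,
# public IP 10.11.12.13 (all values taken from the examples in this thread).

# 1. Stop the FortiGate from rewriting SIP/RTP (SIP ALG off)
config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based
end

# Find the entry whose name is "sip" (often 12, but it varies) and delete it
config system session-helper
    show
    delete 12
end

# Keep the default VoIP profile from opening RTP pinholes
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end

# 2. Address object for the PBX
config firewall address
    edit "3CX-PBX"
        set subnet 192.168.1.100 255.255.255.255
    next
end

# 3. Inbound static NAT VIP for SIP over UDP (repeat per port/protocol)
config firewall vip
    edit "VIP-3CX_5060-UDP"
        set extip 10.11.12.13
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.100"
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
end

# 4. IP pool with full cone NAT for the PBX's outbound traffic
config firewall ippool
    edit "3CX-PBX"
        set type port-block-allocation
        set startip 10.11.12.13
        set endip 10.11.12.13
        set permit-any-host enable
    next
end

# 5. Policies: PBX out through the pool; Internet in to the VIP(s), no NAT
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "3CX-PBX"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "3CX-PBX"
    next
    edit 0
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP-3CX_5060-UDP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The outbound policy must reference the pool: a static NAT VIP with port forwarding only translates inbound connections, so without the pool the PBX's own outbound SIP traffic leaves through the interface address with ordinary overload NAT, which is what the 3CX firewall checker reports as "not full cone". Reboot after changing the session helper, as the posts above note, and re-run the 3CX firewall check afterwards.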
