Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- 3cx full cone nat
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3cx full cone nat
Hi,
I have a 3cx pbx behind a fortigate 60c (FGT60C-5.02-FW-build742)
I disabled the sip helper (http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/)
I made vip with static nat for port 5060(tcp/udp), 5090(tcp/udp) an 9000-9500(udp)
I created a policy for these vip's from wan to my pbx on my lan
From the lan everything is working. I can call outside, calls are coming in sound is good.
But I need to setup some remote ip phone. They make contact with my pbc and are able to register but there is no sound.
I did the firewall check from the 3cx pbx and it says port 5060 is not full cone nat.
Anyone has an idea how to set up full cone nat?
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no one?
Not enough info or?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try CLI:
config firewall policy
edit 1
set nat enable
set permit-any-host enable
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you switched the alg-mode to kernel based from the default proxy mode?
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi all,
sry for the late answer.
I have been doing tests with fortinet about this case and seems like MikePruett has got it right.
If you follow the 3cx instructions for fortigate ful cone nat will not be working: https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/
It's important to add the last command as mikepruet suggested.
So if you have a 3cx pbx and a fortigate firewall you need to execute following commands in the fortigate:
Open the Fortigate CLI from the dashboard.
Enter the following commands in FortiGate’s CLI:
config system settings set sip-helper disable set sip-nat-trace disable
reboot the device
Reopen CLI and enter the following commands – do not enter the text after //:
config system session-helper show //locate the SIP entry, usually 12, but can vary. delete 12 //or the number that you identified from the previous command.
Disable RTP processing as follows: config voip profile edit default config sip set rtp disable
config system settings set default-voip kernel-helper-based end
grts!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did all of the task required as mentioned above such VIP mapping, policy, changes required via CLI, etc. but still getting "testing port 5060... full cone test failed" but the rest is green.
Below is a quick documentation of the steps i did: Prerequisite: LAN Interface – Where the PBX is sitting (lan) WAN Interface – Where the Public IP is assigned, goes out to internet (wan1) LAN IP Address of PBX (ex. 192.168.1.100) WAN IP Address of PBX (ex. 10.11.12.13) Ports to Allow: (VIP mapping) 5060 | TCP - General SIP access 5060 | UDP - General SIP access 5061 | TCP - Secure SIP 5090 | TCP - 3CX Tunnel 5090 | UDP - 3CX Tunnel 9000 – 9500 | UDP – RTP Traffic 5001 |TCP - Web meeting 443 | TCP - Inbound-Presence and Provisioning, Outbound-Google android push 2195-2196 | TCP – Outbound-IOS Push Create policy object - Addresses for PBX local IP - Object Name: 3CX-PBX - Type: IP/Netmask - IP Address: 192.168.1.100 Create policy object – Virtual IPs (VIP) for Port Mapping - Example VIP setup for port 5060 | TCP
Name: VIP-3CX_5060-TCP Interface: Wan1 Type: Static NAT External IP Address/Range: 10.11.12.13-10.11.12.13 Internal IP Address/Range: 192.168.1.100-192.168.1.100 Port Forwarding: enabled (checked) Protocol: TCP External Service Port: 5060-5060 Map to Port: 5060-5060 - Next is 5060 | UDP same as the above except for the protocol it will change to UDP - Did the rest of the VIP mapping as listed on Ports to Allow: (VIP mapping)
Firewall Policy
Outbound Policy (LAN to WAN)
Incoming Interface: lan Source Address: 3CX-PBX Outgoing Interface: wan1 Destination Address: ANY Service: ALL NAT: Enabled * All other options like Web filter, Application Control and Certificate Inspection are disabled
Inbound Policy (WAN to LAN)
Incoming Interface: wan1 Source Address: ALL Outgoing Interface: lan Destination Address: Added all VIP OBJECT created: VIP-3CX_5060-TCP, VIP-3CX_5060-UDP, etc. Service: ALL NAT: Disabled * All other options like Web filter, Application Control and Certificate Inspection are disabled Full cone NAT setup via Fortigate CLI. Open the Fortigate CLI from the dashboard. Enter the following commands in Fortigate’s CLI: config system settings set sip-helper disable set sip-nat-trace disable Reboot the Fortigate.
Reopen CLI and enter the following commands – do not enter the text after //: config system session-helper show //locate the SIP entry, usually 12, but can vary. delete 12 //or the number that you identified from the previous command. Disable RTP processing as follows: config voip profile edit default config sip set rtp disable config system settings set default-voip kernel-helper-based end
Performed another reboot.
Anything i missed?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case anyone has the same issue
what missing above is the IP pool configuration which is 3CX-PBX in the example.
from CLI
>config firewall ippool edit “3CX-PBX”
>set type port-block-allocation
>set permit-any-host enable
>end
reboot your fw
Some posts suggest to use Profile VOIP by enabling Features however I found that is not the case
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Can't see blocked IP and FQDN... 63 Views
- How to Modify convergence times in... 99 Views
- FortiAP-231G intermittently goes offline. 130 Views
- FortiAnalyzer ADOM not using Storage 149 Views
- Allow specific full url in fortigate 523 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.