Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- " Full cone NAT" + VOIP ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎10-13-2008 01:25 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" Full cone NAT" + VOIP ?
We are evaluation the 3CX VOIP Software Based PBX which on the whole is working well apart from incoming calls where we seem to have a firewall issue. The firewall is a Fortigate 60B and the VOIP system resides on an internal IP of 172.16.1.21.
Our provider has stated that :
The following ports need to be open: 5060 TCP & UDP 10000 – 20000 UDPHowever in the 3CX system you can restrict the number of ports being used, for testing I set this to 9000 to 9001 UDP. The firewall test fails with : 1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.45.179.66:55492 2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 84.45.179.66:55494addrFromSTUN = 84.45.179.66:55492 3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside. 4 9000 Error (10) Port is open, but port number has been changed during NAT translation. THIS ERROR means you have Symmetric NAT and you do not have STATIC PORT MAPPINGS in place. 3CX Phone System will not communicated correctly with your VOIP provider or external extensions. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 84.45.179.66:55492 The solution from 3CX was to upgrade to a better firewall such as a Draytek(!) The solution appears to be to use " Full Cone NAT" or basically a Virtual IP to forward all the ports from a given external IP address to the LAN address 172.16.1.21. The problem I have is the external address 84.45.179.66 is being used for a SMTP VIP as well. Is there anyway to make traffic from a given internal IP (172.16.1.21) to go out via a different external IP address ? All my interfaces are currently in use and the WAN1 is the only interface on the 84.45.179.X network. Or do I have to move my DNS entries for e-mail ? Hope this makes some sense.
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Not applicable
Created on ‎10-15-2008 07:26 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I' ve actually got it working. I' ve moved all my VIP' s away from the WAN1 IP address and put a Static NAT entry on there to the Phone System. Doesn' t explain why the phone system wouldn' t go out using the IP POOL but it' s working now so I' ll stick with it. Thanks everyone for all your help was appreciated.
Not applicable
Created on ‎10-15-2008 08:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah it works a treat can wholly recommend it. You can have a full 10 extension VOIP PBX system for less then £3000 including handsets. The flexibility is amazing, remote workers who can have an internal extension half way round the world anyone ?
I think the Phone System connects into to the VOIP provider on a regular basis keeping the connection alive.
Right I' m off to work out how to implement a PBX to SkyPE connector now!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now that everything works fine, could you posts the firewall configuration again, only the rules you re using. And if possible, not graphical, just the CLI configuration ;)
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes of course.
This scenario is a VOIP PBX Phone system behind a Fortigate firewall working in NAT/Route mode. The VOIP PBX Phone system utilises an external VOIP Provider proxy to route incoming and outgoing phone calls via SIP. The external IP address of the firewall is 99.99.99.99 and the internal IP address of the PBX Server is 192.168.1.1.
Requirement to getting this working : The external IP address of the firewall has no VIP' s on it. The IP address you go out on needs to be to be clear of any VIPs, I had to move my SMTP/Webmail up an IP address.
config firewall profile
edit " SIP"
set log-voip enable
set ftp splice
unset http
unset https
set imap fragmail spamfssubmit
set pop3 fragmail spamfssubmit
set smtp fragmail spamfssubmit splice
set pop3-spamtagtype subject
set nntp no-content-summary
unset im
config sip
set status enable
set invite-rate 10
set nat-trace disable
set register-rate 10
end
set ftgd-wf-options strict-blocking
set ftgd-wf-https-options strict-blocking
next
end
config firewall vip
edit " SIP"
set extip 99.99.99.99
set extintf " wan1"
set mappedip 192.168.1.1
next
config firewall policy
edit XX
set srcintf " wan1"
set dstintf " internal"
set srcaddr " all"
set dstaddr " SIP"
set action accept
set schedule " always"
set service " SIP"
set profile-status enable
set profile " SIP"
next
end
Search : 3CX VOIP SIP PBX
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there All
i am trying to setup our VoIP system at our offices. We are also using 3CX.
The problem i am having is when i do the firewall test, it returns with error 15.
i think the problem is our external address, we do not have static ip for the external but i dynamic, like a dyndns. Would this cause the problem? or will it work on a dyndns address?
See when i setup i VIP, the external adress i leave as 0.0.0.0 as we dont have one...
Your help is always appreciated.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI still testing the MR patches, but it would appear that FortOS v3.0 MR6 works with 3CX firewall, however the v3.0 MR7 release does not work with 3CX, with inbound calls failing.
Thanks,
Justin Hobson
Thanks, Justin Hobson
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Justin,
Can confirm the above is working with MR7 726 build on a 60B.Also you don' t need to forward everything to the internal IP of the 3CX :
60B running MR7(726) build.
Scenario is 3CX is on an internal address behind the firewall running in NAT mode.
Firewall -> Protection Profile -> Create New Call it SIP or something Expand VOIP check SIP and se both fields to a number (we picked 10).
Firewall -> Virtual IP -> Create New
Call it something i.e. VOIP_INCOMING
Static NAT
External IP Address : x.x.x.x (Put your external IP in here)
Internal IP Address : 192.168.1.X (or whatever your 3CX server is on) Port Forwarding UDP 5060 5060
Firewall -> Policy -> New
Source WAN1
Destination VOIP_INCOMING
Service SIP
Protection Profile SIP
Leave NAT unchecked.
- « Previous
-
- 1
- 2
- Next »
Labels
-
FortiGate
10,794 -
FortiClient
2,213 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
582 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
393 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
185 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
ZTNA
79 -
SAML
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
64 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
56 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
42 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2712 | |
| 1416 | |
| 810 | |
| 732 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.