How to Configure a Cisco Router with the 3CX Phone System

Introduction

This document describes the configuration of a Cisco router for use with the 3CX Phone System.

Status

In general, Cisco routers are known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct Remote Extensions (STUN) and 3CX Tunnel connections. Due to the complexity of the setup, ensure that SIP ALG services are turned off for port 5060 UDP (e.g. no ip nat service sip udp port 5060).

The status of this type of firewall is “Supported”.
NAT Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read http://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be made in this guide.

Configuring the Cisco Router

A Cisco router has a firewall (ACLs) and also NAT. If you have the firewall enabled, you need to configure both NAT and access on the firewall for NAT to work. If you do not have the firewall enabled, follow step 1 in the documented procedure below. To configure both NAT and firewall, follow steps 1 and 2 in the documented procedure below.

Step 1. Configuring NAT on a Cisco Router

For an always up-to-date list of the ports that need to be open, check “Firewall & Router Configuration”, as the ports may depend on the version you are using.

  1. Log in to the SDM (Web interface) of the Cisco router. E.g. if the router IP is 192.168.1.3, use a web browser to access the following URL: http://192.168.1.3 (use HTTPS if the Cisco Web Interface is running on a secure server).
  2. Click on the “Configure” button to start configuring the router.
  3. Click on the “NAT” button on the left-hand side menu and on the “Edit NAT Configuration” tab to start publishing ports on the router for the 3CX Phone System.
  4. Add the following NAT entries to a new or already existing NAT table:
    1. Inbound TCP port 5001 mapped to the PBX internal IP.
    2. Inbound TCP port 5000 mapped to the PBX internal IP.
    3. Inbound TCP port 5060 mapped to the PBX internal IP.
    4. Inbound UDP port 5060 mapped to the PBX internal IP.
    5. Inbound UDP ports 9000 to 9499 mapped to the PBX internal IP.
    6. Inbound TCP port 5090 mapped to the PBX internal IP.
    7. Inbound UDP port 5090 mapped to the PBX internal IP.
  5. Click on “Add” to add a new NAT rule.
  6. To start mapping ports, follow the options below:
    1. Tick “Static”.
    2. Set “Direction” to “From Inside to Outside”.
    3. Set “IP address of Translate from interface” to the 3CX Phone System Internal IP.
    4. Set the “Network Mask” to the 3CX Phone System subnet mask.
    5. Set “Translate to interface Type” to “IP address” or “Interface” (if you have more than one IP bound to the same interface and want the 3CX Phone System to listen on a particular IP, choose “IP address”).
    6. If in step 5 you chose “IP address”, input the external IP you want the 3CX Phone System to listen on.
    7. If in step 5 you chose “Interface”, choose from the interface drop-down menu the interface where the 3CX Phone System should be published.
    8. Tick “Redirect Port”.
    9. Tick if it is “TCP” or “UDP” (depending on the Port being configured).
    10. Input the original port and translated port (preferably these should be the same port number).
    11. Click on “OK” to apply the NAT entry.

  7. Repeat Step 5 to map every port that the 3CX Phone System needs.
  8. When all default ports are configured, the final NAT table should look like the one shown above.
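To check the result of Step 1 without the SDM screenshots, the following added example (not 3CX or Cisco code) audits a saved running-config against the port list above and the SIP ALG setting from the Status section. The function name audit, the PBX address 192.168.1.10, the interface Dialer0 and the assumed running-config line format are illustrative assumptions.

```python
import re

# Ports the page lists for NAT: (protocol, port). UDP 9000-9499 is a range.
REQUIRED = {("tcp", 5000), ("tcp", 5001), ("tcp", 5060), ("udp", 5060),
            ("tcp", 5090), ("udp", 5090)}
REQUIRED |= {("udp", p) for p in range(9000, 9500)}

# Assumed running-config form of a static port forward (interface or IP target).
STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface \S+|\S+) (\d+)", re.M)
ALG_OFF = re.compile(r"^no ip nat service sip udp port 5060\s*$", re.M)

def audit(config, pbx_ip):
    """Compare static NAT entries for pbx_ip against the page's port list."""
    forwarded, remapped = set(), []
    for proto, ip, inside, outside in STATIC_NAT.findall(config):
        if ip != pbx_ip:
            continue  # forward belongs to another internal host
        forwarded.add((proto, int(inside)))
        if inside != outside:  # the page prefers identical port numbers
            remapped.append((proto, int(inside), int(outside)))
    return {
        "missing": sorted(REQUIRED - forwarded),   # ports still to publish
        "extra": sorted(forwarded - REQUIRED),     # exposure beyond the list
        "remapped": remapped,
        "sip_alg_disabled": bool(ALG_OFF.search(config)),
    }

# Constructed sample config: omits TCP 5090 and UDP 9499, adds TCP 8080.
PBX = "192.168.1.10"
FWD = "ip nat inside source static {0} " + PBX + " {1} interface Dialer0 {1}"
PAIRS = [("tcp", 5000), ("tcp", 5001), ("tcp", 5060), ("udp", 5060),
         ("udp", 5090)]
PAIRS += [("udp", p) for p in range(9000, 9499)] + [("tcp", 8080)]
SAMPLE = "\n".join([FWD.format(*pair) for pair in PAIRS]
                   + ["no ip nat service sip udp port 5060"])

if __name__ == "__main__":
    for key, value in audit(SAMPLE, PBX).items():
        print(key, value)
```

An empty "missing" list with "sip_alg_disabled" true matches the table this step aims for; anything under "extra" is a port published to the PBX that the list above does not call for.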

Step 2. Configuring Firewall and ACLs on a Cisco Router

For an always up-to-date list of the ports that need to be open, check “Firewall & Router Configuration”.

  1. Add the following ACL entries to the existing or new ACL (if the firewall is enabled):
    1. Inbound TCP port 5001 mapped to the PBX internal IP.
    2. Inbound TCP port 5000 mapped to the PBX internal IP.
    3. Inbound TCP port 5060 mapped to the PBX internal IP.
    4. Inbound UDP port 5060 mapped to the PBX internal IP.
    5. Inbound UDP ports 9000 to 9499 mapped to the PBX internal IP.
    6. Inbound TCP port 5090 mapped to the PBX internal IP.
    7. Inbound UDP port 5090 mapped to the PBX internal IP.
  2. To add rules to the Firewall, click on the Firewall and ACL button on the left-hand side menu.
  3. Click on the Edit Firewall Policy / ACL tab.
  4. Tick Originating traffic and, from the Access Rule Window, click on Add to add a new rule.
    1. Set Select Action to Permit.
    2. Description is not mandatory.
    3. Set Source Host/Network Type to Any IP Address.
    4. Set Destination Host/Network Type to A Host Name or IP Address.
    5. Insert the internal IP of the 3CX Phone System in Set Host Name/IP.
    6. Tick UDP or TCP (depending on which port is being configured) from Protocol and Services.
    7. Set Source Port to any.
    8. Set Destination Port to the port number the rule is being applied for.
    9. Click on OK.
  5. In the new rule window, insert the following options:
  6. Repeat Steps 3 and 4 to allow access to every port the 3CX Phone System needs.
  7. When all default ports are configured, the final firewall table should look like the below.
  8. Once ready, click on “File” menu and select “Write to Startup Config” so that next time the Cisco is rebooted, the configuration is not lost.
  9. Exit the configuration.

Validation

Run the 3CX Firewall Checker to validate the setup from the 3CX Phone System Management Console Settings > Firewall Checker. All tested ports must return green / working.
