Why Does 3CX Require Static Port Mappings (Full Cone NAT)?

If you are using a VoIP provider, you will need to have a firewall that supports and is configured to use static port mapping. Static port mapping is required for RTP, the protocol that carries audio, to be able to function correctly.

RTP and Symmetric NAT

VoIP applications that use the RTP protocol to send and receive audio and video streams, tend to have problems behind a firewall or a router since RTP uses random ports to send and receive audio or video streams. Incorrect firewall configuration will cause calls made via a VoIP providers or to remote extensions to have no audio or one way audio only.

When using Symmetric NAT, the firewall/router will change the port on which the audio is received, on the fly. For example, when making an outbound call via a VoIP provider, 3CX Phone system will make a STUN resolution to determine the public IP and port to use. It will then specify this to the other party. Meanwhile, the firewall will close the port specified in the INVITE, causing the call to fail. Obviously there is no way a VoIP call can be established reliably if the firewall does this. This procedure is called Symmetric NAT and must be switched off.

How do I check whether I have my firewall correctly configured?

The best way to check if your firewall configuration is correct and that you are not behind a symmetric NAT is to run the firewall checker. You can run the firewall checker from the 3CX Management Console, under “Settings” > “Firewall Checker”. If the firewall checker fails, or results in warning error 10, then you have Symmetric NAT and calls via a VoIP provider or to an external extension will not be reliable.

What can I do to resolve this problem and create Static port mappings?

The solution for no audio or one way audio when calling a VoIP provider or when receiving a call from a VoIP provider is to use a router or firewall that supports “Full Cone NAT”. In a “Full Cone NAT” (also known as one to one NAT) all ports for the external address are mapped to a specific internal address and same port. An external host can send RTP packets to an internal host by sending the packet to the external address of the firewall or router and mapped port.

Most firewalls can be configured to handle this. It is also referred to as static port. This configuration ensures that a particular port remains open and will not be changed by the firewall. Some very cheap firewalls do not allow this configuration, but most firewalls do. We have provided sample configurations for the following firewalls below. Based on these configurations you should be able to configure your firewall accordingly.

Further reading:

Explanation of different types of NAT and how NAT works:

Another good resource on the problems of symmetric NAT and VOIP phone systems:

Liked this article?

Get notified of new articles
or share
You might also be interested in: