3CX + Fortigate Firewalls

Discussion in '3CX Phone System - General' started by NevisAnthony, Oct 15, 2008.

Thread Status:
Not open for further replies.
  1. NevisAnthony

    Joined:
    Oct 13, 2008
    Messages:
    4
    Likes Received:
    0
    Hi, we are evaluating the 3CX system and are overall very impressed. We have a VOIP provider (EntaNet) who are supplying an external landline number. When I use X-Lite externally to our firewall it rings fine.

    I've configured 3CX on a private IP address behind our Fortigate-60B firewall (in NAT mode) and outgoing calls are working fine, but we can't seem to get any incoming calls to work. The Fortigate seems to have extensive SIP support and I've been through the documentation and tried various things, but it constantly fails the firewall tests and I can't get any incoming calls working. I've tried the recommendations made by posters here, none of which seem to work.

    Has anyone got this working in this configuration?

    Attached a very simple network diagram.
     
  2. NevisAnthony

    Additional:

    1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.45.179.66:60098
    2 9000 Error (10) Port is open, but port number has been changed during NAT translation. THIS ERROR means you have Symmetric NAT and you do not have STATIC PORT MAPPINGS in place. 3CX Phone System will not communicated correctly with your VOIP provider or external extensions. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 84.45.179.66:60098
    3 9001 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.45.179.66:60099
    etc...
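
An added example, not part of the original post and not 3CX's own tooling: it parses the checker lines quoted above and lists the local ports whose public port was rewritten by the NAT, which is the condition error (10) reports. It assumes the first column is a row counter and the second is the local port under test; the sample reuses the lines from the post, with the second one abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample: the three checker lines quoted in the post (line 2 abbreviated).
SAMPLE = """\
1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.45.179.66:60098
2 9000 Error (10) Port is open, but port number has been changed during NAT translation. externalAddress = 84.45.179.66:60098
3 9001 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.45.179.66:60099
etc...
"""

# Assumed layout: <row> <local port> Error (<code>) <message> <key> = <ip>:<port>
LINE = re.compile(
    r"^\s*(?P<row>\d+)\s+(?P<local>\d+)\s+Error\s+\((?P<code>\d+)\).*?"
    r"(?:addrFromSTUN|externalAddress)\s*=\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<mapped>\d+)\s*$"
)

def parse_checker(text):
    """Return one record per recognised error line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append({
                "local_port": int(m["local"]),
                "code": int(m["code"]),
                "public_ip": m["ip"],
                "mapped_port": int(m["mapped"]),
            })
    return records

def rewritten_ports(records):
    """Map each local port to the public ports the NAT substituted for it."""
    out = defaultdict(set)
    for r in records:
        if r["mapped_port"] != r["local_port"]:
            out[r["local_port"]].add(r["mapped_port"])
    return {port: sorted(mapped) for port, mapped in out.items()}

if __name__ == "__main__":
    for local, mapped in rewritten_ports(parse_checker(SAMPLE)).items():
        print(f"local {local} seen outside as {mapped}: port was rewritten by NAT")
```

An empty result means every tested port kept its number through the firewall.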
     
  3. NevisAnthony

    Got this working in the end. The error was the VMware machine had two NICs and I was connecting to the wrong one.

    The Fortigates are SIP aware so you need to do the following:

    1/ Firewall -> Protection Profile -> New Profile -> SIP
    Expand VOIP and check SIP
    2/ Firewall -> Virtual IP -> Create New
    Name : PHONESYSTEM
    Static NAT
    External IP : the external IP of your firewall
    Internal IP : the internal IP of your phone system
    Note you can't have any other VIPs coming in on this external IP address.
    3/ Firewall -> Policy -> Create New
    Source External ALL
    Destination Internal PHONESYSTEM
    Service SIP
    Protection Profile SIP

    That did the trick for me.
     
  4. NevisAnthony

    Fixed:

    http://support.fortinet.com/forum/tm.asp?m=43220&p=1&tmode=1&smode=1
     
  5. michielpeeters

    Joined:
    Nov 17, 2008
    Messages:
    19
    Likes Received:
    5
    We've been having a lot of problems with Fortigate and 3CX.
    The Fortigate is messing with SIP traffic.
    After some research we finally got a solution.

    First, make sure you have the right firewall rules.
    UDP 0-65535 9000 9015
    TCP 0-65535 5060 5060
    UDP 0-65535 5060 5060
    TCP 0-65535 5090 5090

    In the CLI of the Fortigate, type the following:
    config system settings
    set sip-helper disable
    set sip-nat-trace disable
    end

    Reboot the device.
    In the CLI, type the following:
    config system session-helper
    show
    (now look for SIP, mostly it will be "12")
    delete 12
    end

    Don't use any protection profiles on the firewall rules of the SIP rules.

    We solved the "no sound problem, bad sound problem"
    You're done.
     