Cisco Config

Discussion in '3CX Phone System - General' started by paddi, Apr 22, 2016.

Thread Status:
Not open for further replies.
  1. paddi

    Hi All,

    I was looking for some pointers as to where I might be going wrong. I have set up NAT and firewall as per the instructions on the site on our Cisco router, but I still seem to be having problems when running the firewall checker and have no idea where I'm going wrong, as I think I have the config correct.

    I've pasted in some of the results, and port 5060 seems to connect but the others drop?

    Any ideas?

    Testing SIP Port 5060 using STUN server: stun.3cx.com:3478
    Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
    [Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5060
    STUN server stun.3cx.com has second address 198.50.247.219:3479
    [Test2] One on One Port Forwarding ... OK.
    Public IP: 80.194.146.251:5060

    Testing Tunnel Port 5090 using STUN server: stun.3cx.com:3478
    Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
    [Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5090
    STUN server stun.3cx.com has second address 198.50.247.219:3479
    [Test2] One on One Port Forwarding ... FAILED.
    No response received or port mapping is closed. Firewall check failed. This configuration is not supported

    Testing External Audio RTP Port 9000 using STUN server: stun.3cx.com:3478
    Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
    [Test1] Reachability test ... FAILED.
    Internal port number (9000) does not match external port number (9499)

    Testing External Audio RTP Port 9001 using STUN server: stun.3cx.com:3478
    Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
    [Test1] Reachability test ... Resolved Public IP: 80.194.146.250:9001
    STUN server stun.3cx.com has second address 198.50.247.219:3479
    [Test2] One on One Port Forwarding ...
     
  2. leejor

    leejor Well-Known Member

    You haven't included any model numbers of the firewall/routers that you are using, only that it's a Cisco.
     
  3. paddi

    Oops, sorry about that. It's a Cisco 1941 router and firewall. I usually configure it using the Cisco Config Pro; not so good at the command line anymore...

    Has anyone got any guides for config apart from the one on here? I think it's something simple that I have forgotten to do...

    paddi
     
  4. leejor

    leejor Well-Known Member

    Unfortunately I haven't used that particular model, but someone else on the forum may have, and can perhaps provide some assistance. In the meantime...you seem to have the port forwarding working for port 5060, a good first step. Compare what settings you have that allowed that, to the settings you have for the other ports that don't work. In theory, it should just be a matter of duplicating the port 5060 settings for the other ports.
    There may be additional features that need to be "adjusted" later, but...
     
  5. paddi

    Can't seem to see anything different for port 5060. It's in the same batch of entries for NAT and is actually listed after some of the other ports in there, so I'm unsure as to why...

    I'm digging through some of the other rules to see if it was included in a wildcard but can't seem to see it. Hopefully someone will come back to me with some more suggestions.

    Thanks again for the help
    paddi
     
  6. lneblett

    lneblett Well-Known Member

    You can check:

    1. SIP ALG or SIP Helpers are disabled.
    2. Only 1 NIC in use on the host machine.
    3. Desired ports are not in use by other applications.
    4. Windows firewall or other 3rd party firewall residing on host machine is off or configured to allow needed ports.
    5. Double check NAT rules to ensure correct ports and types (UDP or TCP or both) for both inbound and outbound are allowed.
     
  7. paddi

    I have built a VM for the 3CX server, with nothing else installed at all (no AV yet). I have disabled the firewall on the Windows machine (2012 R2).

    I do think it's the NAT rules on the router that are giving me problems. I think I will delete what I have changed on the router and go back to starting again. I only configured the router according to the instructions from the 3CX site, so I may have missed something out... I think I need a static NAT from the external IP I'm using to the 3CX server, and then do all the other port forwards.

    paddi
     
  8. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Hello paddi,

    Going back to the Firewall Checker, I think that it is indeed something on the NAT rules. Could it be that when adding the port range for the RTP ports (9000-9499) you have mapped:
    9000 -> 9499
    9001 -> 9498
    ...

    or something along those lines?
    It seems that you might be doing some sort of port-translation on the port forwarding rules.

    As a note, in the many times I have seen the Firewall Checker run and show errors, not once do I remember it being wrong...

    If you care to know how the Firewall Checker works and why it is usually accurate, there is a document outlining this:
    http://www.3cx.com/blog/docs/firewall-voip-rules-check/
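
An added example, not part of any post in this thread and not 3CX's own tooling: a small Python parser for Firewall Checker output in the format pasted in the first post. It flags the NAT symptoms discussed above (an external port that differs from the internal one, a failed one-on-one port forwarding test, and a public IP that differs between ports). The sample lines are abridged from that post; the function names are hypothetical.

```python
import re
# Sample input: Firewall Checker lines abridged from the first post in this thread.
SAMPLE = """\
Testing SIP Port 5060 using STUN server: stun.3cx.com:3478
[Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5060
[Test2] One on One Port Forwarding ... OK.
Testing Tunnel Port 5090 using STUN server: stun.3cx.com:3478
[Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5090
[Test2] One on One Port Forwarding ... FAILED.
Testing External Audio RTP Port 9000 using STUN server: stun.3cx.com:3478
[Test1] Reachability test ... FAILED.
Internal port number (9000) does not match external port number (9499)
Testing External Audio RTP Port 9001 using STUN server: stun.3cx.com:3478
[Test1] Reachability test ... Resolved Public IP: 80.194.146.250:9001
"""

TESTING = re.compile(r"Testing (.+?) Port (\d+) using STUN")
RESOLVED = re.compile(r"Resolved Public IP: ([\d.]+):(\d+)")
MISMATCH = re.compile(r"Internal port number \((\d+)\) does not match external port number \((\d+)\)")
TEST2 = re.compile(r"\[Test2\].*\.\.\.\s*(OK|FAILED)\.")

def parse(text):
    """Return one dict per tested port: name, port, public_ip, external_port, test2."""
    results, cur = [], {}  # cur starts as a throwaway dict until the first "Testing" line
    for line in text.splitlines():
        if m := TESTING.search(line):
            cur = {"name": m[1], "port": int(m[2]), "public_ip": None,
                   "external_port": None, "test2": None}
            results.append(cur)
        elif m := RESOLVED.search(line):
            cur["public_ip"], cur["external_port"] = m[1], int(m[2])
        elif m := MISMATCH.search(line):
            cur["external_port"] = int(m[2])  # the router rewrote the source port
        elif m := TEST2.search(line):
            cur["test2"] = m[1]
    return results

def findings(results):
    """List the NAT symptoms visible in the parsed output."""
    out = []
    ips = {r["public_ip"] for r in results if r["public_ip"]}
    for r in results:
        if r["external_port"] not in (None, r["port"]):
            out.append(f"{r['port']}: external port {r['external_port']} differs from internal port")
        if r["test2"] == "FAILED":
            out.append(f"{r['port']}: one-on-one port forwarding test failed")
    if len(ips) > 1:  # ports leaving via different public addresses
        out.append("public IP differs between ports: " + ", ".join(sorted(ips)))
    return out
```

Calling `findings(parse(SAMPLE))` on the abridged output reports the failed test on 5090, the 9000 to 9499 translation, and that port 9001 resolved to a different public address than 5060 and 5090.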
     