• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

Cisco Config

Status
Not open for further replies.

paddi

Customer
Joined
Apr 22, 2016
Messages
4
Reaction score
0
Hi All,

was looking for some pointers as to where i might be going wrong , i have set up NAT and firewall as per the instructions on the site on our cisco router but im still seem to be having problems when running the firewall checker and have no idea where im going wrong , as i have think i have the config correct

i've pasted in some of the results and port 5060 seems to connect but the other drop ???

any ideas ?

Testing SIP Port 5060 using STUN server: stun.3cx.com:3478
Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
[Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5060
STUN server stun.3cx.com has second address 198.50.247.219:3479
[Test2] One on One Port Forwarding ... OK.
Public IP: 80.194.146.251:5060

Testing Tunnel Port 5090 using STUN server: stun.3cx.com:3478
Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
[Test1] Reachability test ... Resolved Public IP: 80.194.146.251:5090
STUN server stun.3cx.com has second address 198.50.247.219:3479
[Test2] One on One Port Forwarding ... FAILED.
No response received or port mapping is closed. Firewall check failed. This configuration is not supported

Testing External Audio RTP Port 9000 using STUN server: stun.3cx.com:3478
Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
[Test1] Reachability test ... FAILED.
Internal port number (9000) does not match external port number (9499)

Testing External Audio RTP Port 9001 using STUN server: stun.3cx.com:3478
Resolving STUN server stun.3cx.com ... Resolved to: [198.50.247.220]
[Test1] Reachability test ... Resolved Public IP: 80.194.146.250:9001
STUN server stun.3cx.com has second address 198.50.247.219:3479
[Test2] One on One Port Forwarding ...
 
You haven't included any model numbers of the firewall/routers that you are using, only that it's a Cisco.
 
oops sorry about that it's a cisco 1941 router and firewall , i usually configure it using the Cisco config pro , not so good at the command line anymore ...

anyone got any guides for config apart from the one on here , i think its something simple that i have fogotten to do ...

paddi
 
Unfortunately I haven't used that particular model, but someone else on the forum may have, and can perhaps provide some assistance. In the meantime...you seem to have the port forwarding working for port 5060, a good first step. Compare what settings you have that allowed that, to the settings you have for the other ports that don't work. In theory, it should just be a matter of duplicating the port 5060 settings for the other ports.
There may be additional features that need to be "adjusted" later, but...
 
Can't seem to see anything different for port 5060 ? it's in the same bact of entries for NAT is actuall listed after some of the other ports in there , so unsure as to why ..

i'm digging through some of the other rules to see if it was included in a wild card but cant seem to see it ..hopefully someone will come back to me with some more suggestions ..

thanks again for the help
paddi
 
You can check:

1. SIP ALG or SIP Helpers are disabled.
2. Only 1 NIC in use on the host machine.
3.Desired ports are not in use by other applications
4. Windows firewall or other 3rd party firewall residing on host machine is off or configured to allow needed ports
5. Double check NAT rules to insure correct ports and types (UDP or TCP or Both) for both inbound and outbound are allowed
 
i have built a VM for the 3CX server , with nothing else installed at all (no AV yet), i have disabled the firewall on the windows machine (2012r2)

i do think its the NAt rules on the Roter that are giving me problems , i think i will delete what i have changed on the router and go back to starting again, i only configured the router acordin to the instructions from the 3cx site , so i may have missed something out... i think i need a Static NAT from the external IP im using to the 3CX server, and then do all the other port forwards,

paddi
 
Hello paddi,

Going back to the Firewall Checker, I think that it is indeed something on the NAT rules. Could it be that when adding the port range for the RTP ports (9000-9499) you have mapped:
9000 -> 9499
9001 -> 9498
...

or something along those lines?
It seems that you might be doing some sort of port-translation on the port forwarding rules.

As a note, in the many times I have seen the Firewall Checker run and show errors, not once do I remember it being wrong...

If you care to know how the Firewall Checker works and why it is usually accurate, there is a document outlining this:
http://www.3cx.com/blog/docs/firewall-voip-rules-check/
 
Status
Not open for further replies.
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.