Hello guys, I don't know the official config, but I have always had more success disabling the SIP ALG on NetScreens.
I don't think my current config is ideal, but it seems to work. I still have a decent delay on SIP trunk calls, but I have to rule out my provider first.
I need to sit down and get a policy-based NAT working, but until I have time to figure it out, I just went through these steps.
1. Enabled multi-port VIPs from the command shell:
set vip multi-port
and then:
save
2. Created a custom service with these entries:
TCP src port: 0-65535, dst port: 5060-5060
UDP src port: 0-65535, dst port: 5060-5060
UDP src port: 0-65535, dst port: 9000-9030 - more on this one later.
3. Created a VIP on the untrust interface with my custom service pointing to my 3CX server.
4. Created a policy from Untrust to Trust for that VIP.
Now, this is why the solution is not great: when you use a VIP with multiple ports, it counts against the total number of VIPs available to you. I had to settle on using 30 and limiting my range. The last line in the custom rule should say UDP src port: 0-65535, dst port: 9000-9049.
However, I could not use that many VIPs. I found the range of 9000 to 9030 to be a good compromise.
You can limit the RTP ports in the advanced settings in 3CX.
I do want to work on a solution using NAT within a policy and get rid of the VIP altogether.
Hope this helps.
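For readers who want the four steps above as actual ScreenOS CLI, here is an added example; it is not the poster's configuration and was not part of the original post. The interface name (ethernet0/0), the 3CX server address (192.168.10.20), the provider address (203.0.113.5), the zone and object names, and the SIP ALG command are all assumptions; the syntax is written from memory of ScreenOS 6.x, so check it against your release before applying it.

```text
# Added example (not from the post): ScreenOS CLI form of the steps above.
# Assumed values: untrust interface ethernet0/0, 3CX server 192.168.10.20,
# SIP trunk provider 203.0.113.5. Syntax from memory of ScreenOS 6.x.

# Step 1: allow a VIP to carry a multi-port service, then save
set vip multi-port
save

# Step 2: custom service with the three entries listed in the post
set service "3CX-SIP" protocol tcp src-port 0-65535 dst-port 5060-5060
set service "3CX-SIP" + udp src-port 0-65535 dst-port 5060-5060
set service "3CX-SIP" + udp src-port 0-65535 dst-port 9000-9030

# Step 3: VIP on the untrust interface, using that interface's own address,
# forwarding the custom service to the 3CX server
set interface ethernet0/0 vip interface-ip 5060 "3CX-SIP" 192.168.10.20

# Optional tightening: an address-book entry for the trunk provider so the
# policy does not admit SIP from every Internet source (the post used the
# VIP with an unspecified source; "Any" would reproduce that exactly)
set address "Untrust" "SIP-Provider" 203.0.113.5 255.255.255.255

# Step 4: policy from Untrust to Trust for the VIP, logged so the session
# table and traffic log can be checked when calls misbehave
set policy from "Untrust" to "Trust" "SIP-Provider" "VIP(ethernet0/0)" "3CX-SIP" permit log

# Disabling the SIP ALG, as the post recommends (ScreenOS 6.x form; assumed)
unset alg sip enable
save
```

The UDP 9000-9030 entry has to match the RTP port range configured in 3CX, as the post notes; if the two ranges differ, audio will fail one way while signalling on 5060 still works. Narrowing the policy source to the provider's address is the main defensive change over an "Any" source: the VIP still exposes 5060 to the provider, but not to every scanner on the Internet.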