
firewall checker inconsistency

Discussion in '3CX Phone System - General' started by Doug Dafforn, Jan 22, 2018.

Thread Status:
Not open for further replies.
  1. Doug Dafforn

    Joined:
    Jan 15, 2018
    Messages:
    2
    Likes Received:
    0
    I'm on the periphery of a 3CX install that isn't going well. I'm really only responsible for the firewall piece and there are bigger issues than what I'm seeing with the firewall checker results, but I wanted to make sure my component in this isn't a problem going forward. I have run the firewall checker against two firewalls with similar results, one a SonicWall TZ 300 and the other a WatchGuard T30. Both were configured per their respective instructions from the 3CX site.

    Sometimes, the tests will actually pass without issues (on both firewalls), but more often than not, 1 or more UDP ports (9000-9500 range) will get remapped. The message will be 'Mapping does not match 9126. Mapping is 9127'.

    On the SonicWall side I have ensured the source port remap setting is disabled on the NAT policies.

    Anyone seen anything like this? Thanks.
     
  2. JCLloyd

    JCLloyd New Member

    Joined:
    Oct 5, 2017
    Messages:
    113
    Likes Received:
    20
    This sounds like the "SIP ALG" issue that remaps ports. 3CX can't handle changing the port numbers like that. A call binds to a port for the duration.

    Did you try this?...
    -
    SonicWALL - Disable "Source Port Remapping" in 'NAT Method'
    https://www.3cx.com/docs/sonicwall-firewall-configuration/
    -
    WatchGuard - Not familiar with this one.
    ... Doesn't appear WatchGuard does automatic port remapping. Maybe, when you set the internal IP?
    https://www.3cx.com/docs/watchguard-xtm-firewall/

    https://www.3cx.com/docs/manual/firewall-router-configuration/

    I had the same issue with a Cisco SOHO and had to turn off port remapping, which is called "ALG" in that model.
     
  3. Doug Dafforn

    Joined:
    Jan 15, 2018
    Messages:
    2
    Likes Received:
    0
    JCLloyd, thanks for the response. The SonicWall doc you linked is the one that I used to perform the configuration, so yes, I have disabled that source port remapping setting for the relevant NAT policy.

    What confuses me is why I would ever see a successful firewall check test result if the firewall was in fact configured incorrectly. I'm compelled to look elsewhere for the problem, like maybe a setting of some sort on the NIC of the server that is causing a subtle and random issue.
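
The port-preservation symptom discussed in this thread can be checked independently of the 3CX tool. The following is an added example, not part of the thread and not 3CX's code: it assumes a STUN-style test (RFC 5389), sends nothing over the network, and uses a constructed server reply with a documentation IP address. The function names are hypothetical, and the mismatch wording only mirrors the message quoted in the first post.

```python
import os
import socket
import struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)

def binding_request(txid=None):
    """Build a STUN Binding Request (header only) and return (packet, txid)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", 0x0001, 0, MAGIC, txid), txid

def mapped_address(resp, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS of a Binding Success Response."""
    if len(resp) < 20:
        raise ValueError("truncated STUN header")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", resp[:20])
    # Reject anything that is not the answer to our own request.
    if mtype != 0x0101 or cookie != MAGIC or rtxid != txid:
        raise ValueError("not a matching Binding Success Response")
    body, off = resp[20:20 + mlen], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if atype == 0x0020 and len(val) >= 8 and val[1] == 0x01:  # IPv4
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC >> 16)
            ip = struct.unpack("!I", val[4:8])[0] ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        off += 4 + alen + (-alen % 4)  # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def check_mapping(local_port, resp, txid):
    """Compare the port we sent from with the port the outside saw."""
    ip, port = mapped_address(resp, txid)
    if port == local_port:
        return f"Port {local_port} preserved (seen as {ip}:{port})"
    return f"Mapping does not match {local_port}. Mapping is {port}"

def constructed_response(txid, ip, port):
    """Constructed sample reply, standing in for a real STUN server."""
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 0x01, port ^ (MAGIC >> 16), xip)
    return struct.pack("!HHI12s", 0x0101, len(attr), MAGIC, txid) + attr

if __name__ == "__main__":
    _, txid = binding_request()
    for seen in (9126, 9127):  # constructed: preserved, then remapped by the NAT
        print(check_mapping(9126, constructed_response(txid, "203.0.113.10", seen), txid))
```

For a live test, bind a UDP socket to the local port under test, send the packet from `binding_request()` to a STUN server you operate, and pass the reply to `check_mapping()`.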
     