Solved Firewall: SIP ALG / Mismatched port mapping

Discussion in '3CX Phone System - General' started by SVanBC, Dec 14, 2017.

Thread Status:
Not open for further replies.
  1. SVanBC

    Hi,

    I'm new to the 3CX Phone System but for one of our clients, I'm setting up the VoIP environment but for some reason, the firewall test keeps failing.

    Network overview:
    - Client has a Dynamic IP
    - B-Box3 modem (Belgium) with limited access (LAN: 192.168.X.X)
    - Meraki MX65 Firewall (behind the modem, this is where the PBX is connected, LAN: 10.X.X.X)
    - Meraki MX65 Firewall is configured as DMZ on the modem

    1) I started off installing the latest version
    2) Opening the ports on the client's B-Box
    3) Put the MX65 as DMZ
    4) Opened the ports on the MX65 security appliance

    And ran the firewall test

    As you can see, all of these firewall tests fail. I checked the solutions page but can't get it to work.

    What I noticed is that when the firewall test on the 3CX server ran, there are automatically generated ports on the modem. These appear to be caused by the ALG function on the modem. As these BBox3 modems are very limited for end users, there is no possibility to disable the ALG.

    My last option was to change the port the 3CX listens on, but this option appears to be greyed out in V15.

    Any solutions?

    Thanks in advance

    Sven
     
  2. viraltechnology

    I hate to state an obvious question but does the ISP have any ability to disable SIP ALG? Maybe look at the possibility of hosting 3CX off-site and connecting via SBC or VPN?
     
  3. SVanBC

    Too bad they don't. As end users we only get basic privileges. We need to upgrade in order to be able to disable the ALG. Gonna take the VPN option into account.
     
  4. viraltechnology

    We host almost all of our installs off-site. I like that we do not have to open ports in the firewall. Using the SBC allows us to encrypt data from the SBC to the 3CX server and for the most part it eliminates issues with NAT, SIP ALG, etc.
     
  5. complex1

    complex1 Active Member

    @SVanBC

    Please also forward port 5060 TCP in the router and test again.
     
  6. SVanBC

    Thanks for the replies.
    Issue is resolved, ALG was the issue.
    Solution? Contacted ISP for PPPoE details and configured on the Meraki firewall to bypass SIP ALG on the modem.
    Case closed ;)
     
  7. viraltechnology

    Glad they worked with you to get that disabled!!
     
  8. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Glad the issue has been resolved and thank you for posting your solution
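
Added example, not part of the thread and not 3CX's firewall checker: one way to confirm that an in-path SIP ALG is rewriting signalling is to compare a SIP message as the PBX sent it with the copy captured at the far end, since plain NAT changes only the IP/UDP header and leaves the payload alone. The trimmed INVITE, all addresses and the function names are constructed for illustration, and the check assumes no SIP proxy or SBC sits between the two capture points.

```python
import re

# Address-bearing SIP/SDP fields that a NAT ALG may rewrite in transit.
FIELDS = {
    "Via sent-by": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;>\s]+)", re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "SDP m=audio port": re.compile(r"^m=audio (\d+)", re.M),
}

def build_invite(via, contact, sdp_ip, rtp_port):
    """Constructed, trimmed sample INVITE; every value here is illustrative."""
    lines = [
        "INVITE sip:check@198.51.100.7 SIP/2.0",
        f"Via: SIP/2.0/UDP {via};branch=z9hG4bKconstructed",
        "From: <sip:100@example.invalid>;tag=1",
        "To: <sip:check@198.51.100.7>",
        "Call-ID: constructed-1",
        "CSeq: 1 INVITE",
        f"Contact: <sip:100@{contact}>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"c=IN IP4 {sdp_ip}",
        f"m=audio {rtp_port} RTP/AVP 0",
    ]
    return "\r\n".join(lines) + "\r\n"

def extract(msg):
    """Pull the topmost Via sent-by, Contact host:port and SDP media address."""
    msg = msg.replace("\r\n", "\n")
    found = {}
    for name, rx in FIELDS.items():
        m = rx.search(msg)
        found[name] = m.group(1) if m else None
    return found

def alg_rewrites(sent, received):
    """Return {field: (sent_value, received_value)} for fields changed in transit."""
    a, b = extract(sent), extract(received)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

# As sent by the PBX (private LAN address) vs. as captured at the far end.
SENT = build_invite("10.0.0.10:5060", "10.0.0.10:5060", "10.0.0.10", 9000)
RECEIVED = build_invite("203.0.113.5:1024", "203.0.113.5:1024", "203.0.113.5", 9000)

if __name__ == "__main__":
    for field, (before, after) in alg_rewrites(SENT, RECEIVED).items():
        print(f"{field}: {before} -> {after}")
```

An empty result means the payload arrived untouched; any entry means something on the path edited the SIP or SDP body, which is the behaviour attributed to the modem's ALG above.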
     