3cx behind UTM

Hello everyone,

Has anyone successfully got a 3cx running behind a UTM? I'm going crazy over this.
I created an Additional Address object with a free public IP from our public subnet. In addition, I created address objects for the internal and external IP of my 3cx. VOIP is off on the UTM.
Via masquerading I give the 3cx, for outgoing traffic, the WAN IP that is also used for incoming traffic. For incoming traffic I have passed the ports in via DNAT.
Nevertheless, I keep getting the error (testing port 5060... full cone test failed).



This thread was automatically locked due to age.
  • Hi geordi,

    you have created an SNAT rule as well?

    if you have you may well want to provide more information, as you have a picture telling us what failed, but no explanation of what this failure is ..?

    please provide more information geordi.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi,

    SIP is working, but no RTP. I can call internally but without audio. The picture was showing the firewall check result from the 3cx. Looking at the firewall and IPS logs from the Sophos is not showing any drop during the test.

    I tried it with SNAT, but I am not sure if this was correct. So I deleted the SNAT.

    Here are some pictures showing the actual config regarding masquerade and DNAT. I also have a firewall rule allowing the services to the 3cx, disabled VOIP and created an IPS exception.

    I can connect to the 3cx with the client, internal and external.



    What would a correct SNAT be in this case?

  • Hi geordi,

    a couple of questions;

    1. from the tests in your original question (that are performed from an internet location) these show you are unable to get to port 5060...

    2. is 3cx_WAN the same Public IP as SDSL 10Mbit?

    3. SNAT would be configured as if the traffic were coming from the 3cx server (a good way to test if that is possible is to find the Public IP Address that it thinks it is 'Masquerading' as).

    this means you would change the 'Source Network Address Translation' (S.N.A.T.) address

    e.g. if the 3cx server is 192.168.1.100 an SNAT rule would change this address to a Public IP Address (as Private IP Addresses are either ignored or dropped).

    SNAT/DNAT have issues if there is a previous rule which encompasses the 3cx server - the 3cx server will use that rule as it comes before the rules you have created - Rule Order is very important.

    I hope this helps, SNAT is always a mind-bender

    also I looked at the following 2 pages from 3cx;

    https://www.3cx.com/docs/manual/firewall-router-configuration/

    https://www.3cx.com/docs/troubleshooting-firewall-checker/

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hello Geordi,

    What do you learn from doing #1 in Rulz (last updated 2019-04-17)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA