3CX PBX behind a PAN-500

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

3CX PBX behind a PAN-500

L1 Bithead

After about a week of trial and error, the Palo Alto Network engineers have told me that my PAN-500 does not support the 3CX phone system. I am told that a future feature request will resolve flow based NAT issue I am having with STUN traffic. Unfortunately, I have already bought the server and all new IP phones and the changeover is 2 weeks away.

 

After searching several technical sites for answer, including PAN and 3CX community sites, I can see references to other issues with IP phones, 3CX and PAN, so it seems like this setup is working somewhere. Does anyone have 3CX working behind a PAN firewall? Would you be willing to share rules / setup? Even if your setup is a work around, I might be able to limp along while Palo Alto works on feature request 3214, which is supposed to fix the problem.

 

Thanks, Jim

 

13 REPLIES 13

L1 Bithead

Yes, we have one site with a PA200 running 3CX without any issues, PM me to discuss your current config and i can share our ruleset and config.

Great! Thanks Alex. I will PM as soon as I determine how to do that. I can't find instructions on private messages here. I found the "powered by Lithium" tag and searched for the instructions over there. I have a support request into the PAN community which may be answered tomorrow.

 

Jim

Alex - the support team told me that the private messaging feature is not enabled in PAN Live Community.  Are you on Spiceworks? If so, private messaging works there - I am jim9817.

Hi Alex

 

I'm in the same situation: in our office we have a PaloAlto 220 and we have the same issues with 3CX ... we tried all ideas we have but no positive results: ports are fowarded randomly... Then we have seen your post:  can you help me? Can you send me your working configuration?

Thank you very much in advance and have a great day.

Maurizio

L1 Bithead

Has anyone come up with a solution for this?  I have a PA-3020 and I am having trouble trying to get our 3CX phone system to pass the firewall check.  It keeps failing when testing the ports 5060 and 5090.

L1 Bithead

We found the problem. After confirming with AT&T (twice!) that they had no ports blocked, we set up a wireshark monitor on the 3CX server. It turned out that AT&T was blocking port 5060. "Well, all ports are open except UDP 5060" said AT&T. I had to write a letter on our corporate letterhead requesting that AT&T open port 5060 on its managed router to allow SIP traffic to and from the internet. Once that port was opened, we passed the 3CX firewall test and have been up and running on 3CX since the January. 

 

Our two final rule changes:

path: vsys vsys1 rulebase application-override rules SIP-Override
detail: <change><before><![CDATA[SIP-Override { destination [ any ]; port 5060; } ]]></before><after><![CDATA[SIP-Override { destination [ STUN-US1 STUN-US2 STUN2 STUN3 ]; port 5060-5090; } ]]></after></change>

 

path: vsys vsys1 service 3CX5060TCP
detail: <change><before><![CDATA[]]></before><after><![CDATA[3CX5060TCP { protocol { tcp { source-port 5060; port 5060; override { no ; } } } description "3CX port 5060 TCP"; } ]]></after></change>

Thanks.  I'll run a Wireshark on my server and see if it's doing the same thing.

L1 Bithead

Ok, so I took my 3CX server off of AT&T and put it on our Comcast connection.  I still got the same problems.  I'm pretty sure Comcast is not blocking 5060.  I finally figured out the PAN3020 randomized the ports going outbound, so I created a policy to preserve the port, and I finally got the 5060 to work, but then I kept getting "Full Cone NAT" errors.  I tried a thousand different NAT policy configurations, ran Wireshark until the end of time, and Googled every problem I came across to death, and I cannot get this to work on the Palo Alto 3020 no matter what I try.

 

I've read in some Google search results where people are using the same firewall I am using and have gotten it to work, but they did not provide their NAT policies to show how they got it to work.

 

Also, I discovered that if I run the Firewall Check too many times the "detecting SIP ALG" will fail.  Even after I restore my firewall back to the settings before any 3CX policies the SIP ALG detection fails every time, even though I have ALG disabled.  I literally have to reinstall the 3CX server software to get it to successful detect that I have ALG disabled.

 

I really want to get this to work, but I have exhausted just about everything I can possibly think of.  It would have been awesome if 3CX would've included the Palo Alto in their "Step by Step Instructions for Popular Firewalls" guide.

 

We paid an ENORMOUS amount of money for this Palo Alto 3020.  It is like the Mercedes Benz of firewalls.  You would think there would be an easy way to configure this firewall to allow for VoIP configurations.

Hi @ForrestDean 

I am proving your same issue, we have a Palo Alto 220 and I would like your opinion about the Nat and Security rules to do the 3cx works. What have you done specifically? 

The situation is that the outbound call works but the voice is unidirectional instead the inbound calls don't have the tone.

 

Thank you 

Hi to All,

 

Has some found a solution for this ? 

I managed to make my 3cx receive and dial calls with success but cannot make the mobile app work.

3CX firewall always gives fail for the full cone nat.

Thanks in advance

L0 Member

Did you get this to work? I have a PA-820 and have not been able to get it to work...

L1 Bithead

I know this is super old thread but I'd like to see what you guys did if you don't mind.

I'm planning to switch over to 3CX as well and currently having issues when testing the firewall on 3CX. I have opened all the necessary ports shown here.

How to configure your Firewall Router in 3CX Phone System

 

I'm using PAN-3020.

 

Thanks guys!

 

 

Are you able to get it working with 3CX?

I have the same PAN-3020 and am about to deploy 3CX on-prem.

Did you have on-prem 3CX or Cloud hosted?

 

Care to share what you had configured on yours?

 

I was able to get the Firewall Check to pass after adding two ports, UDP 5060 and 3478 outbound.

If I don't do that, the check will fail.

 

I saw those two ports are being denied so I added it the policy.

The weird thing is 3CX manual does not mention those two ports for outbound traffic. 

I'm not sure if this is PA or 3CX issue for using a totally different ports.

 

Appreciate the help!!

 

 

  • 12464 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!