3CX PBX behind a PAN-500

L1 Bithead

3CX PBX behind a PAN-500

After about a week of trial and error, the Palo Alto Networks engineers have told me that my PAN-500 does not support the 3CX phone system. I am told that a future feature request will resolve the flow-based NAT issue I am having with STUN traffic. Unfortunately, I have already bought the server and all new IP phones, and the changeover is 2 weeks away.

After searching several technical sites for an answer, including the PAN and 3CX community sites, I can see references to other issues with IP phones, 3CX and PAN, so it seems like this setup is working somewhere. Does anyone have 3CX working behind a PAN firewall? Would you be willing to share rules / setup? Even if your setup is a workaround, I might be able to limp along while Palo Alto works on feature request 3214, which is supposed to fix the problem.

 

Thanks, Jim

 

L2 Linker

Re: 3CX PBX behind a PAN-500

Yes, we have one site with a PA200 running 3CX without any issues. PM me to discuss your current config and I can share our ruleset and config.

L1 Bithead

Re: 3CX PBX behind a PAN-500

Great! Thanks Alex. I will PM as soon as I determine how to do that. I can't find instructions on private messages here. I found the "powered by Lithium" tag and searched for the instructions over there. I have a support request into the PAN community which may be answered tomorrow.

 

Jim

L1 Bithead

Re: 3CX PBX behind a PAN-500

Alex - the support team told me that the private messaging feature is not enabled in PAN Live Community.  Are you on Spiceworks? If so, private messaging works there - I am jim9817.

L0 Member

Re: 3CX PBX behind a PAN-500

Hi Alex

 

I'm in the same situation: in our office we have a PaloAlto 220 and we have the same issues with 3CX. We tried all the ideas we have, but with no positive results: ports are forwarded randomly. Then we saw your post: can you help me? Can you send me your working configuration?

Thank you very much in advance and have a great day.

Maurizio

L1 Bithead

Re: 3CX PBX behind a PAN-500

Has anyone come up with a solution for this?  I have a PA-3020 and I am having trouble trying to get our 3CX phone system to pass the firewall check.  It keeps failing when testing the ports 5060 and 5090.

L1 Bithead

Re: 3CX PBX behind a PAN-500

We found the problem. After confirming with AT&T (twice!) that they had no ports blocked, we set up a Wireshark monitor on the 3CX server. It turned out that AT&T was blocking port 5060. "Well, all ports are open except UDP 5060," said AT&T. I had to write a letter on our corporate letterhead requesting that AT&T open port 5060 on its managed router to allow SIP traffic to and from the internet. Once that port was opened, we passed the 3CX firewall test and have been up and running on 3CX since January.

 

Our two final rule changes:

path: vsys vsys1 rulebase application-override rules SIP-Override
detail: <change><before><![CDATA[SIP-Override { destination [ any ]; port 5060; } ]]></before><after><![CDATA[SIP-Override { destination [ STUN-US1 STUN-US2 STUN2 STUN3 ]; port 5060-5090; } ]]></after></change>

 

path: vsys vsys1 service 3CX5060TCP
detail: <change><before><![CDATA[]]></before><after><![CDATA[3CX5060TCP { protocol { tcp { source-port 5060; port 5060; override { no ; } } } description "3CX port 5060 TCP"; } ]]></after></change>

L1 Bithead

Re: 3CX PBX behind a PAN-500

Thanks.  I'll run a Wireshark on my server and see if it's doing the same thing.

L1 Bithead

Re: 3CX PBX behind a PAN-500

Ok, so I took my 3CX server off of AT&T and put it on our Comcast connection.  I still got the same problems.  I'm pretty sure Comcast is not blocking 5060.  I finally figured out the PAN3020 randomized the ports going outbound, so I created a policy to preserve the port, and I finally got the 5060 to work, but then I kept getting "Full Cone NAT" errors.  I tried a thousand different NAT policy configurations, ran Wireshark until the end of time, and Googled every problem I came across to death, and I cannot get this to work on the Palo Alto 3020 no matter what I try.

 

I've read in some Google search results where people are using the same firewall I am using and have gotten it to work, but they did not provide their NAT policies to show how they got it to work.

 

Also, I discovered that if I run the Firewall Check too many times, the "detecting SIP ALG" test will fail. Even after I restore my firewall back to the settings before any 3CX policies, the SIP ALG detection fails every time, even though I have ALG disabled. I literally have to reinstall the 3CX server software to get it to successfully detect that I have ALG disabled.

 

I really want to get this to work, but I have exhausted just about everything I can possibly think of.  It would have been awesome if 3CX would've included the Palo Alto in their "Step by Step Instructions for Popular Firewalls" guide.

 

We paid an ENORMOUS amount of money for this Palo Alto 3020.  It is like the Mercedes Benz of firewalls.  You would think there would be an easy way to configure this firewall to allow for VoIP configurations.

L0 Member

Re: 3CX PBX behind a PAN-500

Hi @ForrestDean 

I am experiencing the same issue. We have a Palo Alto 220, and I would like your opinion about the NAT and Security rules needed to make 3CX work. What have you done specifically?

The situation is that outbound calls work but the voice is unidirectional, whereas inbound calls don't have the tone.

 

Thank you 
