We are facing difficulties with a plain in-to-out and out-to-in NAT which is configured as described below:
- Private to public
- Public to private for ports 5060 and 9000-9049 UDP with the PBX address as destination.
For some reason SIP signaling works fine, but the incoming RTP stream doesn't come through.
The firewall was tested even with allow any-any on both destinations but even then there is no solution.
Is this a known issue, or are we facing a serious operator error?
I'm having a similar problem. I assume you are working on a 3CX system judging from the ports. What's interesting is that with CallCentric, things work fine but with Nexvortex, it doesn't and I end up with a disconnected call. Hopefully someone will shed some insight into this.
Sorry for the late response. We are indeed using a 3CX PBX solution for our own purposes, as well as for our customers.
Up until now we were able to use another public IP which we configured directly on the PBX so without the PA2050 in the path to the internet. This works fine of course, but now we have to build a similar configuration for a customer as PoC.
Again we are testing and configuring, but without any result. Still we face one way audio.
I tried to configure application override for SIP, but I could not find a config guide yet, so I can't check if I configured it the right way. Either way, it doesn't work.
Would be a lot easier if Palo Alto would just make an option to enable or disable SIP ALG somewhere...!!
Any suggestion is welcome!
We are running 4.1.2 (with content version 270.1140) but have seen similar results with all other releases we had (4.0.5 and up).
Currently we are examining traces and noticed that the PA translates the source port in the STUN traffic coming from the PBX.
SRC PORT: 5060
DST PORT: 3478
SRC PORT: 30412
DST PORT: 3478
Why does the PA translate the source port? Possibly because port 5060 is below 10.000 and thus is registered for destination ports?
From this point we strongly believe that this is where the PBX loses it. As we are now facing this configuration also on customer sites we are eager to solve this matter.
Com1 Communication Solutions BV
Message was edited by: branders (added content version)
Problem solved with a workaround!
We used static source and destination translation which makes it work. NOT the way this should be done, but at least our PBX is happy now.
Has been running for several weeks without any issue...
Would you mind sharing your NAT/Policy rules to make 3CX work?
I have the same problem and it's driving me nuts - even with bi-directional NAT it's not working.
Thanks in advance
At the moment - this *seems* to be working for us:
3CX v.10 w. SP6, default ports and STUN resolving. We're using the "PBX delivers audio" option.
PA-2020 w. software v. 4.1.6, Application version 310-1401, Threat version 310-1401, Antivirus version 760-1045
Incoming NAT rules:
Public ip on selected ports (port service) send to 3CX server
Outgoing NAT rules:
Internal IP to Public IP, Translated IP = Static IP, Bi-directional=no
Allow STUN & RTP to outside from 3CX server
Allow selected ports from outside to 3cx server
Allow selected ports from 3cx server to outside
Allow SIP from phones to 3cx
(I'm not entirely sure if you need to allow rtp or selected ports from phones to 3cx server - at the moment it doesn't appear to be needed)
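
The port behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of source NAT with and without port translation, checked against the inbound rule for UDP 5060 and 9000-9049. The function names, the starting dynamic port (taken from the trace quoted above) and the assumption that the PBX advertises whatever public port STUN reports are assumptions of this example, not 3CX or PAN-OS behaviour confirmed by the thread.

```python
from itertools import count

# Inbound NAT rule from the thread: UDP 5060 and 9000-9049 go to the PBX.
FORWARDED = {5060} | set(range(9000, 9050))


def make_source_nat(mode, first_dynamic_port=30412):
    """Return a function mapping a PBX source port to the port seen outside.

    'static'  : one-to-one address translation, source port preserved.
    'dynamic' : port translation, each new flow gets the next free port
                (starting value is constructed to match the trace above).
    """
    if mode == "static":
        return lambda src_port: src_port
    if mode == "dynamic":
        pool = count(first_dynamic_port)
        table = {}

        def translate(src_port):
            if src_port not in table:
                table[src_port] = next(pool)
            return table[src_port]
        return translate
    raise ValueError(f"unknown NAT mode: {mode}")


def stun_check(mode, local_ports=(5060, 9000, 9001)):
    """For each local port, report the port a STUN server would observe and
    whether a new flow from another peer to that public port would match the
    inbound rule (assumption: the PBX advertises the STUN-reported port)."""
    nat = make_source_nat(mode)
    results = []
    for port in local_ports:
        mapped = nat(port)  # source port as seen on the public side
        results.append({
            "local": port,
            "mapped": mapped,
            "preserved": mapped == port,
            "inbound_ok": mapped in FORWARDED,
        })
    return results


if __name__ == "__main__":
    for mode in ("dynamic", "static"):
        print(mode)
        for row in stun_check(mode):
            print("  ", row)
```

In this model only the static mapping keeps the STUN-reported ports inside the forwarded range, which matches the workaround and the "Translated IP = Static IP" rule reported in the posts above.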