Sonicwall NSA 2600 and 3cx

Discussion in '3CX Phone System - General' started by blang008, Dec 17, 2015.

Thread Status:
Not open for further replies.
  1. blang008

    Joined:
    Oct 27, 2015
    Messages:
    16
    Likes Received:
    1
    Getting "Internal port number xxx does not match external port number xxx" on all ports when running the firewall checker. The Sonicwall is managed by another vendor who said they have configured everything as stated in the 3cx document. However, they have an updated firmware that does not contain the port remap option. Could this be the reason? And do they need to downgrade the firmware? I've called into 3cx support multiple times and cannot get anyone to call me back. Now I'm just getting straight to their voicemail.
     
  2. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,277
    Likes Received:
    246
    Sounds like that is the issue.
    Are you in the USA? 3cx is not and I am not sure of their support hours.
     
  3. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    432
    Likes Received:
    67
    Since you have such a high end Sonicwall don't you have separate external IPs where you can assign one to 3CX?

    The special firmware is only needed when using many-to-one nat where the primary WAN IP is used for multiple servers based on port number.

    When using the one-to-one nat the special firmware isn't required. The 3CX document doesn't cover one-to-one nat but you can get the document from Sonicwall.

    If you only have one static IP address have them put in a call to Sonicwall and ask for 5.8 or 5.9 with HotFix 152075 (both exist) or if there is a newer firmware that has the hotfix already applied. The firmware release notes documentation usually references which hotfixes are fixed.

    I have 5.9 with the hotfix but only for TZ100, 105, 200, 210 and 215.
     
  4. blang008

    Joined:
    Oct 27, 2015
    Messages:
    16
    Likes Received:
    1
    Only problem is this is a financial institution and the firewall is controlled by a 3rd party and I highly doubt that they will downgrade the firmware as it is their standard and supported firmware for this device.
     
  5. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    432
    Likes Received:
    67
    That's good. Have them assign one external static IP dedicated to 3CX and set it up according to Sonicwall's document for one-to-one NAT, and you can use any firmware version.
     
  6. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    I can confirm the One to One Nat trick works on sonicwall, you need an extra public IP but it avoids messing with the firmware which is a really bad idea in my experience...
     
  7. redhamilton

    Joined:
    Jan 22, 2016
    Messages:
    10
    Likes Received:
    0
    I'm having the same issue with a Sonicwall NSA4500

    I have a dedicated public IP address NAT'd to my internal 3cx box using one-to-one NAT.
    ALL ports are completely open.

    In the network settings of 3cx I've tried using both the public IP and the internal (IP of the NIC) IP as the "public" ip.

    3cx shouldn't even need to be aware of the public IP since I'm using 1-to-1 NAT.

    Anyway, getting port mismatch, no idea why, defies anything that makes sense.

    Help would be appreciated.

    -Josh
     
  8. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    Where is the phone? Is it behind another sonicwall across a VPN?
    Which ports are getting translated?
     
  9. redhamilton

    Joined:
    Jan 22, 2016
    Messages:
    10
    Likes Received:
    0
    Not even worrying about phones yet... just setting up PBX services at this point.
    One sonicwall
    ALL ports are being translated from the dedicated external IP to the internal IP
    one to one NAT
    EXT IP <-> INT IP for all ports.
    -Josh
     
  10. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    Can you post your NAT rules? You need one for inbound and one for outbound tied to the respective interfaces...
     
  11. hwong

    Joined:
    Jul 17, 2015
    Messages:
    24
    Likes Received:
    0
    I'm running into the same issue with the failed firewall checker. As far as I can tell everything is working - can make and receive phone calls. It's just that the checks fail.

    I don't mean to hijack this thread but I also have an issue with intermittent audio drops for external calls in the afternoons. I checked with our SIP provider and they noticed that some RTP packets were getting through. I don't understand why it would be intermittent though.
     
  12. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,083
    Likes Received:
    61
    Sonicwall is finicky and I too have had a number of issues dealing with which firmware either does or does not need the hotfix. The last install that involved a SW (October) did not have the latest firmware for the model, but the client had a support agreement with Sonicwall. He finally called support and they got into the router, updated the firmware, installed the hotfix and then configured the ports. It has worked fine ever since. If you have a support agreement, make use of it, as they can make heads or tails of the hotfix applicability. Before I finally got them to call support, their own internal IT guy tried and we wasted 6 hours as he insisted the firmware he installed, which was also the reported latest, did not need it... apparently it did.
     
  13. hwong

    Joined:
    Jul 17, 2015
    Messages:
    24
    Likes Received:
    0
    I called Sonicwall support yesterday and they ran a packet capture while I ran the firewall checker and they didn't see any dropped packets. They seem to think that something else is mangling the packets which is causing the firewall checker to fail. I am running v6.1.2.3-20n on my NSA 2600 so I wouldn't need the hotfix right? I'm also setup with One-to-One NAT.
     
  14. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    The hotfix enables the checkbox on advanced tab of a NAT rule for "Disable Source port mapping". The other way to solve is to do One to One nat which automatically disables source port mapping for that IP. This does not require the hotfix. Are there no other routers between the 3cx and sonicwall? The packet capture would reveal if the mapping is happening before or after the sonicwall. This is not rocket science... Sometimes I have to call back a couple times to get a technician who is better trained in the particular area...
     
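To make the mechanism in the post above concrete, here is an added Python simulation; it is not 3CX's firewall checker and not SonicWall code. It models a stateful source NAT in two modes: many-to-one PAT, which hands every new flow a fresh ephemeral source port, and one-to-one NAT (or a rule with source port mapping disabled), which keeps the internal port. It then runs a checker that does what the 3CX tool does: compare the port the PBX bound locally with the port the far end sees. It also shows why a preserved-port rule needs a public IP dedicated to one host: a second host that already owns a port on the same WAN address forces a remap. The IP addresses, host names and probed port list are constructed assumptions for the example.

```python
"""Constructed simulation of source-port mapping behind a firewall NAT and the
"internal port X does not match external port Y" check that a PBX runs.
Not SonicWall or 3CX code; all addresses and ports below are made up."""
from dataclasses import dataclass, field
from itertools import count

# Constructed sample values (documentation ranges, not real hosts).
PBX_IP = "10.0.10.5"                 # the 3CX server on the LAN
OTHER_HOST_IP = "10.0.10.6"          # another LAN host sharing the firewall
SHARED_WAN_IP = "198.51.100.10"      # primary WAN address used by everyone
DEDICATED_WAN_IP = "198.51.100.11"   # extra public IP reserved for the PBX
PROVIDER_IP = "203.0.113.20"         # SIP trunk provider the checker talks to

# Ports the checker probes. Assumed list for illustration: SIP, tunnel and a
# small RTP range; the real list comes from the PBX's own settings.
CHECKED_PORTS = [5060, 5090] + list(range(9000, 9050))


@dataclass
class Nat:
    """Minimal stateful source NAT on one WAN address.

    preserve_source_port=False: many-to-one PAT, every new flow gets the next
    ephemeral port (the SonicWall default the thread is fighting).
    preserve_source_port=True: one-to-one NAT, or a rule with
    "Disable Source Port Mapping" ticked; the internal port is kept whenever
    no other internal host already owns it on this WAN address.
    """
    wan_ip: str
    preserve_source_port: bool
    # (internal_ip, internal_port, dest_ip, dest_port) -> external port
    table: dict = field(default_factory=dict)
    # external port -> internal IP that owns it
    owners: dict = field(default_factory=dict)
    _ephemeral: count = field(default_factory=lambda: count(60000))

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (wan_ip, external_port) for an outbound flow, creating the
        translation on first use and reusing it afterwards."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return self.wan_ip, self.table[key]
        owner = self.owners.get(src_port)
        if self.preserve_source_port and owner in (None, src_ip):
            ext_port = src_port
        else:
            # Either PAT, or another host already holds this port on the WAN
            # address: the NAT must remap to keep return traffic unambiguous.
            ext_port = next(self._ephemeral)
        self.table[key] = ext_port
        self.owners[ext_port] = src_ip
        return self.wan_ip, ext_port


def firewall_check(nat, pbx_ip, ports, provider_ip=PROVIDER_IP):
    """What the checker effectively does: send from each local port and ask the
    far end which source port it saw. Returns (internal, external) mismatches.
    Note that nothing is dropped, so calls can work while this list is long."""
    mismatches = []
    for port in ports:
        _, ext_port = nat.translate(pbx_ip, port, provider_ip, port)
        if ext_port != port:
            mismatches.append((port, ext_port))
    return mismatches


def demo():
    """Three scenarios from the thread; returns a summary tuple."""
    # 1. Many-to-one PAT on the shared WAN IP: every probe mismatches.
    pat = Nat(SHARED_WAN_IP, preserve_source_port=False)
    pat_mismatches = firewall_check(pat, PBX_IP, CHECKED_PORTS)
    # 2. One-to-one NAT on a WAN IP dedicated to the PBX: clean result.
    one_to_one = Nat(DEDICATED_WAN_IP, preserve_source_port=True)
    clean = firewall_check(one_to_one, PBX_IP, CHECKED_PORTS)
    # 3. Port preservation on a WAN IP another host also uses: the first host
    #    to use 5060 keeps it, so the PBX's 5060 probe gets remapped.
    shared = Nat(SHARED_WAN_IP, preserve_source_port=True)
    shared.translate(OTHER_HOST_IP, 5060, PROVIDER_IP, 5060)
    collided = firewall_check(shared, PBX_IP, CHECKED_PORTS)
    return len(pat_mismatches), len(clean), collided


if __name__ == "__main__":
    pat_count, clean_count, collided = demo()
    print(f"many-to-one PAT: {pat_count} of {len(CHECKED_PORTS)} ports remapped")
    print(f"one-to-one NAT on dedicated IP: {clean_count} mismatches")
    print(f"preserved ports on a shared IP: collisions {collided}")
```

The third scenario is the reason the thread keeps coming back to "an extra public IP": port preservation is only guaranteed when the WAN address belongs to a single internal host, which is exactly what a one-to-one rule on a dedicated IP provides. The model also explains the symptom of working calls with a failing checker; PAT rewrites ports but forwards everything, so only tools that compare the bound port with the observed port notice.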
  15. hwong

    Joined:
    Jul 17, 2015
    Messages:
    24
    Likes Received:
    0
    No other routers. We even did the Find Network Path under Diagnostics and the Sonicwall sees the 3CX server and its MAC address. The only special thing I can think of is that the 3CX and our phones are on a VLAN, but even then the Sonicwall does the routing and it sees it on the Network Path.
     
  16. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    Are the phones hitting the local IP address or public IP? Is the 3cx server on same vlan as the phones?
     
  17. hwong

    Joined:
    Jul 17, 2015
    Messages:
    24
    Likes Received:
    0
    Local IP, and yes, same VLAN as the phones.
     
  18. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    So the issue is ports getting mapped out to the SIP provider? Make sure you have 2 NAT rules targeting the VLAN interface, one for inbound and one for outbound. If possible, post a screenshot of the rules.
     