
Sonicwall NSA 2600 and 3cx

Status
Not open for further replies.

blang008

Getting "Internal port number xxx does not match external port number xxx" on all ports when running the firewall checker. Sonicwall is managed by another vendor who said they have configured everything as stated in the 3cx document. However, they have an updated firmware that does not contain the port remap option. Could this be the reason, and do they need to downgrade the firmware? I've called into 3cx support multiple times and cannot get anyone to call me back. Now just getting straight to their voicemail.
 
Sounds like that is the issue.
Are you in the USA? 3cx is not and I am not sure of their support hours.
 
Since you have such a high end Sonicwall don't you have separate external IPs where you can assign one to 3CX?

The special firmware is only needed when using many-to-one nat where the primary WAN IP is used for multiple servers based on port number.

When using the one-to-one nat the special firmware isn't required. The 3CX document doesn't cover one-to-one nat but you can get the document from Sonicwall.

If you only have one static IP address have them put in a call to Sonicwall and ask for 5.8 or 5.9 with HotFix 152075 (both exist) or if there is a newer firmware that has the hotfix already applied. The firmware release notes documentation usually references which hotfixes are fixed.

I have 5.9 with the hotfix but only for TZ100, 105, 200, 210 and 215.
 
Only problem is this is a financial institution and the firewall is controlled by a 3rd party and I highly doubt that they will downgrade the firmware as it is their standard and supported firmware for this device.
 
blang008 said:
Only problem is this is a financial institution and the firewall is controlled by a 3rd party and I highly doubt that they will downgrade the firmware as it is their standard and supported firmware for this device.

That's good. Have them assign one external static IP dedicated to 3CX and set up according to Sonicwall's document for one-to-one nat and you can use any firmware version.
 
I can confirm the One to One Nat trick works on sonicwall, you need an extra public IP but it avoids messing with the firmware which is a really bad idea in my experience...
 
I'm having the same issue with a Sonicwall NSA4500

I have a dedicated public IP address NAT'd to my internal 3cx box using one-to-one NAT.
ALL ports are completely open.

In the network settings of 3cx I've tried using both the public IP and the internal (IP of the NIC) IP as the "public" ip.

3cx shouldn't even need to be aware of the public IP since I'm using 1to1 NAT.

Anyway, getting port mismatch, no idea why, defies anything that makes sense.

Help would be appreciated.

-Josh
 
Where is the phone? Is it behind another sonicwall across a VPN?
Which ports are getting translated?
 
Not even worrying about phones... just setting up PBX services at this point.
One sonicwall
ALL ports are being translated from the dedicated external IP to the internal IP
one to one NAT
EXT IP <-> INT IP for all ports.
-Josh
 
Can you post your NAT rules? You need one for inbound and one for outbound tied to the respective interfaces...
 
I'm running into the same issue with the failed firewall checker. As far as I can tell everything is working - can make and receive phone calls. It's just that the checks fail.

I don't mean to hijack this thread but I also have an issue with intermittent audio drops for external calls in the afternoons. I checked with our SIP provider and they noticed that some RTP packets were getting through. I don't understand why it would be intermittent though.
 
Sonicwall is finicky and I too have had a number of issues dealing with which firmware either does or does not need the hotfix. The last install that involved a SW (October) did not have the latest firmware for the model, but the client had a support agreement with Sonicwall. He finally called support and they got into the router, updated the firmware, installed the hotfix and then configured the ports. It has worked fine ever since. If you have a support agreement, make use of it as they can make heads or tails of the hotfix applicability. Before I finally got them to call support, their own internal IT guy tried and we wasted 6 hours as he insisted the firmware he installed, which was also the reported latest, did not need it......apparently it did.
 
I called Sonicwall support yesterday and they ran a packet capture while I ran the firewall checker and they didn't see any dropped packets. They seem to think that something else is mangling the packets which is causing the firewall checker to fail. I am running v6.1.2.3-20n on my NSA 2600 so I wouldn't need the hotfix, right? I'm also set up with One-to-One NAT.
 
The hotfix enables the checkbox on advanced tab of a NAT rule for "Disable Source port mapping". The other way to solve is to do One to One nat which automatically disables source port mapping for that IP. This does not require the hotfix. Are there no other routers between the 3cx and sonicwall? The packet capture would reveal if the mapping is happening before or after the sonicwall. This is not rocket science... Sometimes I have to call back a couple times to get a technician who is better trained in the particular area...
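
The capture comparison suggested in the post above, as an added example that is not part of the original thread: it pairs outbound UDP packets seen on the LAN side and the WAN side of the firewall and lists any whose source port changed in between. The addresses, ports and capture lines are constructed (simplified from the shape of `tcpdump -nn` output), and pairing packets by destination and length in capture order is a simplifying assumption.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines, simplified from `tcpdump -nn` UDP output (not real captures).
LAN_CAPTURE = """\
14:02:11.100 IP 192.168.10.5.5060 > 198.51.100.20.5060: UDP, length 512
14:02:11.300 IP 192.168.10.5.9000 > 198.51.100.20.3478: UDP, length 28
14:02:11.500 IP 192.168.10.5.9002 > 198.51.100.20.3478: UDP, length 28
"""
WAN_CAPTURE = """\
14:02:11.101 IP 203.0.113.7.5060 > 198.51.100.20.5060: UDP, length 512
14:02:11.301 IP 203.0.113.7.9000 > 198.51.100.20.3478: UDP, length 28
14:02:11.501 IP 203.0.113.7.41877 > 198.51.100.20.3478: UDP, length 28
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

def parse(text):
    """Return (src_ip, src_port, dst_ip, dst_port, length) for each UDP line."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            s, sp, d, dp, ln = m.groups()
            out.append((s, int(sp), d, int(dp), int(ln)))
    return out

def find_remaps(lan_text, wan_text, internal_ip, public_ip):
    """Pair outbound packets on both sides; list those whose source port changed."""
    # Queue WAN-side source ports by (dst_ip, dst_port, length), in capture order.
    wan = defaultdict(deque)
    for s, sp, d, dp, ln in parse(wan_text):
        if s == public_ip:
            wan[(d, dp, ln)].append(sp)
    remaps = []
    for s, sp, d, dp, ln in parse(lan_text):
        if s != internal_ip or not wan[(d, dp, ln)]:
            continue  # not from the PBX, or never seen leaving the WAN side
        ext_port = wan[(d, dp, ln)].popleft()
        if ext_port != sp:  # one-to-one NAT should preserve the source port
            remaps.append({"dst": f"{d}:{dp}", "internal_port": sp,
                           "external_port": ext_port})
    return remaps

if __name__ == "__main__":
    for r in find_remaps(LAN_CAPTURE, WAN_CAPTURE, "192.168.10.5", "203.0.113.7"):
        print(f"remapped toward {r['dst']}: {r['internal_port']} -> {r['external_port']}")
```

An empty result with both captures taken at the firewall means the port change is happening somewhere past the WAN interface.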
 
No other routers. We even did the Find Network Path under Diagnostics and the Sonicwall sees the 3CX server and its MAC address. The only special thing I can think of is that the 3CX and our phones are on VLAN but even then the Sonicwall does the routing and it sees it on the Network Path.
 
Are the phones hitting the local IP address or public IP? Is the 3cx server on same vlan as the phones?
 
Local IP and yes same vlan as the phones
 
So the issue is ports getting mapped out to the sip provider? Make sure you have 2 NAT rules targeting the VLAN interface, one for inbound and one for outbound. If possible post a screenshot of the rules.
 