Sonicwall TZ170 Enhanced Configuration

Discussion in '3CX Phone System - General' started by lrodis, Oct 28, 2008.

Thread Status:
Not open for further replies.
  1. lrodis

    Has anybody got this working where the 3CX system is not the primary server on the network? Do I need to get a second static IP?

    Any help would be greatly appreciated.

    I'm running 3.4 enhanced. Would a TZ180 work better?

    Larry
     
  2. KrisHansen

    Not sure specifically with the SonicWALL firewall, but I'm assuming it has some sort of port forwarding rules. It will work with no problems no matter how many other servers are on the network. What are you trying to achieve, and what errors / what services are not working?
     
  3. lrodis

    Because I can't get the firewall test to work correctly.

    If I'm set up with your STUN server I can get the VoIP provider registered, but the Firewall test fails with warnings of 8 and 10.

    1 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
    2 9000 Error (10) Port is open, but port number has been changed during NAT translation. THIS ERROR means you have Symmetric NAT and you do not have STATIC PORT MAPPINGS in place. 3CX Phone System will not communicated correctly with your VOIP provider or external extensions. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 24.234.191.230:50744

    If I run the test again I get a firewall check failed with the same errors plus
    1 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
    2 9000 Error (10) Port is open, but port number has been changed during NAT translation. THIS ERROR means you have Symmetric NAT and you do not have STATIC PORT MAPPINGS in place. 3CX Phone System will not communicated correctly with your VOIP provider or external extensions. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 24.234.191.230:50744

    If I remove the STUN server it will also throw in passes as well as fails depending on when I press the check firewall. However, when I remove the STUN setup my CallCentric line registration fails.

    My SonicWALL VoIP settings are
    Enable consistent NAT
    Enable SIP Transformations
    Permit non-SIP packets on signaling port

    H.323 Settings
    Enable H.323 Transformations

    I have the following NAT policies in place (server 2 is the 3CX server):
    # | Source Original | Source Translated | Destination Original | Destination Translated | Service Original | Service Translated | Inbound Iface | Outbound Iface | Index
    1 | Firewalled Subnets | WAN Primary IP | WAN Primary IP | server01 Private | server01 Services | Original | Any | Any | 15
    2 | server01 Private | WAN Primary IP | Any | Original | server01 Services | Original | Any | WAN | 16
    3 | server2 Private | WAN Primary IP | Any | Original | 3CX VOIP | Original | Any | WAN | 17
    4 | Any | Original | WAN Primary IP | server01 Private | server01 Services | Original | Any | Any | 18
    5 | Any | Original | WAN Primary IP | server2 Private | 3CX VOIP | Original | Any | Any | 19
    6 | Any | WAN Primary IP | Any | Original | Any | Original | WLAN | WAN | 20
    7 | Any | WAN Primary IP | Any | Original | Any | Original | LAN | WAN | 21

    These are the services I have defined for port forwarding to the 3CX server:
    Name | Protocol | Start Port | End Port
    RTP | UDP | 9000 | 9015
    SIP | TCP | 5060 | 5060
    SIP | UDP | 5060 | 5060
    Stun | TCP | 3478 | 3478

    So I'll a
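The checker output quoted above boils down to one STUN measurement: bind the RTP port locally, ask a STUN server which public port it saw, and compare. The following Python is an added illustration written for this thread (not 3CX's checker code and not from the original post); it encodes and decodes a STUN Binding exchange (RFC 5389 XOR-MAPPED-ADDRESS) and reports the "port changed during NAT translation" condition. The sample response it builds offline uses the externalAddress values from the post; `probe()` does the live version against a server you name.

```python
import os
import socket
import struct

STUN_MAGIC, STUN_PORT = 0x2112A442, 3478
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid):
    # 20-byte STUN header: type, body length, magic cookie, 96-bit transaction id
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, STUN_MAGIC, txid)

def build_binding_response(txid, ip, port):
    """Encode a Binding Response with XOR-MAPPED-ADDRESS (constructed sample for offline use)."""
    xport = port ^ (STUN_MAGIC >> 16)
    xaddr = bytes(b ^ m for b, m in zip(socket.inet_aton(ip), struct.pack("!I", STUN_MAGIC)))
    attr = struct.pack("!HHBBH4s", XOR_MAPPED_ADDRESS, 8, 0, 1, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), STUN_MAGIC, txid) + attr

def parse_mapped_address(msg, txid):
    """Return (ip, port) the server saw, or None if the reply is absent or invalid."""
    hdr = struct.unpack("!HHI12s", msg[:20]) if len(msg) >= 20 else None
    if hdr is None or hdr[0] != BINDING_RESPONSE or hdr[2] != STUN_MAGIC or hdr[3] != txid:
        return None
    body, pos = msg[20:20 + hdr[1]], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        val = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to a 4-byte boundary
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(val) == 8 and val[1] == 1:
            port, addr = struct.unpack("!H", val[2:4])[0], val[4:8]
            if atype == XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
                port ^= STUN_MAGIC >> 16
                addr = bytes(b ^ m for b, m in zip(addr, struct.pack("!I", STUN_MAGIC)))
            return socket.inet_ntoa(addr), port
    return None

def classify(local_port, mapped_port):
    # Same verdict the 3CX checker gives: error (10) means the firewall rewrote the port
    if mapped_port == local_port:
        return "OK: port %d preserved across NAT" % local_port
    return "ERROR (10): port %d rewritten to %d; add a static port mapping" % (local_port, mapped_port)

def probe(server, local_port, timeout=2.0):
    """Live check (needs network): bind local_port and ask the STUN server for our mapping."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", local_port))
        sock.sendto(build_binding_request(txid), (server, STUN_PORT))
        mapped = parse_mapped_address(sock.recv(2048), txid)
    return None if mapped is None else classify(local_port, mapped[1])
```

With "Enable consistent NAT" on, a single probe cannot tell a consistent-but-rewritten port from a symmetric one; repeating `probe()` against two different servers and comparing the mapped ports is what separates the two cases.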
     
  4. lrodis

    I played some more and I can make outgoing calls, but I don't get any inbound at all.

    I'm also attaching the packet trace from the SonicWALL, just looking at the IP address of the 3CX STUN server.

    I also borrowed a second IP address from my ISP and calls do come through.

    So, back to my original question: has anyone gotten this to work with SonicWALLs without a dedicated IP?

    Thanks in advance


    Larry
     
  5. buddy@gcsbend.com

    I have a SonicWALL Pro 2040 with SonicOS standard, not Enhanced. (Wish I had enhanced because it gives you more control over NAT and PAT policies.)

    My setup works great with CallCentric. (using 3CX v6.0.806 and 6.1.0)

    Firewall Allow Rule (note on OS standard, the rules are much simpler):
    From WAN interface to 3CX Server IP object.
    Service: SIP (UDP port 5060)
    Bandwidth Management enabled. (For my situation I have 1400 Kb/s guaranteed / priority 0)

    VoIP settings: Enable Consistent NAT, Enable SIP Transformations

    However, STUN server will always fail with error (10) warnings because the SonicWALL always translates Port Addresses for security reasons. It's OK, however, because SIP Transformations handles everything including setting up and tearing down RTP tunnels. That's why you don't need allow rules for RTP ports or for STUN server. STUN traffic gets through anyway because the requests originate from inside the LAN.

    For SonicOS Enhanced, I would delete all services, access rules, address objects, NAT policies that you created and start over using the Public Server Wizard.
    Server Type: Other
    Service: SIP
    Server Name: 3CX-PBX (or whatever you call yours)
    Private IP Address: LAN IP of the 3CX server
    Public IP Address: External Static IP

    The Wizard will create the following:
    Server Address Objects
    1. Create '3CX-PBX Private' assigned to LAN Zone for Host 192.168.41.48. (or LAN IP of your 3CX box)
    2. Reuse 'WAN Primary IP' address object assigned to WAN Zone for 216.128.112.18. (or external static IP)

    Server Service Group Object
    1. Create '3CX-PBX Services' with SIP Service.

    Server NAT Policies
    1. Create Inbound Server NAT Policy to rewrite packets to original destination 'WAN Primary IP' to translated destination '3CX-PBX Private'.
    2. Create Outbound Server NAT Policy to rewrite packets from '3CX-PBX Private' to translated source 'WAN Primary IP'.
    3. Create Loopback NAT Policy to allow access from all internal zones to the server at public IP address 216.228.174.18.

    Server Access Rules
    1. WAN > LAN - Allow 'Any' to 'WAN Primary IP' for Service Group '3CX-PBX Services'.
    Similar rules will be created from all lower security zones to the LAN zone.

    After the access rule has been created, you can go in and enable bandwidth management, based upon your ISP bandwidth and max number of simultaneous calls you will allow.

    You should be good to go using standard CallCentric template.
     
  6. lrodis

    Buddy,

    Thank you very much. I never went further than the firewall test. I'll give it a try for my clients, as I already went and purchased a 2nd IP for $5/month.

    Larry
     