Guide on How to Configure a SonicWALL Firewall for Use With the 3CX Phone System
This document describes the configuration of Dell SonicWALL devices based on a TZ100, TZ100W, TZ105, TZ105W, TZ200, TZ200W, TZ205, TZ205W, TZ210, TZ 210W, TZ215, TZ 215W, NSA 220, NSA 220W, NSA 240, NSA 2400, NSA 3500, NSA 4500, NSA 5000, NSA E5500, NSA E6500, NSA E7500, NSA E8500, NSA E8510 for use with the 3CX Phone System.
In general, DELL SonicWALL firewalls are known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections, provided that the HotFix firmware, or a newer firmware that includes this HotFix, has been applied.
The status of this type of firewall is “in validation state”.
Required Firmware version is: SonicOS 220.127.116.11o HotFix 152075
Configuration of the firewall will never be carried out by 3CX staff at any point and must be made by the System Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. This guide is a best-effort description of how to configure the device(s). 3CX is not liable for any misguidance that may be contained in this guide.
This article describes how a SonicWALL appliance should be configured in order to deploy a 3CX Phone System behind it. As the 3CX Phone System requires full cone NAT with Port Forwarding, it needs to be deployed in either a:
- One-to-One NAT configuration. In this scenario, a dedicated public IP address is assigned to the 3CX. (No Hot Fix Required)
- Many-to-One NAT configuration. In this scenario, the 3CX is reached via the Dell SonicWALL public IP address. (Hot Fix Required)
The One-to-One NAT configuration is covered in the SonicOS Admin Guide. As the 3CX only supports Port Forwarding, SIP Transformations and Consistent NAT need to be disabled within SonicOS.
This document focuses on steps needed for deployment in a Many-to-One NAT configuration. SonicOS has been extended to provide ‘Port Forwarding’ support. Until included in applicable releases, Hot Fixes are available to those customers with an active ‘Software and Firmware Update’ license. Contact the DELL Sonicwall Support Team to request the applicable Firmware/Hotfix.
Open the Web Management Console of the DELL SonicWall Firewall Gateway:
- Create Services objects for TCP/UDP ports for which 3CX needs Port Forwarding. Add all ports needed to connect from the outside to the 3CX Phone System (NAT ports). To determine the ports needed for the setup, check this link: https://www.3cx.com/docs/firewall-router-configuration-voip/, as the ports may depend on the version you are using.
- Create the Service Group “3CX Services” with all of the above Service Objects as members.
- Create the Address Object “3CX PBX”. In the sample, the 3CX Phone System is located on the internal IP address 192.168.3.155; replace this with the actual IP address of your setup.
- Create NAT Policies for 3CX inbound and outbound connections:
- Add a NAT policy for outbound connections from the 3CX PBX. If using an interface other than X1 as the WAN interface, then the Outbound Interface needs to be changed accordingly.
Edit the Advanced tab and make sure that “Disable Source Port Remap” is disabled.
- Add a NAT policy for inbound connections to the 3CX PBX. If using an interface other than X1 as the WAN interface, then the Inbound Interface needs to be changed accordingly.
Here is a summary of a simple setup.
- Create the “Firewall → Access Rule” that allows access to the 3CX PBX in the WAN to LAN direction. If using an interface other than X1 as the WAN interface, the Destination needs to be changed accordingly.
- Ensure that SIP Transformations and Consistent NAT are disabled (as these will be done by the 3CX Phone System).
Run the 3CX Firewall Checker to validate the setup from the “3CX Management Console Dashboard → Firewall Check”. All tested ports must return a green “done” result.
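Before creating the Service Objects and the “3CX Services” group, the planned list can be compared with the required port list so that nothing needed is missing and nothing extra is forwarded from the WAN. The following Python script is an added example, not part of the original 3CX guide; the object names and port numbers in it are constructed samples and are not the 3CX port list.

```python
# Added example: audit a planned "3CX Services" group against a required-port list.
# All names and port numbers below are constructed samples, NOT the 3CX port list;
# take the real list from the 3CX firewall documentation for your version.
from typing import NamedTuple

class Service(NamedTuple):
    name: str
    proto: str   # "tcp" or "udp"
    start: int   # first port of the range
    end: int     # last port of the range (same as start for a single port)

def expand(services):
    """Return the set of (proto, port) pairs covered by the service objects."""
    covered = set()
    for s in services:
        if s.proto not in ("tcp", "udp") or not 1 <= s.start <= s.end <= 65535:
            raise ValueError(f"invalid service object: {s}")
        covered.update((s.proto, p) for p in range(s.start, s.end + 1))
    return covered

def collapse(pairs):
    """Merge (proto, port) pairs into sorted 'proto/port' or 'proto/a-b' strings."""
    runs = []
    for proto, port in sorted(pairs):
        if runs and runs[-1][0] == proto and runs[-1][2] == port - 1:
            runs[-1][2] = port            # extend the current run
        else:
            runs.append([proto, port, port])
    return [f"{p}/{a}" if a == b else f"{p}/{a}-{b}" for p, a, b in runs]

def audit(required, group):
    """missing = required but not forwarded; excess = forwarded but not required."""
    need, have = expand(required), expand(group)
    return {"missing": collapse(need - have), "excess": collapse(have - need)}

# Constructed sample data (hypothetical object names and ports).
REQUIRED = [Service("sip-udp", "udp", 5060, 5060), Service("sip-tcp", "tcp", 5060, 5060),
            Service("tunnel-tcp", "tcp", 5090, 5090), Service("tunnel-udp", "udp", 5090, 5090),
            Service("rtp", "udp", 9000, 9049)]
PLANNED_GROUP = [Service("SIP UDP", "udp", 5060, 5061), Service("Tunnel TCP", "tcp", 5090, 5090),
                 Service("RTP", "udp", 9000, 9039), Service("Mgmt", "tcp", 5001, 5001)]

if __name__ == "__main__":
    print(audit(REQUIRED, PLANNED_GROUP))
```

Entries under "missing" will fail the 3CX Firewall Checker; entries under "excess" are ports opened to the WAN that the phone system does not need and should be dropped from the group.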