Configuring a Cisco Meraki Firewall with 3CX

Introduction

This document describes the configuration of Cisco Meraki for use with 3CX. This guide is written for PBX administrators on networks with a single WAN IP, or who are using their primary WAN IP for 3CX. We assume the 3CX Server in our example has an internal IP address of 192.168.168.8 and that you are using 5001 for your 3CX web components – adjust as required if you choose to use 443 instead.

Step 1: Configure Port Forwarding (NAT)

This guide was written with firmware 18.107.2 on the new dashboard experience. Because of how the Meraki Dashboard works, the steps will likely stay the same on newer firmware versions.

Log in to the Meraki dashboard (https://dashboard.meraki.com):

1.    Navigate to “Security and SD WAN” > “Firewall”.

2.    Scroll to the Forwarding rules section and click the “Add a port forwarding rule” button on the left to add a new rule.

3.    Create NAT rules for all required ports that need to be forwarded, based on this list.

    1.    “Name”: Label the rule for easier identification.

    2.    “Uplink”: Select the uplink used by the MX. Typically this is Internet 1.

    3.    “Protocol”: Set the protocol type depending on the port(s) you are forwarding.

    4.    “Public Port”: Enter the external port. This is the same as the internal one.

    5.    “LAN IP”: Enter the internal IP address of the 3CX Phone System.

    6.    “Local Port”: Enter the internal port. This is the same as the external one.

    7.    “Allowed Remote IPs”: Set this to any.

4.    Repeat step #3 for every forwarded port.

5.    Click on “Save” at the bottom (right or center) of the page.

6.    After adding all port forward rules, they should look similar to the example below.

Step 2: Port Preservation (Full Cone NAT)

Cisco Meraki devices come with Port Preservation already enabled and no option to disable it. You do not need to do anything on this step.

Step 3: Configuring Hairpin NAT

Cisco Meraki devices come with Hairpin NAT already enabled and no option to disable it. You do not need to do anything on this step.

It’s important to note that Hairpin NAT will consume more WAN traffic and may result in poor call quality in some situations. We recommend using Split Brain DNS whenever possible; however, this is not a supported function of Cisco Meraki MX firewalls. Although you can call Meraki support and have them enable the built-in internal DNS server, this DNS server is limited in nature and not recommended.

Step 4: Validating Your Setup

To validate your NAT / Port Forwarding setup, go to “Dashboard” > “Firewall” in the 3CX Management Console and run the 3CX Firewall Checker, which checks whether your firewall is correctly configured for use with 3CX. See more info about the Firewall Checker.

In some cases you might have to reboot the firewall for the changes to take effect.
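As a complement to the Firewall Checker, the sketch below audits a list of port forwarding rules offline against the settings from Step 1: matching public and local ports, the PBX LAN IP, and coverage of the required ports. It also lists which rules accept traffic from any remote IP. This is an added example, not 3CX or Meraki code; the rule field names are assumed to follow a Dashboard API style export, the sample rules are constructed, and only port 5001 and 192.168.168.8 come from this guide.

```python
import ipaddress

PBX_LAN_IP = "192.168.168.8"   # internal 3CX address used in this guide
REQUIRED = [("tcp", 5001)]     # web port from this guide; extend from the 3CX port list

# Constructed sample rules; field names are an assumption (Dashboard API style export).
SAMPLE_RULES = [
    {"name": "3CX web", "uplink": "internet1", "protocol": "tcp",
     "publicPort": "5001", "localPort": "5001",
     "lanIp": "192.168.168.8", "allowedIps": ["any"]},
    {"name": "sample range", "uplink": "internet1", "protocol": "udp",
     "publicPort": "9000-9010", "localPort": "9000-9011",
     "lanIp": "192.168.168.80", "allowedIps": ["any"]},
]


def port_range(spec):
    """Parse '5001' or '9000-9010' into an inclusive (low, high) tuple."""
    low, _, high = str(spec).partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def audit(rules, pbx_ip=PBX_LAN_IP, required=REQUIRED):
    """Return (problems, open_to_any) for a list of port forwarding rules."""
    problems, open_to_any, covered = [], [], []
    for rule in rules:
        name = rule["name"]
        try:
            public = port_range(rule["publicPort"])
            local = port_range(rule["localPort"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if public != local:  # Step 1: external and internal port must be the same
            problems.append(f"{name}: public {public} != local {local}")
        if ipaddress.ip_address(rule["lanIp"]) != ipaddress.ip_address(pbx_ip):
            problems.append(f"{name}: LAN IP {rule['lanIp']} is not the PBX")
        else:
            covered.append((rule["protocol"], public))
        if "any" in rule["allowedIps"]:  # inventory of what is reachable from any source
            open_to_any.append(name)
    for proto, port in required:
        if not any(p == proto and lo <= port <= hi for p, (lo, hi) in covered):
            problems.append(f"missing forward for {proto}/{port}")
    return problems, open_to_any
```

The `open_to_any` list is an inventory rather than an error list: it records which forwarded services are reachable from every source address so that exposure is a documented decision.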

Special thanks to 3CX Gold Partner, Tigunia, and Martin Twerski for this guide.

Last Updated

This document was last updated 23 October 2023

https://www.3cx.com/docs/cisco-meraki-firewall