VoIP & a SonicWall
Using a SonicWall with VoIP
Using a SonicWall and VoIP can be a challenging endeavor, so much so, that many VoIP providers will simply say that they will not support their service for a customer using a SonicWall. To understand the complexities of why VoIP becomes such an issue for the Sonicwall to handle correctly one must understand that the SonicWall firewall router will NAT outbound port numbers to different values. The SonicWall does provide a "Consistent NAT" option to help resolve this issue, but this does not correct the fact that port numbers are actually changed. Changing outbound port numbers will cause issues with the VoIP traffic. These issues can result in one-way audio and dropped calls.
Some background about the SonicWall
The SonicWall has a setting,
SIP Transformations which transforms SIP messages between the LAN (trusted) and
WAN/DMZ (untrusted). According to SonicWall; If your SIP
proxy is located on the public (WAN) side of the SonicWall (which is most always
the case) and SIP clients are on the LAN side, the SIP clients by default
embed/use their private IP address in the SIP/Session Definition Protocol (SDP)
messages that are sent to the SIP proxy, hence these messages are not changed
and the SIP proxy does not know how to get back to the client behind the
SonicWall. Selecting Enable SIP Transformations enables the SonicWall to
go through each SIP message and change the private IP address and assigned port.
Enable SIP Transformation also controls and opens up the RTP/RTCP ports that
need to be opened for the SIP session calls to happen. NAT translates Layer 3
addresses but not the Layer 7 SIP/SDP addresses, which is why you need to select
Enable SIP Transformations to transform the SIP messages. You need to
check this setting when you want the SonicWALL security appliance to do the SIP
But, what is found most of the time is that; You Do Not Want SIP Transformations Enabled.
SonicWall Settings for VoIP
Having SIP Transformations Enabled creates issues with the VoIP signaling as well as the RTP voice traffic. For a recommended approach to try:
- Uncheck Enable SIP Transformations.
- Create inbound firewall/NAT rules for the ports you need.
- Try turning off Consistent NAT and configuring outbound NAT policies for your traffic, using the same port numbers as for the inbound traffic, for example, UDP 5060 for SIP Signaling.