VoIP & a SonicWall
Using a SonicWall with VoIP
Using a SonicWall and VoIP can be a challenging endeavor, so much so, that many VoIP providers will simply say that they will not support their service for a customer using a SonicWall. To understand the complexities of why VoIP becomes such an issue for the Sonicwall to handle correctly one must understand that the SonicWall firewall router will NAT outbound port numbers to different values. The SonicWall does provide a "Consistent NAT" option to help resolve this issue, but this does not correct the fact that port numbers are actually changed. Changing outbound port numbers will cause issues with the VoIP traffic. These issues can result in one-way audio and dropped calls.
Some background about the SonicWall
The SonicWall has a setting, SIP Transformations which
transforms SIP messages between the LAN (trusted) and WAN/DMZ
(untrusted). According to SonicWall;
If your SIP proxy is located on the public (WAN) side of the
SonicWall (which is most always the case) and SIP clients are on
the LAN side, the SIP clients by default embed/use their private
IP address in the SIP/Session Definition Protocol (SDP) messages
that are sent to the SIP proxy, hence these messages are not
changed and the SIP proxy does not know how to get back to the
client behind the SonicWall. Selecting Enable SIP
Transformations enables the SonicWall to go through each SIP
message and change the private IP address and assigned
port. Enable SIP Transformation also controls and opens up
the RTP/RTCP ports that need to be opened for the SIP session
calls to happen. NAT translates Layer 3 addresses but not the
Layer 7 SIP/SDP addresses, which is why you need to select
Enable SIP Transformations to transform the SIP messages.
You need to check this setting when you want the SonicWALL
security appliance to do the SIP transformation.
But, what is found most of the time is that; You Do Not Want SIP Transformations Enabled.
SonicWall Settings for VoIP
Having SIP Transformations Enabled creates issues with the VoIP signaling as well as the RTP voice traffic. For a recommended approach to try:
- Uncheck Enable SIP Transformations.
- Create inbound firewall/NAT rules for the ports you need.
- Try turning off Consistent NAT and configuring outbound NAT policies for your traffic, using the same port numbers as for the inbound traffic, for example, UDP 5060 for SIP Signaling.