SonicWALL and SIP

The SonicWALL security appliance allows VoIP phones and applications to be deployed behind the firewall. The VoIP > Settings page contains the settings for supporting VoIP traffic on the SonicWALL security appliance.

General Settings

The Consistent NAT setting ensures predictable re-use of the same translated IP address and UDP port pair for internal (LAN) address and port pairs. This checkbox is disabled by default. Consistent NAT changes standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to. Consistent NAT uses an MD5 hashing method to consistently assign the same mapped public IP address and UDP port pair to each internal private IP address and port pair.

SIP Settings

This section provides configuration tasks for SIP Settings.

The Enable SIP Transformations setting transforms SIP messages between LAN (trusted) and WAN/DMZ (untrusted). Select this setting when you want the SonicWALL to perform the SIP transformation. If your SIP proxy is located on the public (WAN) side of the SonicWALL and SIP clients are on the LAN side, the SIP clients by default embed their private IP address in the SIP/Session Description Protocol (SDP) messages that are sent to the SIP proxy. Without transformation these messages are not changed, and the SIP proxy does not know how to get back to the client behind the SonicWALL. Selecting Enable SIP Transformations enables the SonicWALL to go through each SIP message and change the private IP address and assigned port. Enable SIP Transformations also controls and opens the RTP/RTCP ports that need to be opened for the SIP session calls to happen. NAT translates Layer 3 addresses but not the Layer 7 SIP/SDP addresses, which is why you need to select Enable SIP Transformations to transform the SIP messages. It is recommended that you turn on Enable SIP Transformations unless there is another NAT traversal solution that requires this feature to be turned off. SIP Transformations works in bi-directional mode: it transforms messages going from LAN to WAN and vice versa.
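To make the Layer 3 versus Layer 7 point concrete, the following added example (not SonicWALL code, and not a description of its internal implementation) models an outbound transformation in Python and lists the private addresses a message still carries. The INVITE, the public address 203.0.113.10 and the port mappings are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as a LAN phone at 192.168.1.50 would send it.
INVITE = "\r\n".join([
    "INVITE sip:bob@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@sip.example.net>;tag=1928301774",
    "To: <sip:bob@sip.example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 0",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])

def private_addresses(msg):
    """Return the RFC 1918 addresses still embedded in a SIP/SDP message."""
    found = []
    for ip in set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", msg)):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # dotted string that is not a valid IPv4 address
            continue
        if any(addr in net for net in RFC1918):
            found.append(ip)
    return sorted(found)

def transform_outbound(msg, private_ip, public_ip, port_map):
    """Simplified LAN-to-WAN rewrite: headers, SDP addresses, media port, length."""
    mapped = lambda port: port_map.get(int(port), port)  # unmapped ports pass through
    head, _, body = msg.partition("\r\n\r\n")
    # Signaling: private ip:port in Via/Contact becomes public ip:mapped port.
    head = re.sub(re.escape(private_ip) + r":(\d+)",
                  lambda m: f"{public_ip}:{mapped(m.group(1))}", head)
    # Media: SDP o=/c= addresses and the m= port that RTP will use.
    body = body.replace(private_ip, public_ip)
    body = re.sub(r"^(m=\w+ )(\d+)", lambda m: m.group(1) + str(mapped(m.group(2))),
                  body, flags=re.M)
    head = re.sub(r"(?i)Content-Length:[^\r\n]*", f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body
```

Running private_addresses() on a capture taken on the WAN side is a quick check of whether the transformation is being applied: a private address in Via, Contact or the SDP c= line means the proxy has been given an address it cannot reach.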

   
Permit non-SIP packets on signaling port - This checkbox is disabled by default. Select this checkbox to enable applications such as Apple iChat. Enabling this checkbox may open your network to malicious attacks caused by malformed or invalid SIP traffic.

SIP Signaling inactivity time out (seconds) - This field has a default value of 1200 seconds (20 minutes).

SIP Media inactivity time out (seconds) - This field has a default value of 120 seconds (2 minutes).

Additional SIP signaling port (UDP) for transformations (optional) - This setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports.
