Difference between revisions of "Router Info Sonicwall"

From IPitomy Wiki
(complete sonicwall info revamp)
Line 1: Line 1:
We have a document on setting up a Sonicwall here:
+
===Disable SIP Header Transformations and Enable Consistent NAT===
  
[http://www.ipitomy.com/webrelease/Sonicwall/Sonicwall%20Quick%20Guide.pdf http://www.ipitomy.com/webrelease/Sonicwall/Sonicwall%20Quick%20Guide.pdf]<br/>
+
SonicWALL SIP ALG is called SIP Header Transformations, this should be Disabled and Consistent NAT should be Enabled:<br/>
 +
[[File:Sonicwallcnsht.png]]
  
We have seen that having IPS turned on with the check box for Prevent Low Priority Attacks checked can cause issues with some calls not going through.  If you are having intermittent call failures try disabling this setting.<br/>
+
===Create Outbound NAT Policy and Disable Source Port Remap===
  
We have verified that enabling an inside--outside rule resolves the problems with dropped calls as it forces the Sonicwall to stick to port 5060.  To configure this, create a NAT rule as follows:<br/><br/>
+
In some cases the SonicWALL will remap the 5060 and 10000-20000 UDP source ports causing one way audio and calls dropping after 30 seconds.
Original Source: PBX Private IP<br/>
 
Translated Source: IP of the WAN interface (X1 IP for example)<br/>
 
Original Destination: Address Group for our SIP servers (52.5.220.123 or 54.200.236.200)<br/>
 
Translated Destination: Original<br/>
 
Original Service:  Service Group including 5060 UDP and 10000-20000 UDP<br/>
 
Translated Service:  Original<br/>
 
Inbound Interface: Any<br/>
 
Outbound Interface: WAN interface (X1 for example)<br/><br/>
 
  
After that go to the Advanced tab and check the box for "Disable Source Port Remap" and click OK. The system will now talk to us from source port 5060.<br/>
+
To resolve this, create an inside to outside rule like the following:
 +
<table>
 +
<tr>
 +
<td>
 +
'''Original Source:''' <br/>
 +
'''Translated Source:''' <br/>
 +
'''Original Destination:'''    <br/>
 +
'''Translated Destination:'''  <br/>
 +
'''Original Service:'''  <br/>
 +
'''Translated Service:'''  <br/>
 +
'''Inbound Interface:''' <br/>
 +
'''Outbound Interface:'''
 +
</td>
 +
<td><div style="margin-left: 30px;">
 +
PBX Private IP<br/>
 +
IP of the WAN interface (X1 IP for example)<br/>
 +
Address Group for our SIP servers (52.5.220.123 or 54.200.236.200)<br/>
 +
Original<br/>
 +
Service Group including 5060 UDP and 10000-20000 UDP<br/>
 +
Original<br/>
 +
Any<br/>
 +
WAN interface (X1 for example)
 +
</div></td>
 +
</tr>
 +
</table>
  
 +
After that go to the Advanced tab and check the box for "Disable Source Port Remap" and click OK.<br/>
 +
[[File:Sonicwallspr.PNG]]<br/>
 +
Once completed the PBX will always use the proper source ports on the WAN side.
  
 +
===Create Access Policy with Increased UDP Timeout===
  
=== '''WARNING!'''<br/> ===
+
Most often seen in cloud deployments you will see phones going REACHABLE/UNREACHABLE with complaints of calls going directly to voicemail and BLFs not lighting properly.
  
VoIP phones behind a firewall running SonicOS 6.2.7.1 cannot make outbounds calls, although inbound calls and phone registration are working fine. Occurs when the internal SIP device uses a port that is different from the source port (the port associated with the Via or Contact fields), and when the remote device sends packets to this port, the firewall is not forwarding them to the internal device.
+
To fix this add a LAN to WAN Access Policy as follows:
 +
<table>
 +
<tr>
 +
<td>
 +
'''From Zone:''' <br/>
 +
'''To Zone:''' <br/>
 +
'''Service:'''    <br/>
 +
'''Source:'''  <br/>
 +
'''Destination:'''  <br/>
 +
'''Users Allowed:'''  <br/>
 +
'''Schedule:'''
 +
</td>
 +
<td><div style="margin-left: 30px;">
 +
LAN<br/>
 +
WAN<br/>
 +
SIP (UDP 5060)<br/>
 +
Any<br/>
 +
Any<br/>
 +
All<br/>
 +
Always On
 +
</div></td>
 +
</tr>
 +
</table>
 +
 
 +
Navigate to the Advance tab and reduce the UDP timeout to 30 seconds, once saved phones should remain REACHABLE.
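
Review bot: The new last section is headed "Create Access Policy with Increased UDP Timeout", but its closing line tells the reader to "reduce the UDP timeout to 30 seconds"; the heading and the instruction point in opposite directions, so one of them should be corrected, and "Advance tab" should read "Advanced tab" as in the NAT section. The added Access Policy table also sets Destination to "Any" for SIP (UDP 5060), while the NAT rule in the same revision is scoped to the Address Group for the SIP servers (52.5.220.123 or 54.200.236.200); consider using that same group as the destination here so the rule is no wider than the traffic it is meant to cover. The revision also drops the earlier notes on IPS "Prevent Low Priority Attacks" and the SonicOS 6.2.7.1 warning without saying whether they no longer apply.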

Revision as of 18:47, 18 November 2021

Disable SIP Header Transformations and Enable Consistent NAT

The SonicWALL SIP ALG is called SIP Header Transformations. It should be Disabled, and Consistent NAT should be Enabled.
[Image: Sonicwallcnsht.png]

Create Outbound NAT Policy and Disable Source Port Remap

In some cases the SonicWALL will remap the 5060 and 10000-20000 UDP source ports, causing one-way audio and calls dropping after 30 seconds.

To resolve this, create an inside to outside rule like the following:

Original Source: PBX Private IP
Translated Source: IP of the WAN interface (X1 IP for example)
Original Destination: Address Group for our SIP servers (52.5.220.123 or 54.200.236.200)
Translated Destination: Original
Original Service: Service Group including 5060 UDP and 10000-20000 UDP
Translated Service: Original
Inbound Interface: Any
Outbound Interface: WAN interface (X1 for example)

After that, go to the Advanced tab, check the box for "Disable Source Port Remap", and click OK.
[Image: Sonicwallspr.PNG]
Once completed, the PBX will always use the proper source ports on the WAN side.
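
One way to confirm the NAT policy is holding is to look at a WAN-side capture and flag any outbound packet to the SIP servers whose source port was remapped. The script below is an added example, not part of the original wiki page or IPitomy's tooling; it assumes text lines in `tcpdump -n udp` form, and the WAN address 203.0.113.10 and the sample lines are constructed placeholders.

```python
import re

# Values from the page: SIP server addresses and the PBX port ranges.
SIP_SERVERS = {"52.5.220.123", "54.200.236.200"}
SIP_PORT = 5060
RTP_PORTS = range(10000, 20001)  # 10000-20000 UDP inclusive

# Assumption: lines come from `tcpdump -n udp` on the WAN side of the firewall.
FLOW_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def find_remapped(lines, wan_ip):
    """Return (source_port, reason) for outbound packets with a remapped source port."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m or m["src"] != wan_ip or m["dst"] not in SIP_SERVERS:
            continue  # inbound, unrelated, or unparsable line
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == SIP_PORT and sport != SIP_PORT:
            findings.append((sport, "signaling not sourced from 5060"))
        elif dport != SIP_PORT and sport not in RTP_PORTS:
            findings.append((sport, "media sourced outside 10000-20000"))
    return findings

# Constructed sample capture; 203.0.113.10 is a placeholder WAN (X1) address.
WAN_IP = "203.0.113.10"
SAMPLE = [
    "10:15:01.100000 IP 203.0.113.10.5060 > 52.5.220.123.5060: SIP: REGISTER sip:pbx.example.invalid SIP/2.0",
    "10:15:02.200000 IP 203.0.113.10.12004 > 52.5.220.123.34562: UDP, length 172",
    "10:15:31.300000 IP 203.0.113.10.61012 > 54.200.236.200.5060: SIP: REGISTER sip:pbx.example.invalid SIP/2.0",
    "10:15:32.400000 IP 203.0.113.10.43210 > 52.5.220.123.34562: UDP, length 172",
    "10:15:33.500000 IP 52.5.220.123.5060 > 203.0.113.10.5060: SIP: SIP/2.0 200 OK",
    "10:15:34.600000 IP 203.0.113.10.53124 > 198.51.100.53.53: UDP, length 40",
]

if __name__ == "__main__":
    for sport, reason in find_remapped(SAMPLE, WAN_IP):
        print(f"source port {sport}: {reason}")
```

An empty result on a capture taken during a live call means signaling is leaving from 5060 and media from 10000-20000, which is what the "Disable Source Port Remap" setting is meant to guarantee.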

Create Access Policy with Increased UDP Timeout

This is most often seen in cloud deployments: phones go REACHABLE/UNREACHABLE, with complaints of calls going directly to voicemail and BLFs not lighting properly.

To fix this, add a LAN to WAN Access Policy as follows:

From Zone: LAN
To Zone: WAN
Service: SIP (UDP 5060)
Source: Any
Destination: Any
Users Allowed: All
Schedule: Always On

Navigate to the Advanced tab and reduce the UDP timeout to 30 seconds. Once saved, phones should remain REACHABLE.