Enable SIP Transformations for LAN to LAN

LTAdmin Newbie ✭
edited March 2022 in Mid Range Firewalls

I have a question about the SonicWall Config for VOIP phones. I have softphones on Interface X0 (LAN zone) communicating with a phone system on interface X4 (LAN Zone). The documentation says:

“Selecting Enable SIP Transformations transforms SIP messages between LAN (trusted) and WAN/DMZ (untrusted).”

So, my question is – Is this only for LAN to WAN traffic? Or will this also transform SIP messages between LAN and LAN? 

More details:

NSA 3600 with SonicOS Enhanced 6.5.3.2-14n

Interface X0: 192.168.1.1/24, LAN Zone, network for computer laptops and servers.

Interface X4: 172.26.0.2/24, LAN Zone, network for phone system and IP desksets.  

Firewall access rule allows any and all from LAN to LAN.

NAT Policy translates the source to X4 IP for Inbound X0 to outbound X4.

The softphone (installed on a laptop) can connect to the phone system, get dial tone, and place a call. But I have a situation of “they can hear me, but I can’t hear them”. So, it looks like I need to enable SIP Transformations. But the documentation seems pretty specific about LAN to WAN and doesn’t mention anything about LAN to LAN.

Seems like a simple omission, but I'd like to know if anyone knows for sure before I proceed.

Thanks!

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @LTAdmin

    That's an interesting question, but in my opinion I would not touch the SIP transformation. I honestly cannot tell you if this works on LAN-LAN.

    If both interfaces are in the same Zone (LAN) you don't need any helpers or NAT rules. If the access rules allow ANY-ANY-ANY you're good to go. You should just make sure that the connections are running into timeouts.

    Why do you hide the X0 addresses to X4 via NAT? I would get rid of this NAT, just make sure your X4 network devices have a default route to X4 IP or at least a route to X0 network. Vice-versa for X0.

    --Michael@BWC

  • LTAdmin Newbie ✭

    Hi Michael, Thanks for the response.

    It’s a little complicated. Originally, our phone system network and computer system network were completely separate – physically and logically. In fact, before I came to work here, they even had the same IP subnet addresses (both were at 192.168.1.0/24).  

    The phone network has a Ubiquiti firewall connecting to Spectrum (dedicated circuit) with SIP trunks.

    The computer network has the SonicWall firewalls connecting to Google Fiber (much greater bandwidth, but NOT dedicated circuit suitable for VOIP.)

    But this presents a problem now that we have people working from home. They can run a softphone on their laptop and connect to the phone system through the Ubiquiti VPN. Or they can connect to the SonicWall VPN to access servers and printers. But they can’t do both at the same time. So, we want to set it up so that they can connect to the SonicWall and have access to both internal LANs. That’s the real reason for setting all this up.  

    The equipment on the phone network is set with their gateway at the Ubiquiti firewall. Therefore, the NAT is required to make sure traffic coming from the computer LAN through SonicWall X4 RETURNS to X4. (The first thing we did was change the IP subnet for the phone network.)

    “Enable SIP Transformations” is required to fix the problem “they can hear me, but I can’t hear them”. Apparently, VOIP traffic has a field in the layer 7 header that includes the IP address. And “Enable SIP Transformations” replaces that with the NAT address so that 2-way VOIP connections can be made appropriately. At least that’s how I understand it at this point. As with everything, this has been a rapid learning curve for me. The access rules do allow ANY-ANY-ANY. But that’s a layer 3 thing. Apparently there’s some additional issue at layer 7 that’s fixed by “Enable SIP Transformations”. 

    I tried checking the boxes to see what happens, but no luck. But then the thought occurred to me: I’m testing from inside the building where I can connect a laptop with a softphone to the computer LAN, thus my question about LAN to LAN. However, what we REALLY need is for our home workers to be able to do this. So maybe I should test from home. That would be WAN to LAN.  

    If it works from home (WAN to LAN), but doesn’t work in the building (LAN to LAN) then that would answer my original question… and then make the question irrelevant 😊

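Added illustration, not from the thread and not SonicWall code: a small Python sketch of the layer-7 problem described in the second post. The INVITE, the addresses and the function names are constructed; it shows the SDP `c=` line that the phone system uses as the destination for return audio, why that fails when only layer-3 NAT is applied, and the header/SDP rewrite that an ALG such as SIP Transformations performs (a real ALG also tracks the RTP ports to open pinholes; this only rewrites addresses).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed SIP INVITE as a softphone on X0 (192.168.1.50) would send it
# to a phone system on X4 (172.26.0.10). Values are illustrative only.
INVITE = (
    "INVITE sip:2001@172.26.0.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

INSIDE_IP = "192.168.1.50"            # softphone address on X0
NAT_IP = "172.26.0.2"                 # X4 interface IP used as NAT source
PHONE_NET = ip_network("172.26.0.0/24")  # X4; hosts default-route elsewhere


def media_address(msg: str) -> str:
    """Return the address the callee will send RTP to: the SDP c= line."""
    m = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    if not m:
        raise ValueError("no SDP connection line")
    return m.group(1)


def return_audio_reachable(msg: str, callee_net=PHONE_NET) -> bool:
    """Can a phone-network host reach the advertised media address?
    Only same-subnet addresses count here, because those hosts' default
    gateway is the Ubiquiti, not the SonicWall X4 interface, so return RTP
    to an X0 address never comes back through the firewall (one-way audio)."""
    return ip_address(media_address(msg)) in callee_net


def transform(msg: str, inside: str = INSIDE_IP, nat_ip: str = NAT_IP) -> str:
    """Rewrite the inside address to the NAT address in the signalling headers
    and SDP lines that carry it, as a SIP ALG does on top of layer-3 NAT."""
    out = []
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:", "o=", "c=")):
            line = line.replace(inside, nat_ip)
        out.append(line)
    return "\r\n".join(out)
```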
This discussion has been closed.