Getting a Sonicwall To Stop Port Remapping Guidance needed
I'm pulling hairs out over sonicwall still remapping sip ports on our devices. I'll list out my steps so far, but if anyone has a successful guide to preventing ports from being remapped by this device on UDP please share your steps or review my own for missing ones.
-Checked off every single setting, ensuring that only sip transformations are enabled in this VOIP section of Firewall.
2)In Network-DHCP Server Settings-Lease Scopes
selected Add static
set IP desired under IP address, set MAC under ethernet address, left lease time at 1440, set gateway & subnet from CMD-ipconfig/all found data.
Added services: named R!ATAFaxUDP
5060-5080 UDP ports
4) -Network-NAT Policy/Rules (2 entries)
Named: No SIP Port Remap WAN-To-LAN & No SIP Port Remap LAN-To-WAN
Source LAN Destination WAN for Service R!ATAFaxUDP
Source WAN Destination LAN for Service R!ATAFaxUDP
Under Advanced for both of these, unchecked 'source port remap'.
Rebooted devices, issues persist. 😓
What firmware are you running? Generally, using SIP Transformations on a Sonicwall is NOT recommended. Using Consistent NAT on the VoIP page is though.
Have you gone through the articles?
Have you contacted your ISP to ensure they don't have SIP ALG turned on on their equipment. Make sure your SIP endpoint is aware of the NAT in play.
I was mistaken on that point, 'Consistent NAT' is the only setting that's enabled, not SIP transformations, excuse the error.
Regarding the SIP endpoint, it has a field dedicated to the SIP port, and every time a port is selected, the Sonicwall remaps it. The process was repeated half a dozen times. What sort of settings make an endpoint aware of 'nat in play'? SIP devices often have a NAT section, but this is often a 'manual NAT' (a tool to configures the IP address to be advertised in SIP signaling/invites on the network) or one of many protocols like ICE, STUN, or TURN to better register a device, not particularly keep a SIP Port.
I'm going through the articles now and will follow up but please advise on what you mean..
"What sort of settings make an endpoint aware of 'nat in play'?"
Typically a PBX or phone will have a setting to tell it if it is behind a NAT device and what the external public IP of the NAT is.
Is the endpoint on the latest firmware? What is the endpoint?
-How to troubleshoot common VoIP issues? This addresses audio issues and quality issues. Nothing about port remapping.
-Basic information for successful troubleshooting of Voice over IP issues. This is a list of info to provide to no one in particular. The basics of forum posts are to share your own attempts and insight, and provide more information on request. If no one has requested all this extra information, it'll only make my post seem more cumbersome to deal with won't it?
-VoIP: Poor quality or calls getting dropped - This addresses quality and call drops. It provides some steps to move voip traffic away from some firewall/security options, but doesn't outright mention the port remapping steps/concerns. We'll perform these steps to see if it affects port remapping.
-Trouble shooting a scenario where Source remap is causing the VOIP issues - This article is exactly what we need, it describes the issue perfectly, but it has already been followed. Ports are still being remapped by the Sonicwall. Identical devices using the same VOIP service don't see remaps when routed away from the Sonicwall.
Regarding NAT, Endpoint is on the latest firmware, device is a Grandstream HT801 Fax ATA. It includes STUN options and a NAT yes/no option. I've attached a screenshot of all the nat settings available.
What other requisites are required for this port remap concern? It comes up far too often in VOIP for there to be one
barebones article and gishgallop article lists whenever it's asked about. The same device can pull accurate SIP ports when we rule out the sonicwall in the exact same network and cabling environment. What is the full list of settings/steps to avoid ource/port remaps?
Can you send screenshots of your NAT rules or at least better descriptions? Are you allowing inbound SIP to this fax ATA?
Thanks for the follow up, I'm gathering screenshots of the full NAT rule list and the firewall/network policies amount to:
Zones: 'lan to wan any service for device IP of fax' this is repeated for sip port range 5060-5100
Zones: 'wan to lan any service for device IP of fax' this is repeated for sip port range 5060-5100
Updates to follow!