Is this access rule safe?
My client has VoIP phones that were having intermittent issues (sometimes no dial tone, sometimes calls drop), so I called SonicWall Support. The support engineer created a couple of NAT rules and an access rule. The access rule is as follows: for Source, Zone/Int. = WAN, Address = Any, Port/Service = Any; for Destination, Zone/Int. = LAN, Address = X1 IP, Port/Service = Any. We disabled all inspection of traffic that uses this rule. I have faith in the S.Wall support staff, but I can't get this wrong, so I have to ask the question: "Doesn't this leave a big hole in my firewall, letting virtually anything in?" My initial thought was for the destination service to be "SIP Group", which contains SIP-TCP and SIP-UDP, but that didn't solve the issue, presumably because the phones use other ports, which we saw in a packet capture. Greatly appreciate any input. Thanks.
Answers
@SWall_Forever this Access Rule sounds insanely stupid, but to assess the risk the accompanying NAT rules are crucial. Only the traffic that gets NATed will hit the Access Rule.
What is the destination of your NAT rules, your PBX? In my opinion there is no need for inbound rules to get VoIP working properly, but it depends on the environment. Diagnosing VoIP issues can be a hassle.
—Michael@BWC
Is Address=X1 IP the address of the VoIP phone in the LAN?
I suggest trying changes in the VoIP settings. First, enable "Enable SIP Transformations" only.
Of course, remove the NAT rule first.
Thanks, folks. Below are the two NAT rules they had me create; the first is outbound, the second inbound. Phones-All is an address group that all the phones are in. There isn't an on-premises switch; the phones connect directly to a cloud switch. The phone vendor told me to absolutely not enable SIP ALG, but to enable consistent NAT. Source port remap is enabled on both NAT rules.
OUTBOUND RULE (Original - Translated):
Source: Phones-All - X1 IP
Destination: Any - Original
Service: Any - Original
Inbound Int: Any
Outbound Int: Any
INBOUND RULE (Original - Translated):
Source: Any - Original
Destination: X1 IP - Phones-All
Service: Any - Original
Inbound Int: X1
Outbound Int: Any
Thanks again.
Either you missed something or that inbound rule does nothing. If it does not rewrite the destination then the traffic will just hit the firewall itself, but fortunately I think nothing will happen if management is not enabled on the corresponding access rule.
"Source: Any" is never good from a security POV.
You most likely want source port remapping disabled, not enabled.
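Added example, not code from any poster or from SonicWall: a simplified model of the inbound NAT rule and the WAN-to-LAN "Any/Any" access rule from this thread, used to check what that pair actually exposes (the point made above that only NATed traffic reaches the access rule, and that without a rewrite the traffic is addressed to the firewall itself). It assumes inbound NAT is matched first, that the access rule is matched on the pre-NAT destination address but with the zone of the post-NAT destination, and that unmatched traffic is dropped; all addresses, the phone member and the SIP port set are constructed.

```python
# Simplified SonicWall-style inbound pipeline: NAT policy first, then the
# access rule on the ORIGINAL destination with the TRANSLATED zone (assumed).
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, FrozenSet

X1_IP = "203.0.113.10"        # constructed WAN (X1) address
PHONE = "192.168.10.21"       # constructed member of the Phones-All group
LAN_HOSTS = {PHONE, "192.168.10.22", "192.168.10.50"}
SIP_PORTS = frozenset({5060, 5061})   # constructed stand-in for "SIP Group"

@dataclass(frozen=True)
class NatRule:                # inbound: original destination -> translated
    orig_dst: str
    xlat_dst: Optional[str]                   # None = "Original" (no rewrite)
    ports: Optional[FrozenSet[int]] = None    # None = service "Any"

@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst_addr: str                             # compared with pre-NAT destination
    ports: Optional[FrozenSet[int]] = None    # None = service "Any"

def zone_of(ip):
    if ip == X1_IP:
        return "SELF"          # addressed to the firewall itself, not to LAN
    return "LAN" if ip in LAN_HOSTS else "WAN"

def evaluate(nat_rules, access_rules, src_zone, dst_ip, dst_port):
    """Return (action, final destination) for one inbound packet."""
    final_dst = dst_ip
    for nat in nat_rules:               # first matching NAT policy wins
        if nat.orig_dst == dst_ip and (nat.ports is None or dst_port in nat.ports):
            final_dst = nat.xlat_dst or final_dst
            break
    for rule in access_rules:           # first matching access rule wins
        if (rule.from_zone == src_zone and rule.to_zone == zone_of(final_dst)
                and rule.dst_addr == dst_ip
                and (rule.ports is None or dst_port in rule.ports)):
            return "allow", final_dst
    return "deny", final_dst            # implicit default deny

# Policy as described in the thread: service Any on both NAT and access rule.
CURRENT = ([NatRule(X1_IP, PHONE)], [AccessRule("WAN", "LAN", X1_IP)])
# Same structure restricted to the SIP ports (the restriction the asker tried).
TIGHTER = ([NatRule(X1_IP, PHONE, SIP_PORTS)], [AccessRule("WAN", "LAN", X1_IP, SIP_PORTS)])

def exposed_ports(policy, probe_ports):
    """Ports on which a WAN host reaches the phone through the firewall."""
    nat_rules, access_rules = policy
    return sorted(p for p in probe_ports
                  if evaluate(nat_rules, access_rules, "WAN", X1_IP, p)[0] == "allow")
```

With the thread's policy every probed port of the phone is reachable from the WAN, while with the NAT rules removed the same access rule matches nothing because the traffic stays addressed to the firewall itself.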