Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 4294 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Inbound Firewall Rule For Cloud Pbx

Ken7631

Hi, I was hoping someone could help me regarding a firewall rule related to a cloud pbx. Lets say I have two IP phones (172.16.10.10/24 & 172.16.10.11/24). They register out to a cloud pbx with a public IP address of 76.31.11.5 using UDP port 5060 for registration and they use UDP ports 10000-10200 for RTP speech path. If I create a LAN to WAN user/network rule of:

Source Zones --> LAN
Source Network --> IP Phone Subnet
Destination Zones --> WAN
Destinations Network --> Cloud Pbx IP Address
Services: SIP & RTP

This will allow me to register the phones and call out fine but if there hasn't been an outbound call in awhile then the ports that were being used for outbound were eventually closed and an inbound call will just drop. My question is do I need to create a WAN to LAN user/network inbound rule of say:

Source Zones --> WAN
Source Network --> Cloud Pbx IP Address
Destination Zones --> LAN
Destinations Network --> IP Phone Subnet
Services: SIP & RTP

I ask because I thought you would always need to create a Business Application Rule --> DNAT for uninitiated inbound connections. I really appreciate any help, thank you.



This thread was automatically locked due to age.
  • +1

    Hi

    First of all I would like to say thanks for the detail description.

    LAN to WAN rule will allow outbound connection and outbound call from your VoIP phones.

    But if we consider the fact for Inbound call then flow would be like this: Outside VoIP connector  --> Internet cloud  --> XG Gateway --> LAN switch --> VoIP phone.

    Without DNAT rule XG will not be able to forward VoIP traffic to your LAN VoIP Phones as that traffic is unknown to XG ( without DNAT rule ) and traffic will be dropped.

    DNAT may required in your case and you may configure the DNAT rule and later on any challenges you may give a try with advance CLI steps:

    DNAT rule : https://community.sophos.com/kb/en-us/122976

    VoIP advance settings CLI command :

    https://community.sophos.com/kb/en-us/127785

  • 0 in reply to Vishal_R

    Hi Vishal,

    That's what I thought. Thank you for taking the time to respond and clearing this up.

  • 0 in reply to Ken7631

    I have a question for you? How does your VoIP provider find your network if the connection has dropped? Most VoIP PBXs keep a logged in session to the external provider active for incoming calls, so in reality you would not need an incoming firewall rule.

    ian

  • 0 in reply to rfcat_vk

    Hi Ian,

    Thank you for taking the time to respond to me. I’d be grateful for any help regarding firewalls. I’ve been using the SG and XG for a little bit now but am learning new stuff everyday thanks to this forum and great posters like yourself. I actually have two scenarios. The first:

    The IP phones register out to a provisioning server that has the SIP server address of the cloud based pbx. The cloud pbx whitelists the public IP address of where the IP phones are and all outbound calls work fine. Periodically the calls will have no audio on an inbound call. I originally thought since the IP phone is allowed everything it needs port wise on an outbound connection that the firewall would always keep a live connection with the IP phone and cloud pbx so it would keep the ports open as long as the phone was plugged in. I was then told that you would need to DNAT port 5060 for the phones to register and DNAT the RTP ports also for speech path since this is an uninitiated connection from the outside to the firewall.

    The second scenario is we have a SIP to analog device so an ATA. It registers out to the same cloud pbx and the device on site converts it to analog via fxs ports. They are having the same issue. Their IT company has made a DNAT rule in the SG that has ports 5060 to the IP of the grandstream but have not done the same for the RTP ports.

    Any help regarding this is very much appreciated. Thank you.