We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

How do I use an SIP VoIP system through the Barracuda NG Firewall?

  • Type: Knowledgebase
  • Date changed: 7 years ago
Solution #00005845

Scope:
This solution applies to Barracuda NG Firewall, all firmware versions.

Answer:
SIP VoIP Servers communicate with the SIP provider using dynamic ports and address information via SDP (Session Description Protocol) and RTP (Realtime Transport Protocol). 
 
To work around issues with NAT, the NG Firewall provides a plugin module to read these details as they happen and use them without compromising the protection.
 
The setup will end up looking like this:























 
All configuration is done in the Forwarding Rules.

We suggest you create the following network and service objects for use, though it is also possible to explicitly configure these directly in the rules themselves as well. 
 
If you wish, you can choose alternative names for any of the objects or the reference “asterisk” in the service objects, as long as you change the details everywhere.
 
Network Objects
  • SIP-Asterisk: Internal IP of your SIP VoIP server
  • SIP-SipGate: External IP of your SIP VoIP provider
 
Service Objects
  • SIP:
    • Protocol UDP
    • Port Range 5060
    • PlugIn “sip srvname=asterisk”
    • all other values unchanged











































  • RTP:SIP
    • Protocol UDP
    • Dyn. Service “RTP:asterisk” (this is the same “asterisk” as defined above; if you change the server name, do it in both)
    • Balanced Timeout 60
    • all other values unchanged


 



































Firewall Rules
You need 3 rules in total, two for the session negotiation and one for the VoIP data.
  • SIP-LANtoGATEWAY
This rule is for establishing an outbound connection from the server on the LAN to the SIP provider.
  • Type: Pass
  • Source: SIP-Asterisk
  • Service: SIP
  • Destination: SIP-SipGate
  • Connection: Dynamic Source NAT (Proxydyn)

































  • SIP-GATEWAYtoLAN
  • This rule is for inbound connections from the SIP provider.
    • Type: Redirect
    • Source: SIP-SipGate
    • Service: SIP
    • Destination-Redirected: [external firewall IP]
    • Destination-Target: check “Reference” and select SIP-Asterisk
    • Connection: No Source NAT (Client)

































  • SIP-RTP-Asterisk
  • This rule is for the data.
    • Type: Pass
    • Source: SIP-Asterisk
    • Service: RTP:SIP
    • Destination: SIP-SipGate
    • Connection: No Source NAT (Client)
    • Check 2-Way Policy


 

























Once you have created the rules, please test your VoIP connections to ensure that everything is working properly.

Link to This Page:
https://campus.barracuda.com/solution/50160000000IflqAAC