How do I configure my Sonicwall to allow VoIP phones?

ideamatics
ideamatics used Ask the Experts™
on
I have a Sonicwall TZ190 and just purchased IP phones from 8x8.  When I connect the phones to my network, i get a message that says "Not connected".   The folks at 8x8 said that I need to adjust my firewall settings to enable QoS and to disable SPI.  They also provided this link: http://www.8x8.com/Support/BusinessSupport/Documentation/QoSSettings.aspx

I'm a novice when it comes to the sonicwall and am looking for detailed steps as to how to configure my router to play nicely with my IP phones.  If you need any additional information from me, please let me know. Thanks in advance for your help!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Yes, try this:

go to start->run (or hold WindowsKey + R) to open run dialog

type and run: cmd

once command prompt is up, type: ipconfig

get the "Default Gateway"

type this ip address into firefox/ie

enter the login credentials (if you havent set this up before, try these combos:
admin/password
(blank)/password
(blank)/admin
linksys/admin
admin/linksys

if they don't work, a google search of "(ROUTER MODEL) default login" should help you.

Once in your router, go through all of the tabs looking for the options they mentioned.

Usually under WAN or Advanced settings, these options can sometimes be hidden in random places.

Best of luck!
Here is the manual for your router, it should have some additional help

Try your best, its not exactly easy when I'm not at your computer. If you get any further or need more help, post again here and I will check back

http://static.compusa.com/pdf/sonicwall-TZ190-manual.pdf

Author

Commented:
Hi themrobert - I have access to the firewall and can navigate freely inside the interface.  I checked the document you sent and it has nothing relating to VoIP or QoS.  Looking for step-by-step instructions on how to do this. thanks!
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Top Expert 2010

Commented:
Certainly make sure that your phones are getting an IP and gateway. Also, you might consider enabling SIP on your sonicwall. Login to the sonicwall and go to VoIP > Settings. Check the Enable SIP Transformations checkbox.

I read the link in your question and it seems that 8x8 simply wants you to purchase one of their routers. To configure QoS, you'd have to configure a number of things on the sonicwall. Enabling QoS simply says the VoIP traffic for the phones is always guaranteed a specific bandwidth. I don't think that's the problem. I think the phones simply aren't able to find the SIP Proxy (or whatever they are using) on the Internet.

I assume the phones came preconfigured, which might mean they aren't getting an IP locally in order to get a gateway and find their way out to the Internet. Essentially being unable to phone home.
Yes I agree with digitap.

Are you able to tinker with the interface on the phone (if any) to get to the network settings? If you are able to set this to DHCP so that it automatically gets an address, or at least configure it so that it is visible and has access to your network, it should then see the internet, and use the SIP Proxy that 8x8 provides.

At this point it definitely appears to be an issue with the network ip settings, (unless your router/firewall/isp blocks sip traffic or 8x8 which seems unlikely at this point.)
Top Expert 2010

Commented:
Rather than retype - this is directly out of the help regarding SIP transformations:

By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LAN) side behind the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients.

Selecting Enable SIP Transformations transforms SIP messages between LAN (trusted) and WAN/DMZ (untrusted). You need to check this setting when you want the SonicWALL security appliance to do the SIP transformation. If your SIP proxy is located on the public (WAN) side of the SonicWALL and SIP clients are on the LAN side, the SIP clients by default embed/use their private IP address in the SIP/Session Definition Protocol (SDP) messages that are sent to the SIP proxy, hence these messages are not changed and the SIP proxy does not know how to get back to the client behind the SonicWALL. Selecting Enable SIP Transformations enables the SonicWALL to go through each SIP message and change the private IP address and assigned port. Enable SIP Transformation also controls and opens up the RTP/RTCP ports that need to be opened for the SIP session calls to happen. NAT translates Layer 3 addresses but not the Layer 7 SIP/SDP addresses, which is why you need to select Enable SIP Transformations to transform the SIP messages.
 
      
Tip: In general, you should check the Enable SIP Transformations box unless there is another NAT traversal solution that requires this feature to be turned off. SIP Transformations works in bi-directional mode, meaning messages are transformed going from LAN to WAN and vice versa.

Author

Commented:
Ok I enabled the SIP transformations in the SonicWall (screenshot attached).  I power cycled my IP phone and it still says "No Service".  Do I need to check any of the other checkboxes on the VoIP Settings page?  Do I need to create a LAN-WAN rule to allow SIP?  
sonicwall.jpg
Top Expert 2010

Commented:
can you confirm the phone is getting a proper ip on the network?
amatson78Sr. Security Engineer

Commented:
Transformations are only needed if the provider/PBX is not doing transformations. Outbound traffic is un-restricted. As digitap asked are the phones registering to the provider? If you run a packet capture can you see the registration packets or are they being blocked?

Author

Commented:
I unhooked my phone and plugged the network cable in my laptop and confirmed that there is an IP and Default Gateway.  Not sure how to run a packat capture.  Any tips?   On my screenshot posted earlier, do i need to check any more of those checkboxes under SIP?
Top Expert 2010

Commented:
I'm concerned that all you've done is proven that your network cable is connected to the network and a device can get an IP address. However, how do you know the voip phone gets the proper IP configuration? Does something come up on the display of the phone? Did the vendor say you had to configure them with a static configuration?

Author

Commented:
The vendor did not specify that a static IP is needed.  I'm supposed to see a messaged called "Activate" when the phone is turned on.  Instead, I see a message "Not connected".  My hunch is that either the phone can't communicate with the outside world (WAN) or that the response from the host is blocked by my sonicwall (WAN -> LAN).  I'm fairly certain the sonicwall is the problem, but i'm unsure about the configuration to allow the phone to successfully communicate.  
amatson78Sr. Security Engineer
Commented:
Did you run a packet capture to confirm if the packets are being blocked?
Top Expert 2010

Commented:
Certainly capturing some packets would be helpful. Knowing the IP the voip phone is using would assist in the packet capture as well. I'm going to stand on the fact that if we can't tell what IP the voip phone is taking, then we can't be certain it's talking with the outside server. You could guess what the IP is by looking at the DHCP leases on your DHCP server. Once you know the IP, then we can be certain it "should" be communicating externally with the server.

With the IP of the voip phone, you can go to System > Packet Capture. Then, configure to capture packets of the IP of the voip phone. I'll leave the details of the packet capture config to amatson78. I have a feeling he's done that more than I have. Once we have some logged information, we can see why the traffic is being blocked.

Again, though, what is the internal IP of the voip phone?

Author

Commented:
When I connected my laptop to the network cable that the phone uses, the ip was 192.168.83.21.   I assume the IP phone would use the same IP number, correct?   I cleared my sonicwall log and then power cycled the IP phone.  Here is a screenshot of the log.  Anything look amiss?
sonicwall.jpg
Top Expert 2010
Commented:
Your laptop won't get the same IP as the IP phone. The DHCP server leases the IP address to a host device for a period of time. When the lease is up, it will query the device asking if it still needs it. If it doesn't, it puts the IP address back in the pool. If it does, then it simply renews the lease.

The only thing strange I see is something on the WLAN (skedouche003) is trying to connect with 192.168.83.1 (sonicwall i assume) and having its connection dropped.

I'm also seeing a broadcast connection dropped from 10.1.104.1, which may be nothing.

I still think you need to confirm your IP phone is getting an IP address from your DHCP server. Is the MAC address printed on the bottom of the phone? If it is, then you can match that up in the set of DHCP leases on your DHCP server.

Author

Commented:
I figured out the problem.  The good folks at 8x8 needed to activate my phone from their end.  Apparently the guy I spoke with initially did not think of this and simply blamed the sonicwall.  ugh.  thanks for all the help with this issue!
Top Expert 2010

Commented:
Sure. I'm glad it's working. Always be suspicious when they blame you but don't help you at least walk through and prove that "theory".

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial