
Firewall and NAT Configuration for SIP Trunks: What Breaks and How to Fix It

SIP is the protocol most commonly broken by firewalls and NAT. Most one-way audio, registration failures, and dropped calls trace back to the same set of configuration errors on the edge device.

Why SIP and NAT Fight Each Other

SIP is a self-referential signaling protocol: a request carries the sender's own address inside the message, not only in the IP header. An INVITE from a device behind NAT embeds its private IP (for example, 192.168.1.50) in the Via and Contact headers and, for media, in the SDP body (the c= connection line, with the port on the m= media line). The carrier sees the public IP in the IP header but the private IP in the SDP body, and sends RTP media to 192.168.1.50, which is unreachable from the internet.

This is the root cause of most one-way audio problems on new SIP trunk deployments. The carrier sends audio to the address in the SDP body, so the agent cannot hear the contact while the contact can hear the agent, or the reverse, depending on which leg's NAT is broken. Each direction of RTP is addressed independently, which is why one direction can work perfectly while the other is lost.

The fix is not complex, but it requires deliberate configuration at four layers: the firewall rules, the SIP ALG on the router, NAT traversal in the SIP stack, and the outbound NAT behaviour of the edge device.

Layer 1: Firewall Rules for SIP and RTP

A SIP trunk requires two categories of traffic:

  • SIP signaling: UDP and TCP on port 5060, or TCP 5061 for SIP over TLS. Some carriers also use UDP 5080.
  • RTP media: UDP on a port range. The default is 10000–20000 on Asterisk and 16384–32767 on FreeSWITCH; use the range your SBC is actually configured with, not a guess.

Minimum inbound allow rules for an outbound-originating SIP trunk (traffic from carrier edge to your SBC):

```
ALLOW UDP <carrier_ip_block> → <sbc_public_ip> 5060         # SIP signaling
ALLOW UDP <carrier_ip_block> → <sbc_public_ip> 10000-20000  # RTP media
```

Minimum outbound allow rules:

```
ALLOW UDP <sbc_public_ip> → <carrier_ip_block> 5060         # SIP signaling
ALLOW UDP <sbc_public_ip> → <carrier_ip_block> 10000-20000  # RTP media
```

Obtain the carrier's published signaling and media IP ranges from your custom SIP integration documentation and put exactly those ranges in the firewall allow list. Do not use 0.0.0.0/0 for RTP or for SIP: an open RTP range accepts media from anyone on the internet, and an open 5060 exposes the SBC to the scanning and registration attempts behind toll fraud. See the toll fraud hardening guide for RTP source IP restriction.

Stateful firewalls track TCP sessions well, but UDP has no handshake, so a UDP "session" is only the 5-tuple of packets the firewall has already seen. An outbound INVITE from your SBC on 5060 creates state that lets the carrier's 100 Trying and 200 OK back in on that same tuple, but the RTP streams use ports the firewall never saw in the signaling. Inbound RTP from the carrier matches nothing unless your side has already sent a packet on exactly that address and port pair, which early media and hold/resume do not guarantee. RTP therefore needs its own explicit rules.
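The allow list above, rendered as an nftables ruleset for a Linux-hosted SBC, with the checks a reviewer would want before it is loaded: the carrier ranges must be specific and public, the RTP range must be sane, and 0.0.0.0/0 is refused outright. This is an added example, not configuration from this page, the carrier, or any SBC vendor; the carrier ranges in it are constructed RFC 5737 documentation prefixes, and the function names (validate_ranges, sip_ruleset) are this example's own. It assumes nftables on the SBC host and that you add your own management rules (SSH and so on) before deploying, since the chain policy is drop.

```python
"""Generate an nftables input ruleset for a Linux-hosted SBC that admits SIP
and RTP only from the carrier's published ranges and refuses the open-to-the-
world settings the text warns against.

Added example, not code from this page or any vendor.  Carrier ranges used
below are constructed (RFC 5737 documentation prefixes); replace them with
the ranges from your integration guide.
"""
import ipaddress

# RFC 1918 space: a carrier edge never sources signaling or media from here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_ranges(ranges):
    """Return the carrier ranges as network objects, rejecting anything that
    would silently open the trunk to the internet or cannot be a carrier edge."""
    nets = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=True)  # host bits set -> ValueError
        if net.version != 4:
            raise ValueError(f"{r}: only IPv4 ranges are handled here")
        if net.prefixlen < 8:
            raise ValueError(f"{r}: too broad, would open SIP/RTP to the internet")
        if any(net.overlaps(p) for p in RFC1918):
            raise ValueError(f"{r}: private range, not a carrier edge")
        nets.append(net)
    if not nets:
        raise ValueError("no carrier ranges given")
    return nets


def validate_ports(lo, hi):
    """The RTP range must be a real UDP port span matching the SBC's own config."""
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError(f"bad RTP range {lo}-{hi}")
    return lo, hi


def sip_ruleset(carrier_ranges, sip_port=5060, rtp_range=(10000, 20000), tls_port=None):
    """Render the nft ruleset text: SIP on sip_port (and TCP tls_port if given)
    and RTP on rtp_range, each restricted to the carrier set.  Everything else
    aimed at the SIP port is counted and dropped so scanners show up in counters."""
    nets = validate_ranges(carrier_ranges)
    lo, hi = validate_ports(*rtp_range)
    elements = ", ".join(str(n) for n in nets)
    lines = [
        "table inet sip_edge {",
        "  set carrier {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority filter; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    ip saddr @carrier udp dport {sip_port} accept comment "SIP signaling"',
    ]
    if tls_port:
        lines.append(f'    ip saddr @carrier tcp dport {tls_port} accept comment "SIP over TLS"')
    lines += [
        # Carrier RTP is a brand-new UDP flow, not "related" to the INVITE that
        # set it up, so conntrack will not let it in: it needs its own rule.
        f'    ip saddr @carrier udp dport {lo}-{hi} accept comment "RTP media"',
        f'    udp dport {sip_port} counter drop comment "SIP from non-carrier source"',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed carrier ranges (documentation prefixes), for illustration only.
    print(sip_ruleset(["203.0.113.0/24", "198.51.100.0/24"], tls_port=5061))
    for bad in (["0.0.0.0/0"], ["192.168.0.0/16"]):
        try:
            sip_ruleset(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Write the output to a file, add your management rules to the input chain, and load it with nft -f; the comment strings appear in nft list ruleset, and the counter on the final drop rule tells you how much non-carrier SIP traffic is hitting the edge.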

Layer 2: SIP ALG — Disable It Unconditionally

SIP Application Layer Gateway is a feature built into most consumer and SMB routers. It was designed to help SIP traverse NAT by rewriting SDP bodies. It fails more often than it helps and should be disabled on every router in the path between your SBC and the internet.

SIP ALG breaks in common, hard-to-diagnose ways: it rewrites Contact and Via headers to point to the wrong IP or port, it corrupts SDP bodies by rewriting some address fields and not others, and it can do nothing useful for SIP-TLS because it cannot read the encrypted payload, so a deployment that was silently relying on the ALG's rewriting fails the moment it moves to 5061. Symptoms of an active SIP ALG: registration works but calls fail, one-way audio on some but not all calls, and intermittent 408 Request Timeout from the carrier.

Where to turn it off depends on the vendor. pfSense has no SIP ALG of its own; if the siproxd package was installed to "help" with SIP, remove it. On Cisco ASA, remove SIP inspection from the global policy: under policy-map global_policy, class inspection_default, enter no inspect sip (on older PIX/ASA images the equivalent is no fixup protocol sip 5060). On Juniper SRX: set security alg sip disable. On Ubiquiti EdgeRouter: set system conntrack modules sip disable. On any Linux router, unload or blacklist the nf_nat_sip and nf_conntrack_sip modules. Confirm the change with a packet capture taken on the outside of the firewall: the Via, Contact and SDP c= values must be identical to what the SBC sent.

Layer 3: NAT Traversal at the SBC

Your SBC or softphone must be told what its public IP address is so it can correctly populate the SDP body. Most SBCs support one of three methods:

Static NAT mapping: configure the SBC's external (public) IP explicitly. On FreeSWITCH, set <param name="ext-rtp-ip" value="<public_ip>"/> and <param name="ext-sip-ip" value="<public_ip>"/> in the Sofia profile. On Asterisk with chan_sip, set externip=<public_ip> and localnet=192.168.0.0/255.255.0.0 in sip.conf; with chan_pjsip, set external_media_address=<public_ip>, external_signaling_address=<public_ip> and local_net=192.168.0.0/16 on the transport section in pjsip.conf. The localnet setting is not optional: it tells the stack which peers are on the inside, so it advertises the private address to them and the public address to everyone else.

STUN: the SBC queries a STUN server at startup to discover its public IP and port mapping. Acceptable for smaller deployments; not recommended for production outbound floors. It adds UDP keepalive traffic, it makes the SBC depend on an external STUN server staying up, and it only works behind NATs that use the same public port regardless of destination; behind a symmetric NAT the mapping STUN discovers is not the one the carrier sees.

Dedicated public IP with no NAT: the cleanest architecture. Assign a static public IP directly to the SBC interface (or use 1:1 NAT where the SBC is always told the public IP). Most outbound call center SBCs (AudioCodes Mediant, Ribbon SBC-SWe, Kamailio) are designed to run in this mode.

Layer 4: Outbound NAT and Port Preservation

For outbound SIP over UDP, NAT must preserve the source port. An SBC registering from UDP/5060 must be translated to <public_ip>:5060, not to a random ephemeral port. The Contact it registers advertises port 5060, so if the public mapping uses some other port, the carrier's inbound INVITEs and OPTIONS keepalives are sent to <public_ip>:5060, where no mapping exists, and are silently dropped: registration appears to succeed, then the keepalives go unanswered and the carrier times the registration out. UDP mappings also expire when idle, typically within a minute, so enable the SBC's own keepalives (qualify in Asterisk, the OPTIONS ping on a FreeSWITCH gateway) to hold the mapping open between calls.

On pfSense, enable "Static Port" on the outbound NAT rule for the SBC's source address; pfSense randomizes source ports by default. On Cisco IOS, use ip nat inside source static udp <sbc_local_ip> 5060 <public_ip> 5060. Linux iptables and nftables SNAT keep the original source port unless it collides with an existing mapping, so on a Linux edge the thing to avoid is the random or fully-random flag on the SBC's SNAT rule. Verify with a SIP trace (sngrep or tshark on port 5060) taken on the outside of the firewall that the source port in carrier-received packets is 5060, not a translated ephemeral port.

Diagnosing NAT and Firewall Problems

sngrep is the fastest way to diagnose SIP issues on Linux. Install it on the SBC host and capture; the BPF filter is passed as the trailing argument, and -r includes the RTP streams so you can see where media actually goes:

```bash
sngrep -d eth0 -r host <carrier_sip_ip>
```

A successful outbound call sequence: INVITE → 100 Trying → 180 Ringing → 200 OK → ACK. Read the stall point carefully. If the INVITE keeps retransmitting and nothing at all comes back, either it never reached the carrier or the reply never reached you: check firewall egress and confirm your public IP is on the carrier's allow list. If you get 100 Trying and then nothing, the carrier did receive the INVITE and the firewall is not the problem; the call is stuck in the carrier's routing. If you receive a 200 OK but audio is one-way, compare the two SDP bodies. The c= line in the carrier's 200 OK should be a public IP (that is where you send RTP). Your own SDP is in the INVITE on an outbound call and in your 200 OK on an inbound one; its c= line must show your public IP, not a private one. If it shows the private IP on a capture taken outside the firewall, Layer 3 is not configured; if it is correct inside the firewall but different outside, a SIP ALG is rewriting it.
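The check just described, and the rewrite the static NAT mapping of Layer 3 performs, as runnable code. This is an added example and not code from this page, Asterisk or FreeSWITCH; nat_leaks, apply_external_ip and the other names are this example's own. The INVITE it inspects is constructed: 192.168.1.50 is the SBC's private address and 203.0.113.10 (a documentation prefix) stands in for its public address. The same nat_leaks call, run on a capture taken inside the firewall and again on one taken outside, also shows whether a SIP ALG has rewritten anything in between.

```python
"""Find the NAT leak described above in a SIP message and show the rewrite
that externip/localnet (Asterisk) or ext-sip-ip/ext-rtp-ip (FreeSWITCH)
performs.  Added example, not code from this page or either project.
"""
import ipaddress
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
REWRITE_HEADERS = ("Via", "Contact")   # headers carrying the sender's own address
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for RFC 1918 space; documentation and public ranges are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in RFC1918)


def parse_sip(raw):
    """Split a message into start line, ordered (name, value) headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = [(n.strip(), v.strip()) for n, _, v in
               (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body


def nat_leaks(raw, src_ip):
    """List where a private address reaches the far side: Via, Contact and the
    SDP c= line are checked against the IP-header source address.  On the
    inside leg (private source) private addresses are expected, so nothing is
    reported; an empty list on the outside leg means the fix-up worked."""
    if is_rfc1918(src_ip):
        return []
    _, headers, body = parse_sip(raw)
    leaks = [f"{name}: {ip}" for name, value in headers if name in REWRITE_HEADERS
             for ip in IPV4.findall(value) if is_rfc1918(ip)]
    m = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if m and is_rfc1918(m.group(1)):
        leaks.append(f"SDP c=: {m.group(1)}")
    return leaks


def apply_external_ip(raw, public_ip, localnets, peer_ip):
    """Model of the static-mapping fix: when the peer is outside every localnet,
    swap private addresses in Via, Contact and the SDP o=/c= lines for the
    public IP and recompute Content-Length.  Peers inside a localnet keep the
    private addresses, which is what localnet/local_net is for."""
    if any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(n) for n in localnets):
        return raw
    start, headers, body = parse_sip(raw)

    def swap(text):
        return IPV4.sub(lambda m: public_ip if is_rfc1918(m.group(0)) else m.group(0), text)

    body = "\n".join(swap(l) if l.startswith(("c=", "o=")) else l for l in body.split("\n"))
    wire_body = body.replace("\n", "\r\n")
    out = [start]
    for name, value in headers:
        if name in REWRITE_HEADERS:
            value = swap(value)
        elif name == "Content-Length":
            value = str(len(wire_body.encode()))   # body may have changed length
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n" + wire_body


# Constructed sample: the INVITE an SBC at 192.168.1.50 emits with no NAT fix-up.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 10024 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip.carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:agent@sip.carrier.example>;tag=1928301774\r\n"
    "To: <sip:+15551234567@sip.carrier.example>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:agent@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)

if __name__ == "__main__":
    print("seen by the carrier, no fix-up:", nat_leaks(SAMPLE_INVITE, "203.0.113.10"))
    fixed = apply_external_ip(SAMPLE_INVITE, "203.0.113.10", ["192.168.0.0/16"], "198.51.100.5")
    print("after ext-sip-ip/ext-rtp-ip:   ", nat_leaks(fixed, "203.0.113.10"))
```

Call-ID is deliberately left alone by the rewrite: it is an opaque dialog identifier that must stay constant even though it happens to contain the private address, and changing it would break the call, which is one of the partial-rewrite mistakes a SIP ALG makes.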

Takeaways

NAT breaks SIP by embedding private IPs in SDP bodies that the carrier cannot route to. Disable SIP ALG on every router in the path — no exceptions. Configure static external IP on your SBC, not STUN. Write explicit firewall allow rules for both SIP (5060) and RTP (your media port range) restricted to carrier IP ranges. Preserve source port on outbound NAT rules. Use sngrep to read the actual SIP message flow before guessing at the cause.

Carrier IP Ranges and Port Requirements

UnlimCall's signaling and media IP ranges are published in the custom SIP integration guide. Once your firewall and NAT are correctly configured, provisioning seats at flat-rate pricing across 33 markets is straightforward. The network edge details which PoPs serve each market and what source IPs to expect for media.