New firewall no RTP

At a couple of client sites I am changing router/firewalls and when using the new firewalls I have problems with trunk registration and media. The SIP trunk provider uses the PBX public IP for authentication.

At one site, the old router/FW is a Cisco RV016 and the configuration consists of the following:

  • A one-to-one NAT using the designated public IP and the PBX’s internal IP
  • The access rules are allow ANY to/from the SIP provider’s 2 IPs
  • Deny other traffic to the PBX’s IP

This has worked fine.

The new router/FW is a SonicWall, its config is similar:

  • A NAT rule ties the PBX to the designated public IP with original/original
  • The Access rule allows ANY to/from the SIP trunk provider

This results in no media. Calls can be placed but there is no audio.

If I open up 10000-65535 from ANY source I get media.

My two questions are: This seems vulnerable; is this the proper firewall ruleset? And, why did the RV016 work with presumably more restriction?

The problem was that the PBX was set to NAT and the FW was trying to do SIP inspection.
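A small Python model of that failure mode, added here as an example (not code from the original post or from any firewall vendor). It assumes constructed addresses (192.168.1.50 for the PBX, 203.0.113.10 as the designated public IP) and models SIP inspection as "rewrite the internal address in the SDP and open an RTP pinhole"; when the PBX's own NAT mode has already put the public address in the SDP, the inspection has nothing to map and no pinhole is opened, so only a static ANY-to-RTP-range rule lets media in.

```python
import ipaddress
import re

# Constructed SDP body as a PBX in NAT mode sends it: the public IP is already
# written into the c= line (203.0.113.10 is a documentation address).
SDP_FROM_NAT_MODE_PBX = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 10002 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

# The same call as the PBX sends it with NAT mode off (internal address).
SDP_FROM_PLAIN_PBX = SDP_FROM_NAT_MODE_PBX.replace("203.0.113.10", "192.168.1.50")

PBX_INTERNAL_IP = ipaddress.ip_address("192.168.1.50")  # constructed
PBX_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")    # constructed


def parse_media(sdp: str):
    """Return (connection address, audio RTP port) advertised in an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)$", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP lacks c= or m=audio line")
    return ipaddress.ip_address(conn.group(1)), int(media.group(1))


def sip_inspection(sdp: str):
    """Modelled SIP ALG (assumption; real vendor behaviour varies): if the SDP
    carries the PBX's internal address, rewrite it to the public IP and open a
    pinhole for the RTP port. If it already carries the public address there is
    nothing to translate, so no pinhole is opened. Returns (sdp, pinhole_open)."""
    addr, _port = parse_media(sdp)
    if addr == PBX_INTERNAL_IP:
        return sdp.replace(str(PBX_INTERNAL_IP), str(PBX_PUBLIC_IP)), True
    return sdp, False


def rtp_reaches_pbx(sdp: str, static_rtp_range=None) -> bool:
    """Inbound RTP for this call gets through if inspection opened a pinhole
    or a static access rule (lo, hi) covers the advertised RTP port."""
    _rewritten, pinhole_open = sip_inspection(sdp)
    if pinhole_open:
        return True
    _addr, port = parse_media(sdp)
    return static_rtp_range is not None and static_rtp_range[0] <= port <= static_rtp_range[1]
```

`rtp_reaches_pbx(SDP_FROM_NAT_MODE_PBX)` reproduces the no-audio symptom, adding the static range (10000, 65535) reproduces the workaround, and the plain-PBX body shows inspection doing its job once only one side performs the NAT rewrite.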