{{tag>Troubleshooting NAT Firewall}}
====== NAT and Firewall Settings for VoIP ======

===== ITSPA Best Current Practice (BCP) for on site phone systems ===== 

For secure deployment of an IP-PBX please see - [[http://www.itspa.org.uk/wp-content/uploads/1311-Recommendations-for-secure-deployment-of-an-IP-PBXV2.pdf|Recommendations for secure deployment of an IP-PBX - Version 2]]

===== SIP Trunks and Inbound  =====

==== Asterisk ====


  * Forward Ports **5060 UDP** for SIP to your Asterisk server (please note newer versions of Asterisk may use **5160 UDP** by default)
  * Forward  ports **10000 to 20000 UDP** for RTP (Voice) to your Asterisk server.

This configuration assumes you are using the default RTP ports 10000-20000.

==== FreeSWITCH ====

  * Forward port **5060 UDP** to your FreeSWITCH server.
  * Forward ports **10000 to 40000 UDP** to your FreeSWITCH server.

This assumes you are using the FreeSWITCH default RTP range 10000-40000.

FreeSWITCH will also need to be able to access DNS (port 53 UDP) and NTP (port 123 UDP, for time). These ports should not be forwarded but your firewall should allow this traffic to pass through if required.
==== Other IP-PBX ====

Refer to your documentation for which RTP ports you need to forward.


===== SureVoIP Hosted =====
==== Softphones ====
Do not configure any port forwarding as the SureVoIP Hosted platform handles network address translations (NAT) automatically.

If you need to allow a range of ports, please allow port 5060 UDP and TCP. 

RTP ports from the SureVoIP Hosted platform will be in the range 10000 to 40000.

Your internal RTP port will vary depending on which softphone client you are using.This is normally configurable from the advanced configuration page.

  * Ensure **SIP ALG** is **Off** (See [[troubleshooting:sip_alg:start|here]] for guidance on what [[troubleshooting:sip_alg:start|SIP ALG]] is and how to disable it)
  * Ensure **STUN** or **ICE** is **Off** or any //NAT traversal// settings

See our [[howtos:setup:start#softphones|softphone setup guides]] for guidance on connecting your software to SureVoIP
==== Deskphones ====

Allow ports **5060 UDP** and **10000 to 40000 UDP** to pass through your firewall to access your phones. Please //do not// use port forwarding.

Your internal ports may differ depending on your phone model. This is normally configurable from the advanced settings page.

  * Ensure **SIP ALG** is **Off** (See [[troubleshooting:sip_alg:start|here]] for guidance on what [[troubleshooting:sip_alg:start|SIP ALG]] is and how to disable it.)
  * Ensure **STUN** is **Off** or any //NAT traversal// settings.

See our [[HOWTOs:setup:start|phones setup guides]] for more info on setting up your phones to connect to SureVoIP.