SIPxNano IP-PBX Getting Started Guide, B • Firewalls and NAT, page 96

Working with Firewalls and NAT

For phones to make calls to parties on the other side of a firewall, you configure both the firewall and the phone.

• If your firewall is packet-based, you configure both the firewall and the phone to identify the ports that allow incoming VoIP traffic (SIP, RTP, and RTCP packets) to pass through it.
• If your firewall uses NAT (Network Address Translation) and is packet-based, you configure both the firewall and the phone to identify the firewall's external or Internet IP address in addition to identifying the ports for incoming VoIP traffic. See page 98.
• A proxy-based firewall must use a SIP-specific proxy. See page 99 for tips to help you set up phones in your installation.

Configure the firewall

This section provides an overview of the tasks that you will complete for your packet-based firewall when you prepare to use phones. Refer to the documentation provided with your firewall software for instructions.

Recording the external IP address

While you are working with the server or router that provides your firewall services, determine and record its external or Internet IP address for reference during firewall/phone configuration. This address may be identified as the WAN IP address, or with another label.

Opening VoIP ports

On your firewall, you define the ports to open for incoming SIP, RTP, and RTCP traffic.

• The SIP (Session Initiation Protocol) port is used for call control: setting up and tearing down calls. For SIP packets, you define a single port. The well-known port number for SIP is 5060.
• The RTP (Real-time Transport Protocol) port receives the audio for a call, and the RTCP (Real-time Control Protocol) port receives the control and media statistics stream. Two consecutively numbered ports are required per call to receive these packet streams. The default value for the first port is 8766.
• To allow a phone user to place calls on hold or make conference calls, four pairs (eight ports) are recommended. At a minimum, two ports are needed to support a single connection.

If your firewall has NAT, see page 98 for additional information.
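
The following Python script is an added example, not part of the SIPxNano guide or its software. It checks a list of ports opened on a firewall against the ports described above and reports both required ports that are still closed and opened ports that the phone does not need. It assumes the four RTP/RTCP pairs are numbered contiguously from the first RTP port; the function names and the "5060, 8766-8769" input format are hypothetical.

```python
"""Audit opened inbound ports against what one phone needs (added example)."""

SIP_PORT = 5060        # well-known SIP port named in the guide
FIRST_RTP_PORT = 8766  # guide's default for the first RTP port
CALL_PAIRS = 4         # guide's recommendation for hold and conference calls

def required_ports(first_rtp=FIRST_RTP_PORT, pairs=CALL_PAIRS, sip=SIP_PORT):
    """Return {port: role} for SIP plus each consecutive RTP/RTCP pair."""
    ports = {sip: "SIP"}
    for i in range(pairs):
        rtp = first_rtp + 2 * i  # assumption: pairs are contiguous
        ports[rtp] = f"RTP (pair {i + 1})"
        ports[rtp + 1] = f"RTCP (pair {i + 1})"
    return ports

def parse_ranges(spec):
    """Parse '5060, 8766-8769' into inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range: {part.strip()!r}")
        ranges.append((low, high))
    return ranges

def audit(opened_spec, **phone):
    """Return (missing, excess): needed-but-closed ports with their roles,
    and opened ports that serve no phone function."""
    need = required_ports(**phone)
    opened = set()
    for low, high in parse_ranges(opened_spec):
        opened.update(range(low, high + 1))
    missing = {p: role for p, role in need.items() if p not in opened}
    excess = sorted(opened - set(need))
    return missing, excess

if __name__ == "__main__":
    # Constructed sample: a firewall that opened only two of the four pairs.
    missing, excess = audit("5060, 8766-8769")
    for port, role in sorted(missing.items()):
        print(f"closed but required: {port} {role}")
    print(f"opened but not required: {len(excess)} port(s)")
```

With only two pairs open, as in the constructed sample, the phone can still carry a single call, but the ports for the third and fourth pairs are reported as closed. A wide range such as 8000-9000 passes the coverage check while exposing far more ports than the eight the guide calls for.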