Handling voip behind ION 1200S

T.Jain081923 — Wed, 11 Mar 2026 06:13:46 GMT

HI Everyone,

I am new to Palo Community, and having difficulty in getting sip trunk up and running behind the ION 1200S

We have a NEC PABX behind ION 1200S

SIP ALG is disabled

The carrier wants to receive the Public IP address as contact address but NEC is sending the local ip address

Thats the reason carrier is sending 403

Should I set a DNAT for the PABX to make it work?

Create Static NAT rule (Policies > NAT):
- Original Packet: Source zone untrust → trust; Source any (or SV9100 subnet); Destination ITSP IPs/FQDN (use FQDN objects); Service sip + RTP range (UDP 5060, 10020-10533).
- Translated Packet:
  - Destination: SV9100 IP A (SIP) on inbound.
  - Source: Static IP = your public IP (bidirectional checked).
Security policy: Allow sip/sip-trunk app-id, service UDP/TCP 5060 + RTP; log all sessions.
Critical: Disable SIP ALG (Device > Setup > Session > SIP ALG off) to prevent mangling of SDP/register headers.

Please help me to understand how i can make it work

Thanks & Regards

Tushar

Re: Handling voip behind ION 1200S

TomYoung — Wed, 11 Mar 2026 23:26:46 GMT

Hi @T.Jain081923 ,

SIP ALG on the NGFW inspects the SIP header to perform 2 functions: (1) open pinholes for the media traffic based upon the endpoint IP addresses and ports specified in the SIP packets, and (2) performs a NAT rewrite of SIP fields to change the private IP address to the public IP address.

https://docs.paloaltonetworks.com/ngfw/administration/app-id/application-level-gateways

Most VoIP vendors recommend disabling SIP ALG on ALL vendor's firewalls because it has repeatedly broken voice traffic. My own experience confirms this behavior. It is not necessarily the firewall vendors' fault. Many VoIP vendors implementations are different, and they change it whenever they want. Keeping SIP ALG up-to-date with the many vendors then becomes an administrative burden. PANW probably implemented their SIP ALG based upon RFC 3665 and has no desire to keep up with proprietary changes.

You can try to enable SIP ALG and see if it fixes your issue. If not, you will need to manually configure the 2 functions listed above: (1) manually configure rules to allow the media traffic, and (2) manually configure the PBX to rewrite the SIP information. The rewrite usually involves some combination of the SIP header From, Contact, and Via fields, and SDP header (inside the SIP packet) Audio-Connection-Info and Connection-Info fields. You will need a NEC PBX manual to configure it.

A far easier solution would be to put the PBX on a DMZ where it can have a public IP address.

Thanks,

Tom

topic Handling voip behind ION 1200S in Prisma SD-WAN Discussions

Handling voip behind ION 1200S

Re: Handling voip behind ION 1200S