MX VOIP Firewall rules


I have a customer who is using softphones that are connected by the SD-WAN, but all other VoIP services are on the cloud, including PABX and external SIP connections, and they want to use local breakout.


Phone to Phone traffic no firewalls (SD-WAN)

VoIP services in the cloud (Meraki firewall)


I have concerns regarding the Meraki firewall allowing inbound connections to the phones from the VoIP provider, as Meraki only seems to allow port forwarding or 1 to many NAT.


The Meraki firewalls are stateful, but I have concerns with the inbound traffic if no state is generated by the client first.


I have seen other VoIP cloud providers that are working fine with only outbound firewall rules and no inbound port forwarding.


Does Meraki work some magic to allow traffic generated from the cloud?


Thank you


  • How are inbound connections handled?
    The MX is a stateful firewall, so most inbound communication will only be allowed as a response to an established outbound conversation. Inbound communication can be explicitly allowed by means of port forwarding or 1:1 NAT/1:Many NAT rules, whereby a specific internal device is associated with a public port/IP.
    When considering how to implement a VoIP solution, it is important to note who will be initiating what communication; if an internal phone initiates a connection to an external PBX, the stateful firewall will allow the PBX's response back into the network. However, if an external PBX attempts to initiate a connection to an internal phone, it will be blocked unless there is a port forwarding or NAT rule allowing that communication.
    For more information on port forwarding and NAT rules on the MX, please refer to the following articles:
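
The inbound handling described in the reply above, as an added example (not part of the original thread and not Meraki's code): a generic Python model of a stateful firewall's flow table next to a port-forward rule. It goes slightly beyond the reply by modelling an idle timeout on state and a source restriction on the forward rule; the class name, addresses, ports and the 30-second timeout are assumptions chosen for illustration.

```python
# Simplified model of a stateful firewall with port forwarding (illustrative,
# not Meraki's implementation). Addresses, ports and timeout are constructed.
# Assumes NAT preserves the phone's source port (WAN port == LAN port).
UDP_IDLE_TIMEOUT = 30  # seconds; assumed value, real devices differ


class StatefulFirewall:
    def __init__(self):
        self.flows = {}     # (lan_ip, lan_port, remote_ip, remote_port) -> last seen
        self.forwards = {}  # wan_port -> (lan_ip, lan_port, allowed remote IPs)

    def outbound(self, now, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host sends a packet: create or refresh the flow's state."""
        self.flows[(lan_ip, lan_port, remote_ip, remote_port)] = now
        return "allow"

    def inbound(self, now, remote_ip, remote_port, wan_port):
        """WAN packet arrives: allow only on live state or a forward rule."""
        for key, seen in list(self.flows.items()):
            lan_ip, lan_port, r_ip, r_port = key
            if (r_ip, r_port, lan_port) != (remote_ip, remote_port, wan_port):
                continue
            if now - seen <= UDP_IDLE_TIMEOUT:
                self.flows[key] = now  # reply traffic refreshes the state
                return f"allow (state) -> {lan_ip}:{lan_port}"
            del self.flows[key]  # idle too long: state has expired
        rule = self.forwards.get(wan_port)
        if rule and remote_ip in rule[2]:
            return f"allow (forward) -> {rule[0]}:{rule[1]}"
        return "drop"


def demo():
    fw = StatefulFirewall()
    phone, pbx = ("192.168.10.20", 5060), ("203.0.113.10", 5060)
    out = []
    # 1. PBX contacts the phone before the phone has sent anything: no state.
    out.append(fw.inbound(0, *pbx, wan_port=5060))
    # 2. Phone talks to the PBX first; the PBX's later packet matches the state.
    fw.outbound(10, *phone, *pbx)
    out.append(fw.inbound(20, *pbx, wan_port=5060))
    # 3. Flow idle past the timeout: the same inbound packet is now dropped.
    out.append(fw.inbound(120, *pbx, wan_port=5060))
    # 4. Port forward limited to the PBX address admits unsolicited inbound...
    fw.forwards[5060] = (*phone, {"203.0.113.10"})
    out.append(fw.inbound(130, *pbx, wan_port=5060))
    # 5. ...but not the same packet from any other source address.
    out.append(fw.inbound(131, "198.51.100.7", 5060, wan_port=5060))
    return out
```

Calling `demo()` returns the verdict for each of the five cases in order.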