Cisco VoIP Phones behind a FIREWALL

glitchlist, Uncategorized

When you have to protect your CallManager in a secure zone of your LAN, you have to face two problems: SIP and NAT.

In our case we handle VoIP sessions through the firewall by configuring an ACL with a TCP/UDP port set. For internal resources we don't use NAT mode; here are the ports from the phones to the CM:

Destination port      Description
UDP/32768-61000       EPHEMERAL port range
UDP/16384-32676       RTP-SRTP
TCP/2000              SCCP
TCP/2443              SCCPS
TCP/5060              SIP
UDP/5060              SIP
TCP/5061              SIPS
UDP/5061              SIPS
TCP/2445              TRUST ENDPOINT
TCP/3804              CAPF
TCP/6970              PUSH FIRMWARE & CONFS
TCP/8080              XML APP
UDP/69                TFTP

For external resources like a VoIP trunk we use NAT and, in a Fortigate environment, the SIP session-helper function, which looks inside the SIP packets and performs inspection for NATed (or non-NATed) SIP devices.
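As an added example (not configuration from the original post), this is how the phone-to-CM port set above can be expressed on a Fortigate as service objects and a single no-NAT policy with full logging; interface names "phones-vlan" and "voice-dmz" and address objects "VOIP-PHONES" and "CUCM" are assumed, and the port values are the ones in the table.

```fortios
# Added example, not the original post's configuration.
# Assumed names: interfaces "phones-vlan" / "voice-dmz",
# address objects "VOIP-PHONES" / "CUCM".
config firewall service custom
    edit "CUCM-SCCP"
        set tcp-portrange 2000 2443 2445
    next
    edit "CUCM-SIP"
        set tcp-portrange 5060-5061
        set udp-portrange 5060-5061
    next
    edit "CUCM-RTP-SRTP"
        set udp-portrange 16384-32676
    next
    edit "CUCM-EPHEMERAL"
        set udp-portrange 32768-61000
    next
    edit "CUCM-CAPF"
        set tcp-portrange 3804
    next
    edit "CUCM-TFTP-FIRMWARE-XML"
        set tcp-portrange 6970 8080
        set udp-portrange 69
    next
end
config firewall service group
    edit "CUCM-PHONE-PORTS"
        set member "CUCM-SCCP" "CUCM-SIP" "CUCM-RTP-SRTP" "CUCM-EPHEMERAL" "CUCM-CAPF" "CUCM-TFTP-FIRMWARE-XML"
    next
end
# Internal phones -> CM: only the listed ports, no NAT, log every session
config firewall policy
    edit 0
        set name "Phones-to-CUCM"
        set srcintf "phones-vlan"
        set dstintf "voice-dmz"
        set srcaddr "VOIP-PHONES"
        set dstaddr "CUCM"
        set action accept
        set schedule "always"
        set service "CUCM-PHONE-PORTS"
        set nat disable
        set logtraffic all
    next
end
# For the NATed trunk policy the SIP session helper must stay bound to
# UDP/5060; check the existing entry with: show system session-helper
```

Keeping the ephemeral and RTP ranges in their own service objects makes it easy to restrict them to the phone and CM address objects only, rather than opening them for the whole zone.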

.glitchlist crew
