VoIP

VoIP – Cisco Phones behind a FIREWALL

glitchlist Blog Leave a Comment

When you have to protect your VoIP CallManager in a secure zone of your lan you have to face two problem: SIP and NAT.

In our case we handle voip sessions through firewall by configuring an ACL with TCP/UDP port_set. For internal resources, we don’t use NAT mode, here you have the ports from phones to CM:

Destinaton portDescription
UDP/32768-61000EPHEMERAL_port_range
UDP/16384-32676RTP-SRTP
TCP/2000SCCP
TCP/2443SCCPS
TCP/5060SIP
UDP/5060SIP
TCP/5061SIPS
UDP/5061SIPS
TCP/2445TRUST ENDPOINT
TCP/3804CAPF
TCP/6970PUSH FIRMWARE & CONFS
TCP/8080XML APP
UDP/69TFTP

For external resources like a Trunk cVoIP we use NAT and, in Fortigate environment, sip session-helper function that look inside SIP packet and perform inspection for NAT (or not) SIP devices.

Unfortunately the SIP (Session Initiation Protocol), developed in 1996, was designed to work in LANs without having some compatibility to be published on the Internet. In fact, a limitation of the protocol, in case you want to NAT SIP services on the Internet, makes it impossible to work without a payload translation mechanism that translates the informations between phones and call managers from private ip to public ip.

HERE you can find Cisco TCP and UDP Port Usage Reference.

and HERE you will find FortiGate tips for activate firewall ALG function.

.glitchlist crew

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.