opening up CME to internet

Unanswered Question
Oct 9th, 2008
User Badges:

I want to be able to have my IP phones and IP communicator machines to be able to register and use CME without having to VPN in. Seems like the port usage is rather complicated but this is what I have come up with so far.

access-list 101 permit udp any host eq tftp

access-list 101 permit tcp any host eq www

access-list 101 permit tcp any host eq 2000

access-list 101 permit udp any host range 24576 32768

Int the example below, is the public IP of my CME box and is the tftp server where I have copied and edited the config files with the public IP of the CME.

As of now the phones can register and dial-out but I am getting no audio.

Also, I see the phones requesting .tlv files from the tftp but I only have cnf files. What are the .tlv files for?

What am I missing for the audio?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Marwan ALshawi Thu, 10/09/2008 - 17:44
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

the issuse here is u have ACL applied on the outside interface as we know at the end of evry ACL there is an implicit deny now as u stated the phone rigister and dial but no audio audio use random upd port negocited between phones and CME this need to be solved in two

one way not good at all which u oped all upd traffic betwen 16xx 32xx

the best way is to have application inspection in ur case should be CBAC which is abalable on IOS firewall features if u use ISR mostly u have this feature this will open this port based on the seesion and closed after the end of the session (application inspection)

good luck

if helpful Rate


This Discussion