Unanswered Question
Apr 2nd, 2009
User Badges:


Customer requirement is to have a physical Cisco IP Phone with SIP firmware off net, to register with CME7.0 in the network. They do not want to establish any vpn to acheive this.

My first question is on the CME, are there any major configuration differences when registering SIP phones in comparison to SCCP Phones? I am assuming all you have to do is make sure you have the SIP firmware in flash and tftp.

Second question is what ports do I have to allow from the public internet into the NAT IP for CME?

I am also going to have a SIP trunk to the service provider. What ports should I allow from the service SIP Proxy server?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nicholas Matthews Thu, 04/02/2009 - 17:55
User Badges:
  • Red, 2250 points or more

Hi There,

To start off, answers to your questions:

"are there any major configuration differences when registering SIP phones in comparison to SCCP Phones?"

Yes. It's totally different, has a different feature set, and generally speaking, doesn't work as well.

"what ports do I have to allow from the public internet into the NAT IP for CME"

By default it is TCP and UDP 5060. You can change this in 12.4(20)T and later with the sip level 'listen-port' command. If you're using Cisco phones, TFTP (UDP 69) as well.

"What ports should I allow from the service SIP Proxy server?"

Again, UDP/TCP 5060, unless they give you a different port range, which they do some times.

You will want to be very careful with having an open SIP port on the internet. There are hackers that scan for those, and then proceed to send calls through to Cuba and such. You will need to be very careful, depending on what all you configure SIP-wise.

A VPN really is heavily suggested, for security reasons port-wise.

You would need to make sure that your SIP CME doesn't take in random registrations (by default it does this), as well as configure fairly secure passwords.

You will need to configure your dial peers in a way that random calls from the Internet are not able to be routed through your system. This is done primarily with IP source-groups and the 'permission term' and 'permission orig' commands.

Here's the minimum configuration for SIP CME:

voice service voip


registrar server

voice register global

mode cme

source-address port 5060

max-dn X

max-pool X

voice register dn 1

number 1000

voice register pool 1



number 1 dn 1

username X password X



p.holley Mon, 04/06/2009 - 10:18
User Badges:

I had told the customer that it would be better to establish a vpn before registering the ip phone to CME. But they are concerned that not all public areas allow a vpn to be established using a secure client. In their case they are using checkpoint secure client and have confirmed that not all public hot spots allow vpn. Hence this suggestion of having phones use unsecure public internet.

Thanks for your response

Are the "voice register pool" disabled on IOS images for the 7.x telephony service versions?

We have upgraded the firmware of a Cisco2800 router, from an 12.4 XW release to an 12.4T one, in order to upgrade from CME4.2 to CME7.1.

When IOS read configuration file for every "voice register pool" we got the following error message:

"Pool tag too large, maximum 0"

However when I call ? after the command "voice register pool ?" it reply with

" <1-110> voice-register-pool tag"

Does the CME 7.1 not support the voice registration pools?

many thanks

paolo bevilacqua Fri, 04/10/2009 - 09:30
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

voice register global

mode cme

max-dn xx


I added also the line

max-pool 100

at the "voice register global" section

to resolve the issue.

However the "mode cme" don't let me to add networks as id below the "voice register pool", so we have to choice to enable or not the "mode cme".

Anyway the max-pool parameter under "voice register global" resolve the issue (with or without mode cme)


This Discussion