Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Can you use a sip soft phone over internet to uc540/560/CME?

Unanswered Question
Nov 30th, 2011
User Badges:

For about a year now, I've been attempting to use a sip softphone client on the internet to connect to a uc560, 540 and 2800-based CME with no success.  I've tried portgo and 3cx from both a pda and from my laptop out on the internet.  I can get both sip clients to connect instantly as an extension on the local LAN.  When I try from the internet, I see "invalid ip address" on debug ccsip, and it reflects the internet IP of the client trying to register.

My client login is the extension for both the username and password, and i have the MAC as 0000.0000.0000 in the voice register pool.  I use the outside internet IP of the network for the host.  I map thru 5060 over both tcp/udp to the inside phone system and forward 10,000-20,000 over both tcp/udp as well.  I've tried a source-address on CME for the voice register global of the internet, the local loopback, the outside of the phone system and the voice vlan side of the phone system,

I'm stumped!  If anyone has gotten this to work successfully, can you post a config?  Is it an issue of the firewall?  Perhaps it requires all ports open on the internet IP to the inside phone system with a 1 to 1 nat translation?

Thanks in advance for any input.




voice service voip


allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

no supplementary-service h450.2

no supplementary-service h450.3

supplementary-service h450.12

no supplementary-service sip moved-temporarily

no supplementary-service sip refer



  registrar server expires max 3600 min 120

  no call service stop



voice register global

mode cme

source-address port 5060

max-dn 5

max-pool 5


mwi reg-e164

voicemail 500

tftp-path flash:

create profile sync 0003025739805842


voice register dn  1

number 200

allow watch

name Jeff


label Jeff


voice register pool  1

id mac 0000.0000.0000

number 1 dn 1

dtmf-relay sip-notify

username 200 password 200

codec g711ulaw

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Alberto Montilla Wed, 12/21/2011 - 07:24
User Badges:
  • Cisco Employee,

Dear Jeff;

When you say over the internet, do you have a VPN link between the sites?


Jeff Cooper Wed, 12/21/2011 - 15:06
User Badges:

If I use a vpn into the network where the 540 and/or 560 exists, i can connect up no problem with a soft sip client.  I can even connect up polycom phones.  If i'm outside the network, on my pda or laptop on the road without a vpn client, i get the error above.  If I run a switchvox phone system, i dont need a vpn client, i connect right in with a soft sip client or polycom phone.  It doesn't sound like CME/UC series supports SIP connectivity from outside the network without a vpn client.   It would be great for customers who might not be able to support a vpn client into whichever vendor firewall on their pda.  I wish Cisco would adapt this functionality.

Another great reason , was in carribean and didnt want to pay roaming charges.  I had wirelesss internet provided at the resort.  If i could of used a sip client, i could of connected over the wireless internet as an extension to the uc540 back home.  Then I could of dialed out with no charges over a magic jack that provides a pots line into the uc540.

Instead I  implemented a switchvox that allowed me to connect my pda's sip softphone effortlessly thru the internet without maintaining a vpn, and took calls that way while on vacation.  No toll charges and forwarded all calls to the magicjack back home to my pda acting as an in-house extension on the switchvox.

Sorry, long answer.  But I've been battling with this on CME for over a year.  I believe it the last hurdle CME needs to overcome regardless of it being on a 2900, 2800, 3500 etc or a uc540/560 platform.  Be nice if you could tie in pdas as "soft" extensions for salesmen, remote users, owners, service techs who are anywhere in the world.  As long as there's wireless internet, they're on the pbx. 

ps- I've setup iphones that will register the vpn automatically and constantly based on being outside the network with certificates for authentication - pita in my mind

Alberto Montilla Thu, 12/22/2011 - 01:53
User Badges:
  • Cisco Employee,

Hi Jeff;

I see your point. UC500 is not only a PBX but a UC solution, so VPN secure access for users is a pre-requisite for remote users on UC products.


renato.guimaraes Thu, 12/22/2011 - 08:06
User Badges:

Your solution is to use SSLVPN along with Anyconnect VPN client with CIPC softphone.



Anyconnect (download the one named anyconnect-win-2.5.3055-k9.pkg)


In CCA, go to Configure -> Security -> SSL VPN

Under the Basic tab, add users accordingly.

Under the Advanced tab, leave "Thin Client" unchecked.

Check "Full Tunnel mode" and enter an IP range, for example Start:, End:

Under SSL VPN Client, click Install and choose the Anyconnect file you downloaded earlier.

I would also check "Keep SSL VPN Client Software installed on the client PC."

I believe that's all on the UC end. This is how we have our SSL VPN setup and it works fine. 

Install the CIPC softphone on your client computer.  Navigate to the UC's WAN IP address using HTTPS. Login with the credentials you've created and it will download the anyconnect client and connect you. You're now on a SSL VPN with your UC and you can open the CIPC softphone. It should register after you've connected, otherwise I'd check the TFTP server setting for the softphone. The default I believe is


David Trad Thu, 12/22/2011 - 21:00
User Badges:
  • Gold, 750 points or more
  • Cisco Designated VIP,

    2013 Small Business

Hi Jeff,

I know what you are trying to do and was able to do is successfully with a 2810 ISR, but with those systems you can hack away at the CLI with no problems at all... Your biggest draw back is, in order to get it to work you have to punch some pretty damn big holes in your firewall (ACL's) and here is where the problem lays, the minute we did that we had all sorts of whack jobs trying to connect to the 2800 using randomized passwords, and the only way to overcome it was to lock it down to only allow connection from a single IP address.

As you can imagine this was no good because we couldnt then use NetSIP on our mobiles to connect over 3G because the IP address constantly changes.

I would recommend using the VPN client on either the iPhone or the Android to connect via IPSEC and then tunnel in that way with a SIP phone, it is the only safe way to do it without opening your system up to some major kick A** toll fraud.




This Discussion