TCP/UDP ports used by Call Manager for H 323 Communication

Unanswered Question


I have a Call Manager and IP Phones behind a Firewall. At the other side of the firewall i have a router with 2 FXS ports. I have connected two analog phones to these FXS ports. Now in the Call Manager i have added the router as a H 323 Gateway in order to have communication between the IP Phones and the Analog phones.

I want to know what ports are to be opened at the Firewall so that this communication can occur.

Thanks in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


Thanks for the reply.

If i correctly understand i need to open the following ports at the Firewall

UDP 16384 - 32667 ( for rtp traffic b/w Phones )

UDP 1719

TCP 1720

TCP 11000-65535 ( for H 323 Communications )

My doubt is can the communication between the phones be established by only opening up UDP 16384 - 32667.

Because If i have to open up all the ports mentioned as above then i am opening up almost all the TCP ports.

Awaiting your reply


dugrant Fri, 10/17/2003 - 09:39
User Badges:
  • Bronze, 100 points or more

Yes, you are right. This is why you need a firewall that is "H.323 aware", so that it can detect automagically what UDP ports are negotiated, and allow that traffic through.

Cisco IOS and PIX do this, so if you firewall is one of these youre OK.

vmalhi Mon, 11/03/2003 - 05:47
User Badges:

Why can't you enable H245 tunnelling so that H245 communication takes place over port 1720?

sgamer Thu, 02/12/2004 - 14:58
User Badges:


When I go to that link it says it's "under construction" so I assume it's being updated. Do you know when it will be published again?

djones Fri, 10/24/2003 - 11:33
User Badges:

If it's an h323-aware firewall ala PIX, you need a "fixup protocol h323 1720" which tells the FW to start to eavsdrop on port 1720 (h225 call setup) so it can glean the remainder of the ports to be opened (h245 & RTP).

The PIX acl or conduit must also allow the GW IP address in on port 1720 to begin the signalling process.

If you don't have an H323-aware FW, you have to allow ALOT of ports inbound from the GW:

TCP 1720 for h225,

TCP 4000-4999 for H245 (I think - the IOS gw's used a different range of ports than the AS5xxx gw's,

UDP 16384-32768 for RTP

Good luck,



This Discussion