Customer requirement is to have a physical Cisco IP Phone with SIP firmware off net, to register with CME7.0 in the network. They do not want to establish any VPN to achieve this.
My first question is on the CME, are there any major configuration differences when registering SIP phones in comparison to SCCP Phones? I am assuming all you have to do is make sure you have the SIP firmware in flash and tftp.
Second question is what ports do I have to allow from the public internet into the NAT IP for CME?
I am also going to have a SIP trunk to the service provider. What ports should I allow from the service SIP Proxy server?
"are there any major configuration differences when registering SIP phones in comparison to SCCP Phones?"
Yes. It's totally different, has a different feature set, and generally speaking, doesn't work as well.
"what ports do I have to allow from the public internet into the NAT IP for CME"
By default it is TCP and UDP 5060. You can change this in 12.4(20)T and later with the sip level 'listen-port' command. If you're using Cisco phones, TFTP (UDP 69) as well.
"What ports should I allow from the service SIP Proxy server?"
Again, UDP/TCP 5060, unless they give you a different port range, which they sometimes do.
You will want to be very careful with having an open SIP port on the internet. There are hackers that scan for those, and then proceed to send calls through to Cuba and such. You will need to be very careful, depending on what all you configure SIP-wise.
A VPN really is heavily suggested, for security reasons port-wise.
You would need to make sure that your SIP CME doesn't take in random registrations (by default it does this), as well as configure fairly secure passwords.
You will need to configure your dial peers in a way that random calls from the Internet are not able to be routed through your system. This is done primarily with IP source-groups and the 'permission term' and 'permission orig' commands.
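The hardening points in the answer above (restricting the exposed ports, refusing unauthenticated registrations, and using source groups with `permission term` / `permission orig` so Internet-sourced calls cannot transit to the PSTN) gathered into one IOS configuration fragment. This is an added example, not the answerer's configuration and not taken from Cisco documentation; the CME outside address 192.0.2.10, the provider proxy range 198.51.100.0/24 and proxy 198.51.100.5, the interface name, the phone MAC, extension and credentials are all placeholders, and each command should be checked against the command reference for the 12.4(20)T release CME 7.0 runs on before use:

```cisco
! Added example, not the original poster's configuration.
! Every address, interface name, MAC address, extension and secret
! below is a placeholder chosen for illustration.
!
! --- 1. Perimeter: only SIP signalling, TFTP and RTP reach the CME address ---
! The provider proxy range is known; the roaming phones are not, so 5060
! and TFTP must stay open to "any" and the checks in sections 2-4 compensate.
! 16384-32767 is the default IOS RTP range.
ip access-list extended OUTSIDE-IN
 remark SIP signalling from the provider proxy range (placeholder)
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 5060
 remark SIP signalling from roaming phones (source not predictable)
 permit udp any host 192.0.2.10 eq 5060
 permit tcp any host 192.0.2.10 eq 5060
 remark firmware and configuration download for Cisco phones
 permit udp any host 192.0.2.10 eq tftp
 remark RTP media
 permit udp any host 192.0.2.10 range 16384 32767
 remark everything else is dropped and logged (watch this for scanners)
 deny   ip any any log
!
interface GigabitEthernet0/0
 description outside (placeholder interface name)
 ip access-group OUTSIDE-IN in
!
! --- 2. Registrations: require a digest challenge and bind pools to a MAC ---
! Without "authenticate register" and per-pool credentials CME accepts
! registrations from any phone that matches a pool.
voice register global
 mode cme
 source-address 192.0.2.10 port 5060
 max-dn 10
 max-pool 10
 authenticate register
 tftp-path flash:
!
voice register dn 1
 number 2001
!
voice register pool 1
 id mac 0011.2233.4455
 number 1 dn 1
 username phone2001 password CHANGE-ME-strong-secret
 codec g711ulaw
!
! --- 3. Dial peers: inbound from the provider may only terminate on phones;
!        only calls originated inside may leave towards the provider ---
dial-peer voice 100 voip
 description inbound from provider, terminate only
 incoming called-number .
 session protocol sipv2
 permission term
!
dial-peer voice 200 voip
 description outbound to provider, originate only
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:198.51.100.5
 permission orig
!
! --- 4. Source group: tie inbound VoIP calls to the provider's proxy range ---
! Incoming calls are matched against the group's access list before dial-peer
! selection; confirm on your release how calls from non-matching sources are
! handled (later IOS trains add "ip address trusted list" for this purpose).
access-list 50 permit 198.51.100.0 0.0.0.255
voice source-group PROVIDER
 access-list 50
!
voice service voip
 allow-connections sip to sip
 sip
  ! 12.4(20)T and later can move the listener with "listen-port non-secure",
  ! but a non-default port only reduces scanner noise, it is not a control.
```

The order matters for the threat the answer describes: the interface ACL limits what reaches the SIP stack, the registration settings stop an arbitrary Internet host from becoming an extension, and the `permission` settings on the two dial peers ensure that a call arriving from the provider (or from a scanner that got past the ACL) has no dial peer through which it can be re-originated to the PSTN.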
I had told the customer that it would be better to establish a VPN before registering the IP phone to CME. But they are concerned that not all public areas allow a VPN to be established using a secure client. In their case they are using Checkpoint SecureClient and have confirmed that not all public hot spots allow VPN. Hence the suggestion of having phones use the unsecured public Internet.