Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Registering Through a Firewall

I have a setup in which some of my phones must register with CallManager across the internet through a pix firewall. I'm using CallManager 4.x. The phones are on an internal network of and the CallManager and the Gateway are on I've opened up the ports on the firewall to allow TFTP, Skinny and RTP traffic through, and have redirected TFTP and Skinny traffic to the CallManager server and RTP traffic to the gateway. I've set option 150 in DHCP to point to the public IP of the firewall (which then shoots the traffic over to CallManager). The phones are picking up the TFTP download from CallManager, but that's where it ends. Nothing really registers after that. The phones are getting information about CallManager being at 172.16.0.x, but ? of course ? none of the routers on the internet know how to get to my network. Also, CallManager isn't going to know how to get back to I could use a VPN, I suppose, but I don't know how well that works for voice. Furthermore, the client has a low-end firewall at the remote site that doesn't support VPNs, and I'm afraid they'll have a little, hairy, cat-fit if I ask them to shuck out more money.

Hall of Fame Super Gold

Re: Registering Through a Firewall


if you have a poor firewall you will get nowhere anyway, because it won't be able to understand sccp protocol and dynamically open ports for media.

You might consider sosma small router like the 800 series thta are really cheap but come with the full set of security features like VPN firewall, etc. With these everything should work fine, or at least is diagnosticable.

New Member

Re: Registering Through a Firewall

Are you saying that a VPN is my only answer?

Hall of Fame Super Gold

Re: Registering Through a Firewall

In practice, yes, unless you want to play with NAT static translations (aka forwards) on the non-cisco firewall. Results are not guaranteed.

CreatePlease login to create content