IP telephony/PIX Firewall problems

anthony.warren (Level 1)

Can someone please clarify what ports I need open on my PIX firewall to allow me to have Call Managers and Gateway and phones on the inside and some phones in a DMZ.

Anthony Warren

14 Replies

dgoodwin (Cisco Employee)

Just for basic audio and signaling using CallManager 3.1, you would need TCP/2000, TCP/2427-2428 for MGCP signaling, UDP/16384-32767 for audio.

If you are going to be doing other things, like using the corporate directory or XML services, you would need to open TCP/80, SoftPhone you would need TCP/2748 and TCP/8404.

For CallManager 3.0 you would need TCP/2001 and TCP/2002 for Skinny based gateway signaling.

The list goes on and on.

That's great information! Are any additional ports needed for CallManager 3.1? Are any additional ports needed for Unity 3.0?

F C Wood

fc@wood.org

Just for my info, while we're on topic....

Is there any way in the CCM / PIX to restrict the ports used for RTP / RTCP, or do you need to open up a large range of ports?

Thanks in advance.

UDP 16384-32767 randomly chosen. No way to alter this as far as I know.

dgoodwin (Cisco Employee)

In general the answer is no. However there are a very large number of variables involved as far as what is on the inside and outside of the firewall that could possibly add more holes to be poked. I can't generalize without knowing the specific requirements, that was just a sample.

Thanks for that.

Now for the obvious question. Do those ports need to be open from CM or GW or phone on inside to talk to phones in DMZ?

  • CM needs to talk to all phones using Skinny - TCP/2000 on CM side
  • CM needs to talk to all GW using appropriate signaling method - TCP/2001-2002 for Skinny, TCP/2427-2428 for MGCP, TCP/1720 for H.323, TCP/1719 for H.323 RAS (gatekeeper)
  • UDP/16384-32767 needs to be open for all devices that could possibly need to stream RTP. That can include phones, gateways, transcoders, conference bridges, music on hold, IVR, voicemail, you name it.
  • H.323 RAS is UDP port 1719
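An added example (not from the thread or from Cisco) that turns the port list above into the minimum permits a PIX would need for phones in a DMZ, renders them as PIX 6.x access-list lines, and checks candidate flows against them; the addresses, role names and ACL name are constructed assumptions, and it assumes no NAT.

```python
from collections import namedtuple

# One permit the thread says is needed across the PIX: protocol, port range
# and the roles on each end. Only the DMZ phones sit across the firewall from
# the CallManager, gateway and inside phones, so every rule involves them.
Rule = namedtuple("Rule", "proto lo hi src dst note")

# Constructed addresses for this example (not from the thread).
ADDR = {
    "cm": "host 10.1.1.5",
    "gw": "host 10.1.1.20",
    "inside_phone": "10.1.2.0 255.255.255.0",
    "dmz_phone": "192.168.50.0 255.255.255.0",
}
RTP_LO, RTP_HI = 16384, 32767   # RTP range from the thread; chosen randomly per call

def build_rules():
    """Minimum permits for DMZ phones, per dgoodwin's list (CallManager 3.1, Skinny)."""
    rules = [
        Rule("tcp", 2000, 2000, "dmz_phone", "cm", "Skinny phone registration/signalling"),
        Rule("udp", 69, 69, "dmz_phone", "cm", "TFTP config download (well-known port 69)"),
    ]
    # Gateway signalling (2001-2002, 2427-2428, 1719/1720) stays inside-to-inside here,
    # so no rule. Media can flow between a DMZ phone and any RTP-capable device.
    for peer in ("cm", "gw", "inside_phone"):
        rules.append(Rule("udp", RTP_LO, RTP_HI, "dmz_phone", peer, "RTP/RTCP media"))
    return rules

def flow_allowed(rules, proto, src, dst, dport):
    """True if a DMZ-initiated flow matches a permit. Inside-initiated flows
    (higher to lower security level) pass the PIX by default and are not checked."""
    return any(r.proto == proto and r.src == src and r.dst == dst and r.lo <= dport <= r.hi
               for r in rules)

def to_pix_acl(rules, name="dmz_in"):
    """Render the rules as PIX 6.x access-list lines bound to the DMZ interface."""
    lines = []
    for r in rules:
        ports = f"eq {r.lo}" if r.lo == r.hi else f"range {r.lo} {r.hi}"
        lines.append(f"access-list {name} permit {r.proto} {ADDR[r.src]} {ADDR[r.dst]} {ports}")
    lines.append(f"access-group {name} in interface dmz")
    return lines

def exposed_port_count(rules):
    """Total (protocol, port, destination) combinations opened; RTP dominates."""
    return sum(r.hi - r.lo + 1 for r in rules)
```

The count makes the "won't even be funny" point concrete: two signalling ports versus tens of thousands of RTP port/destination combinations, which is why a per-call pinhole is preferable to a static range.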

eyabane (Level 1)

By the time you are done allowing your legitimate users access to resources on your network, you would have opened so many ports, it won't even be funny anymore. There is a better way to open these ports and still maintain a high level of security: a VoIP Firewall that will open the needed ports dynamically, on a per-call basis, so you can relax and take care of other important tasks on your network. I can give you some leads on that, as well as the technology behind it. For what security is worth these days, this will give you the peace of mind you need.

What information do you have regarding VoIP Firewalls?

My company has developed a VoIP Firewall that solves your problem. I can direct you to the appropriate people in my organisation to talk to in order to obtain more information if you want. In short, the concept behind it is to cut back on all the trouble involving manually opening ports and monitoring their usage. Our solution does it for you dynamically and shuts them as soon as the call/connection is terminated. Soon, we will even integrate advanced authentication with it as well. Let me know if you want to know more.

Eyabane

Eyabane,

Please forward me (chissong@skopevo.com) contact information of someone within your organization that I can speak to about your VoIP Firewall. Thanks.

Craig

Will do!

rlyons (Level 1)

You might also want to check the "fixup" command if you are doing NAT and have phones on one side and a CM on the other side. From the PIX 6.1 Command Summary: "If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not support NAT TFTP messages."
