New Member

IP telephony/PIX Firewall problems

Can someone please clarify what ports I need open on my PIX firewall to allow me to have Call Managers and Gateway and phones on the inside and some phones in a DMZ.

Anthony Warren

14 REPLIES
Cisco Employee

Re: IP telephony/PIX Firewall problems

Just for basic audio and signaling using CallManager 3.1, you would need TCP/2000, TCP/2427-2428 for MGCP signaling, UDP/16384-32767 for audio.

If you are going to be doing other things, like using the corporate directory or XML services, you would need to open TCP/80, SoftPhone you would need TCP/2748 and TCP/8404.

For CallManager 3.0 you would need TCP/2001 and TCP/2002 for Skinny based gateway signaling.

The list goes on and on.

fc
New Member

Re: IP telephony/PIX Firewall problems

That's great information! Are any additional ports needed for CallManager 3.1? Are any additional ports needed for Unity 3.0?

F C Wood

fc@wood.org

New Member

Re: IP telephony/PIX Firewall problems

Just for my info, while we're on topic....

is there any way in the CCM / PIX to restrict the ports used for RTP / RTCP, or do you need to open up a large range of ports.

Thanks in advance.

Cisco Employee

Re: IP telephony/PIX Firewall problems

UDP 16384-32767 randomly chosen. No way to alter this as far as I know.

Cisco Employee

Re: IP telephony/PIX Firewall problems

In general the answer is no. However there are a very large number of variables involved as far as what is on the inside and outside of the firewall that could possibly add more holes to be poked. I can't generalize without knowing the specific requirements, that was just a sample.

New Member

Re: IP telephony/PIX Firewall problems

Thanks for that.

Now for the obvious question. Do those ports need to be open from CM or GW or phone on inside to talk to phones in DMZ?

Cisco Employee

Re: IP telephony/PIX Firewall problems

  • CM needs to talk to all phones using Skinny - TCP/2000 on CM side
  • CM needs to talk to all GW using appropriate signaling method - TCP/2001-2002 for Skinny, TCP/2427-2428 for MGCP, TCP/1720 for H.323, TCP/1719 for H.323 RAS (gatekeeper)
  • UDP/16384-32767 needs to be open for all devices that could possibly need to stream RTP. That can include phones, gateways, transcoders, conference bridges, music on hold, IVR, voicemail, you name it.
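As an added example (not part of the original thread and not Cisco's code): a small Python checker that parses the PIX-style access-list lines a DMZ interface would carry for the flows listed in this reply and confirms they permit Skinny signaling from a DMZ phone to the CallManager and the full UDP/16384-32767 RTP range toward the inside voice devices, while leaving everything else to the implicit deny. The addresses (10.1.1.5 for the CallManager, 10.1.1.0/24 for inside RTP endpoints, 172.16.1.0/24 for DMZ phones), the ACL name dmz_in and the sample config are constructed assumptions; the port numbers are the ones given in the posts. The parser handles only numeric destination ports and the host / any / network-mask address forms.

```python
"""Audit a PIX-style access list against the CallManager flows from the thread.

Added example, not from the original posts. Addresses and the ACL name are
assumptions; the ports are the thread's (Skinny TCP/2000, RTP UDP/16384-32767).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample for the DMZ interface: DMZ phones on 172.16.1.0/24,
# CallManager at 10.1.1.5, other inside RTP endpoints on 10.1.1.0/24.
SAMPLE_CONFIG = """
access-list dmz_in remark DMZ phones to inside voice network
access-list dmz_in permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.5 eq 2000
access-list dmz_in permit udp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 range 16384 32767
access-group dmz_in in interface dmz
"""


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: int  # destination port range; 0-65535 when none is given
    dport_hi: int


def _parse_addr(tokens, i):
    """Read one PIX address spec at tokens[i]: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # dotted-netmask form, e.g. 172.16.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | range A B]'."""
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    lo, hi = 0, 65535
    if i < len(t) and t[i] == "eq":
        lo = hi = int(t[i + 1])
    elif i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
    return name, Ace(action, proto, src, dst, lo, hi)


def parse_acl(config):
    """Collect access-list entries by name, in the order they appear."""
    acl = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, ace = parse_ace(line)
        acl.setdefault(name, []).append(ace)
    return acl


def permits(aces, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in (proto, "ip") and s in a.src and d in a.dst
                and a.dport_lo <= dport <= a.dport_hi):
            return a.action == "permit"
    return False


# Flows the thread says a DMZ phone must be able to open toward the inside,
# and flows that must stay closed if the ACL is no wider than that.
REQUIRED = [
    ("skinny phone->CM", "tcp", "172.16.1.20", "10.1.1.5", 2000),
    ("rtp phone->gateway, bottom of range", "udp", "172.16.1.20", "10.1.1.10", 16384),
    ("rtp phone->gateway, top of range", "udp", "172.16.1.20", "10.1.1.10", 32767),
]
MUST_DENY = [
    ("telnet phone->CM", "tcp", "172.16.1.20", "10.1.1.5", 23),
    ("skinny to a non-CM inside host", "tcp", "172.16.1.20", "10.1.1.10", 2000),
    ("udp just outside the RTP range", "udp", "172.16.1.20", "10.1.1.10", 32768),
]


def audit(config, acl_name="dmz_in"):
    """Return (missing, leaking): required flows denied, must-deny flows permitted."""
    aces = parse_acl(config).get(acl_name, [])
    missing = [label for label, *flow in REQUIRED if not permits(aces, *flow)]
    leaking = [label for label, *flow in MUST_DENY if permits(aces, *flow)]
    return missing, leaking


if __name__ == "__main__":
    missing, leaking = audit(SAMPLE_CONFIG)
    print("missing:", missing or "none", "| leaking:", leaking or "none")
```

The list is applied inbound on the DMZ interface because that is the direction the PIX blocks by default: traffic from a lower-security interface toward a higher one needs an explicit permit, while inside-to-DMZ traffic is allowed by default (subject to the NAT/static configuration). The must-deny checks are the part worth keeping around: they catch an ACL that was widened to "any" during troubleshooting and never tightened again.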
New Member

Re: IP telephony/PIX Firewall problems

H.323 RAS is UDP port 1719

New Member

Re: IP telephony/PIX Firewall problems

By the time you are done allowing your legitimate users access to resources on your network, you would have opened so many ports, it won't even be funny anymore. There is a better way to open these ports and still maintain a high level of security: a VoIP Firewall that will open the needed ports dynamically, on a per-call basis, so you can relax and take care of other important tasks on your network. I can give you some leads on that, as well as the technology behind it. For what security is worth these days, this will give you the peace of mind you need.

New Member

Re: IP telephony/PIX Firewall problems

What information do you have regarding VoIP Firewalls?

New Member

Re: IP telephony/PIX Firewall problems

My company has developed a VoIP Firewall that solves your problem. I can direct you to the appropriate people in my organisation to talk to in order to obtain more information if you want. In short, the concept behind it is to cut back on all the trouble involving manually opening ports and monitoring their usage. Our solution does it for you dynamically and shuts them as soon as the call/connection is terminated. Soon, we will even integrate advanced authentication with it as well. Let me know if you want to know more.

Eyabane

New Member

Re: IP telephony/PIX Firewall problems

Eyabane,

Please forward me (chissong@skopevo.com) contact information of someone within your organization that I can speak to about your VoIP Firewall. Thanks.

Craig

New Member

Re: IP telephony/PIX Firewall problems

Will do!

New Member

Re: IP telephony/PIX Firewall problems

You might also want to check the "fixup" command if you are doing NAT and have phones on one side and a CM on the other side. From the PIX 6.1 Command Summary: "If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not support NAT TFTP messages."
