Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Firewall Ports with Profile

What are the ports that have to open on firewall when I have a profile without VCS to communicate directly with a public IP? I've seen several responses and an extensive series of ports to open.

Can you help me?

New Member

Firewall Ports with Profile


   For IP call you need to open specific ports that vary according to configurations.

Here is the ports range varying according to port allocation set to dynamic or static

Dynamic: The system will allocate which ports to use when opening a TCP connection. The

reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls

consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000

to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the

system is using UDP ports in the range 2326 to 2487. Each media channel is using two adjacent

ports, ie 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by

the system within the given range. Firewall administrators should not try to deduce which ports are

used when, as the allocation schema within the mentioned range may change without any further


Static: When set to Static the ports are given within a static predefined range [5555-6555].

For H.323: these are the port range when static is configured.

*       Gatekeeper Discovery (RAS) - Port 1719 - UDP

*       Q.931 call Setup - Port 1720 - TCP

*       H.245 - Port Range 5555-5574 - TCP

*       Video - Port Range 2326-2485 - UDP

*       Audio - Port Range 2326-2485 - UDP

*       Data/FECC - Port Range - 2326-2485 - UDP

Hope this helps.