Allowed Ports for SIP Trunk

jamie.mai
Level 1

I have not found a clear answer on this. I have a remote site connected through an ASA. It is a wireless connection to a nearby building. I have a 2800 router at the remote site and am wanting to run CME on it and connect to the main CUCM cluster with a SIP trunk. What ports do I need to allow on the ASA? Will all traffic be contained in the SIP trunk between CUCM and CME, or will RTP traffic need to be allowed from phone to phone? That is what I want to avoid, as we don't want to have to allow all those IP ranges over the firewall. Thanks!

Accepted Solution

Anthony Holloway
Cisco Employee

In the most basic setup, a CME connected to a CUCM via SIP trunk will have the phones sending RTP directly to one another. However, your ASA has something called Deep Packet Inspection, which is the inspect command, and if you have inspect sip enabled, then the firewall need only allow UDP and/or TCP port 5060. It will then automatically detect and allow the additional flows from device to device for RTP/RTCP.

If, however, you don't have SIP inspection on, then you'll need to allow the RTP traffic manually.

If you're against opening up the IP Phone subnet and port ranges, you can cause the phones on the CUCM side to use an MTP (check MTP required on the SIP trunk) so that all of the media flows through the MTP on the SIP Trunk (MRGL > MRG > MTP) and then you can simply allow all UDP traffic from ANY to the IP of the MTP.
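An added ASA configuration fragment illustrating the three approaches in the answer above; it is not from the original post or from Cisco documentation. The interface name, ACL name, subnets and host addresses are assumed placeholders, and the UDP 16384-32767 range is the Cisco IP phone default RTP/RTCP range.

```cisco
! Assumed placeholders: interface "outside" faces the remote site,
! 10.1.1.10 = CUCM node, 10.2.2.1 = CME router, 10.1.1.20 = MTP.
!
! Option 1: SIP inspection enabled. Permit only SIP signalling between
! the trunk endpoints; the inspect engine reads the SDP in each call and
! opens the RTP/RTCP pinholes dynamically, so no static media rule is needed.
access-list REMOTE_IN extended permit udp host 10.2.2.1 host 10.1.1.10 eq 5060
access-list REMOTE_IN extended permit tcp host 10.2.2.1 host 10.1.1.10 eq 5060
access-group REMOTE_IN in interface outside
!
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
!
! Option 2 (instead of inspect sip): media permitted statically. The rule
! must cover every phone subnet on both sides, which is what the OP wants
! to avoid. 10.2.2.0/24 = remote phones, 10.1.0.0/16 = main-site phones.
access-list REMOTE_IN extended permit udp 10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0 range 16384 32767
!
! Option 3 ("MTP Required" checked on the CUCM SIP trunk, MTP assigned via
! MRGL > MRG): all media for trunk calls terminates on the MTP, so a single
! UDP rule to that one host suffices; the ASA's stateful connection table
! lets the return media back out to the remote phones.
access-list REMOTE_IN extended permit udp any host 10.1.1.20
```

Options 2 and 3 are alternatives to the inspect sip pinholes, not additions to them; pick the one that matches whether inspection is on and whether the trunk is MTP-required.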
