
question about sip trunk between cucm

baselzind
Level 6

Let us say I want to create a SIP trunk between my CUCM and a CUCM in another country. The SIP trunk will go through my firewall then into my WAN, correct? Not into my voice gateway that is connected to an E1?

Also, if it will go through my firewall, what ports do I need to open to allow calls through the SIP trunk?


mmyszor
Cisco Employee

Standard SIP ports are 5060 and 5061 (secure SIP) TCP and UDP

Do note that you need to allow RTP traffic, which will most probably flow the same path - ports UDP 16384-32768

Hi,

You can have direct SIP-SIP trunks between CUCM clusters. You can still introduce CUBE between the trunks, especially if the CUCM nodes aren't part of the same enterprise and you want to introduce security.

Regarding the ports, it depends on what you want to serve over the trunk. ICT SIP trunks can be for call signaling, ILS, EMCC, etc., so each application has its own set of ports.

Regarding the media stream, this isn't limited to CUCM nodes. In fact, the majority of RTP streams will be running between endpoints, in the range 16384 to 65535 (the upper limit used to be 32767 but Cisco raised the limit).

If you are really considering security and thinking about port restriction, I highly recommend going with CUBE sitting between clusters or an SME deployment.

If you do not want to allow direct RTP connections between endpoints due to potentially many firewall rule requirements, you can either use CUBE with media flow-through and thus only open connections to/from the CUBE, or you can check "MTP required" on the SIP trunk and open connections from your MTP devices (CUCM based or IOS based).

I'm connecting to the remote site via VPN so the SIP trunk will run through it, so basically I just need to allow 5060 and 5061 for both TCP and UDP, and UDP "16384-65535" for the SIP trunk connection? What about RTCP ports?

If you are using it for call signaling only then you need 5060-5061 tcp-udp between CUCM clusters and not 16384 - 65535 between endpoints (e.g. phones). Regarding RTCP ports, they fall in the same range (RTP uses even ports and RTCP uses odd ports).

Read my earlier note and below note from Chris about CUBE/MTP if you want to avoid complex firewall management related to voip connections. It will reduce time to manage the firewall and standardize your deployment. 

Well, I don't think my voice gateway connected to an E1 can be a CUBE, correct? It needs to be connected to a WAN. Second, why would it be difficult to implement on a firewall? Don't I just create a rule for the remote site VPN that allows these ports? I already have SIP trunks with other countries but those were already done before I came to the workplace.

It can be used as CUBE. There is nothing stopping it from being a CUBE (just make sure the router specs are enough).

It is always a management overhead when it comes to managing multiple rules for multiple subnets and ports (especially when you want to establish full mesh connections). Some firewalls have good features such as object-groups, ranges, etc. But my preference is to have CUBE for many other VoIP related reasons when the deployment scales up.

The voice gateway with E1 and a CUBE differ in the services they offer; this dictates their location in your collaboration environment. You typically may not place gateways behind firewalls and therefore don't need rules updated. This is because they offer a fixed line service. SIP, on the other hand, uses the WAN to send voice, therefore you need to secure it.

You need to think about scalability: if you don't want CUBE, you'd need specific rules for every party involved (and do this every time there is a new requirement). If you have CUBE sitting between, you only need to do this once.

gauravpurohit
Level 1

- yes you don't need E1 for this.

- requirement for CUBE (not Voice Gateway) largely depends on how you intend the two clusters to integrate. CUBE is the logical and physical demarcation so if you need features like address hiding amongst the clusters, better Media negotiation control, or scalability (to name a few) I'd suggest you look into getting CUBE. 

- many people have already helped you with the firewall ports information which I believe you will need regardless.
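
As an added example (not part of any post in this thread, and not Cisco code): a small Python check that reads firewall deny entries and flags flows matching the ports discussed above, so a missing rule for the trunk shows up as SIP signaling, RTP or RTCP. The log format, IP addresses and function names are assumptions constructed for illustration.

```python
import re

SIP_PORTS = {5060, 5061}           # 5061 = secure SIP; TCP and UDP, per the thread
MEDIA_RANGE = range(16384, 65536)  # UDP media range quoted in the thread (older limit 32767)

# Constructed log format (assumption): "<action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def classify(proto, dport):
    """Map a destination port to the traffic classes named in the thread."""
    if dport in SIP_PORTS:
        return "sip-signaling"
    if proto == "UDP" and dport in MEDIA_RANGE:
        # Convention stated in the thread: RTP on even ports, RTCP on odd ports.
        return "rtp" if dport % 2 == 0 else "rtcp"
    return "other"

def denied_voice_flows(lines, cucm_nodes):
    """Return (class, src, dst, dport) for denied flows that look like trunk traffic."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "DENY":
            continue
        _, proto, src, _, dst, dport = m.groups()
        kind = classify(proto, int(dport))
        # Signaling only matters between CUCM nodes; media runs endpoint to endpoint.
        if kind == "sip-signaling" and not {src, dst} <= cucm_nodes:
            continue
        if kind != "other":
            findings.append((kind, src, dst, int(dport)))
    return findings

# Constructed sample data: two CUCM nodes and two phones on private addresses.
CUCM_NODES = {"10.1.0.10", "10.2.0.10"}
SAMPLE_LOG = [
    "ALLOW TCP 10.1.0.10:49152 -> 10.2.0.10:5060",
    "DENY TCP 10.1.0.10:49153 -> 10.2.0.10:5061",
    "DENY UDP 10.1.20.5:24576 -> 10.2.20.7:24578",
    "DENY UDP 10.1.20.5:24577 -> 10.2.20.7:24579",
    "DENY TCP 10.1.20.5:51000 -> 10.2.20.7:443",
    "DENY UDP 10.1.20.5:5060 -> 10.2.20.7:5060",
]

if __name__ == "__main__":
    for finding in denied_voice_flows(SAMPLE_LOG, CUCM_NODES):
        print(finding)
```

With CUBE media flow-through or "MTP required", the same check would be run with only the CUBE or MTP addresses as expected media sources instead of every phone subnet.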