
Voice Gateway Security

Juraj Papic
Level 3

Hello,

 

I have a remote site with my VG connected directly to the Internet. I would like to know what security best practices are recommended?

 

Thanks. 

7 Replies

balaji.bandi
Hall of Fame

If security is a concern, moving the kit behind any FW is a good option.

BB


I know that would be the best practice, but this is a remote site with a few phones and the customer will not put in a firewall.

 

thanks.

TONY SMITH
Spotlight

What Feature Set does your gateway have?  Ideally you'd configure it as a firewall permitting access only to your ITSP.  If you don't have the security licence you may be able to get away with straight ACLs permitting only your ITSP's proxy and only the destinations and protocols needed.

Hello,

 

So the best practice would be to just allow the ports between the CUCM and the VG?

 

Will this doc help?

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_1_1/CUCM_BK_T2CA6EDE_00_tcp-port-usage-guide-91/CUCM_BK_T2CA6EDE_00_tcp-port-usage-guide-91_chapter_01.html

 

thanks. 

Your concern should be on the Internet side of the gateway.  You do not want folk on the Internet accessing your gateway and making phone calls at your expense.  Lock down that side so that nothing except your service provider can access your gateway, and even then try and limit the ports, protocols and destinations it can reach.  I also like to use COR so that the service provider dial peers can't "see" anything except the CUCM-facing dial peers.

Can you provide an example about this security configuration?

 

thanks. 

I'll try and look something out, but I think most of the gateways I look after are either dual-purpose VG and Internet access, in which case the configuration is more complex, or are placed inside a separate firewall.  If I can't find one I can draft out the outline, which you can then tweak for your exact scenario.

If you want emergency quick protection then stick an extended access list on the Internet interface permitting just the two host addresses, where x.x.x.x is your gateway IP and y.y.y.y is your service provider.

ip access-list extended SECURE
 permit ip host y.y.y.y host x.x.x.x
interface <Internet-facing-interface>
 ip access-group SECURE in

That's better than nothing.
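An added worked example of the two layers described in this thread (an Internet-side ACL plus COR on the dial peers), written for this post rather than taken from any poster's gateway. x.x.x.x and y.y.y.y are the gateway and ITSP addresses used above; z.z.z.z (CUCM), the interface name, dial-peer numbers and dial patterns are placeholders, and it assumes the ITSP sends both SIP and RTP from y.y.y.y and that the gateway keeps the IOS default RTP port range.

```cisco
! --- Network side: only the ITSP may reach the gateway from the Internet ---
ip access-list extended FROM-INTERNET
 remark SIP signalling from the ITSP proxy only (UDP and TCP 5060)
 permit udp host y.y.y.y host x.x.x.x eq 5060
 permit tcp host y.y.y.y host x.x.x.x eq 5060
 remark RTP media; IOS voice gateways use UDP 16384-32767 by default
 permit udp host y.y.y.y host x.x.x.x range 16384 32767
 remark explicit deny with log so Internet probes show up in syslog
 deny ip any any log
interface GigabitEthernet0/0
 description Internet-facing (placeholder interface name)
 ip access-group FROM-INTERNET in
! --- Call side: COR so a call arriving from the ITSP can only go to CUCM ---
voice class uri ITSP sip
 host ipv4:y.y.y.y
voice class uri CUCM sip
 host ipv4:z.z.z.z
dial-peer cor custom
 name to-cucm
 name to-itsp
dial-peer cor list ITSP-IN
 member to-cucm
dial-peer cor list CUCM-OUT
 member to-cucm
dial-peer cor list ITSP-OUT
 member to-itsp
dial-peer voice 100 voip
 description Inbound from ITSP, matched on the SIP Via source
 incoming uri via ITSP
 corlist incoming ITSP-IN
 session protocol sipv2
dial-peer voice 150 voip
 description Inbound from CUCM; no corlist, so it may reach any outbound peer
 incoming uri via CUCM
 session protocol sipv2
dial-peer voice 200 voip
 description To CUCM; ITSP-IN contains to-cucm, so dial-peer 100 may reach it
 destination-pattern 1...
 session protocol sipv2
 session target ipv4:z.z.z.z
 corlist outgoing CUCM-OUT
dial-peer voice 300 voip
 description To ITSP (PSTN); ITSP-IN lacks to-itsp, so dial-peer 100 cannot
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:y.y.y.y
 corlist outgoing ITSP-OUT
```

COR permits a call only when the incoming dial peer's COR list contains every member of the outgoing dial peer's list, so an Internet call landing on dial-peer 100 can be routed to CUCM but cannot be hairpinned back out to the ITSP. If the gateway itself needs DNS or NTP from the Internet, the replies will also be dropped by FROM-INTERNET and need their own permits (or a zone-based firewall if the licence allows).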