Showing results for 
Search instead for 
Did you mean: 

Can you use a sip soft phone over internet to uc540/560/CME?

Jeff Cooper

For about a year now, I've been attempting to use a sip softphone client on the internet to connect to a uc560, 540 and 2800-based CME with no success.  I've tried portgo and 3cx from both a pda and from my laptop out on the internet.  I can get both sip clients to connect instantly as an extension on the local LAN.  When I try from the internet, I see "invalid ip address" on debug ccsip, and it reflects the internet IP of the client trying to register.

My client login is the extension for both the username and password, and i have the MAC as 0000.0000.0000 in the voice register pool.  I use the outside internet IP of the network for the host.  I map thru 5060 over both tcp/udp to the inside phone system and forward 10,000-20,000 over both tcp/udp as well.  I've tried a source-address on CME for the voice register global of the internet, the local loopback, the outside of the phone system and the voice vlan side of the phone system,

I'm stumped!  If anyone has gotten this to work successfully, can you post a config?  Is it an issue of the firewall?  Perhaps it requires all ports open on the internet IP to the inside phone system with a 1 to 1 nat translation?

Thanks in advance for any input.




voice service voip


allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

no supplementary-service h450.2

no supplementary-service h450.3

supplementary-service h450.12

no supplementary-service sip moved-temporarily

no supplementary-service sip refer



  registrar server expires max 3600 min 120

  no call service stop



voice register global

mode cme

source-address port 5060

max-dn 5

max-pool 5


mwi reg-e164

voicemail 500

tftp-path flash:

create profile sync 0003025739805842


voice register dn  1

number 200

allow watch

name Jeff


label Jeff


voice register pool  1

id mac 0000.0000.0000

number 1 dn 1

dtmf-relay sip-notify

username 200 password 200

codec g711ulaw


Alberto Montilla
Cisco Employee
Cisco Employee

Dear Jeff;

When you say over the internet, do you have a VPN link between the sites?


If I use a vpn into the network where the 540 and/or 560 exists, i can connect up no problem with a soft sip client.  I can even connect up polycom phones.  If i'm outside the network, on my pda or laptop on the road without a vpn client, i get the error above.  If I run a switchvox phone system, i dont need a vpn client, i connect right in with a soft sip client or polycom phone.  It doesn't sound like CME/UC series supports SIP connectivity from outside the network without a vpn client.   It would be great for customers who might not be able to support a vpn client into whichever vendor firewall on their pda.  I wish Cisco would adapt this functionality.

Another great reason , was in carribean and didnt want to pay roaming charges.  I had wirelesss internet provided at the resort.  If i could of used a sip client, i could of connected over the wireless internet as an extension to the uc540 back home.  Then I could of dialed out with no charges over a magic jack that provides a pots line into the uc540.

Instead I  implemented a switchvox that allowed me to connect my pda's sip softphone effortlessly thru the internet without maintaining a vpn, and took calls that way while on vacation.  No toll charges and forwarded all calls to the magicjack back home to my pda acting as an in-house extension on the switchvox.

Sorry, long answer.  But I've been battling with this on CME for over a year.  I believe it the last hurdle CME needs to overcome regardless of it being on a 2900, 2800, 3500 etc or a uc540/560 platform.  Be nice if you could tie in pdas as "soft" extensions for salesmen, remote users, owners, service techs who are anywhere in the world.  As long as there's wireless internet, they're on the pbx. 

ps- I've setup iphones that will register the vpn automatically and constantly based on being outside the network with certificates for authentication - pita in my mind

Hi Jeff;

I see your point. UC500 is not only a PBX but a UC solution, so VPN secure access for users is a pre-requisite for remote users on UC products.



Your solution is to use SSLVPN along with Anyconnect VPN client with CIPC softphone.


Anyconnect (download the one named anyconnect-win-2.5.3055-k9.pkg)

In CCA, go to Configure -> Security -> SSL VPN

Under the Basic tab, add users accordingly.

Under the Advanced tab, leave "Thin Client" unchecked.

Check "Full Tunnel mode" and enter an IP range, for example Start:, End:

Under SSL VPN Client, click Install and choose the Anyconnect file you downloaded earlier.

I would also check "Keep SSL VPN Client Software installed on the client PC."

I believe that's all on the UC end. This is how we have our SSL VPN setup and it works fine. 

Install the CIPC softphone on your client computer.  Navigate to the UC's WAN IP address using HTTPS. Login with the credentials you've created and it will download the anyconnect client and connect you. You're now on a SSL VPN with your UC and you can open the CIPC softphone. It should register after you've connected, otherwise I'd check the TFTP server setting for the softphone. The default I believe is


David Trad
Rising star
Rising star

Hi Jeff,

I know what you are trying to do and was able to do is successfully with a 2810 ISR, but with those systems you can hack away at the CLI with no problems at all... Your biggest draw back is, in order to get it to work you have to punch some pretty damn big holes in your firewall (ACL's) and here is where the problem lays, the minute we did that we had all sorts of whack jobs trying to connect to the 2800 using randomized passwords, and the only way to overcome it was to lock it down to only allow connection from a single IP address.

As you can imagine this was no good because we couldnt then use NetSIP on our mobiles to connect over 3G because the IP address constantly changes.

I would recommend using the VPN client on either the iPhone or the Android to connect via IPSEC and then tunnel in that way with a SIP phone, it is the only safe way to do it without opening your system up to some major kick A** toll fraud.



Cheers, David Trad. **When you rate a persons post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you wont be looked down upon :) *
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: