The main thing is not to use NAT; the endpoint’s IPv4 address and RTP port will be embedded in the application layer payload. Alternatively, you can try SIP & RTP Protocol Inspection, if the call is unencrypted, but that tends to be unreliable.
As for ports to open: if using SIP TCP you should be able to get by with allowing established sessions for outbound calls (inbound won’t work unless SIP is opened to the endpoint - and I wouldn’t recommend that; you’ll get a lot of malicious calls). You’ll also need to allow whatever RTP range the endpoint is configured for; check the relevant documentation.
If this answer is unappealing you may want to consider Cisco Expressway as a SIP registrar/proxy. Firewall traversal is its primary purpose for existing. Or Webex Cloud Device Registration - which would allow the Cisco endpoint to natively join a Webex Meeting (not SIP).
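The NAT problem the answer describes, as an added example that is not part of the original post or any Cisco tool: the endpoint writes its own IPv4 address into the Via and Contact headers and into the SDP `c=` line, and its RTP ports into the `m=` lines, so a NAT gateway that rewrites only the IP/TCP header leaves an unreachable private address in the payload. The script below builds a constructed INVITE (the 192.168.10.25 address, the example.org URIs and the 2326/2328 media ports are all made up), pulls every embedded address out, flags the private ones, and checks the advertised media ports against an assumed firewall RTP allow-list (2326-2486 is an assumption here; take the real range from the endpoint's documentation).

```python
"""Find the endpoint addresses and RTP ports a SIP INVITE embeds in its payload,
flag the private ones (what NAT will not rewrite), and check the media ports
against the RTP range a firewall has been configured to allow."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_invite(endpoint_ip: str) -> str:
    """Constructed sample INVITE from an endpoint at endpoint_ip (not a real capture)."""
    sdp = (
        "v=0\r\n"
        f"o=- 2890844526 2890842807 IN IP4 {endpoint_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {endpoint_ip}\r\n"       # session-level connection address
        "t=0 0\r\n"
        "m=audio 2326 RTP/AVP 0 8\r\n"      # assumed RTP ports, not a vendor default
        "m=video 2328 RTP/AVP 96\r\n"
        "a=rtpmap:96 H264/90000\r\n"
    )
    headers = [
        ("Via", f"SIP/2.0/TCP {endpoint_ip}:5060;branch=z9hG4bK776asdhds"),
        ("From", "<sip:endpoint@example.org>;tag=1928301774"),
        ("To", "<sip:room@example.org>"),
        ("Call-ID", f"a84b4c76e66710@{endpoint_ip}"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:endpoint@{endpoint_ip}:5060;transport=tcp>"),
        ("Content-Type", "application/sdp"),
        ("Content-Length", str(len(sdp.encode()))),
    ]
    head = "\r\n".join(f"{k}: {v}" for k, v in headers)
    return "INVITE sip:room@example.org SIP/2.0\r\n" + head + "\r\n\r\n" + sdp


def split_sip(message: str) -> Tuple[Dict[str, str], str]:
    """Return (lower-cased header name -> value, body); single-valued headers only."""
    head, _, body = message.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sdp_media(body: str) -> List[Dict[str, object]]:
    """Media streams with their effective connection address.

    A c= line before the first m= applies to every stream; a c= line after an
    m= overrides it for that stream only (RFC 4566 semantics)."""
    session_addr = None
    media: List[Dict[str, object]] = []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            mtype, port = line[2:].split()[:2]
            media.append({"type": mtype, "port": int(port), "addr": session_addr})
    return media


def embedded_addresses(message: str) -> List[Tuple[str, str]]:
    """Every (location, IPv4) pair the far end would try to send traffic to."""
    headers, body = split_sip(message)
    found: List[Tuple[str, str]] = []
    for name in ("via", "contact"):
        m = IPV4_RE.search(headers.get(name, ""))
        if m:
            found.append((name, m.group(1)))
    for stream in sdp_media(body):
        if stream["addr"]:
            found.append((f"{stream['type']} c=", str(stream["addr"])))
    return found


def nat_breakers(message: str) -> List[str]:
    """Embedded addresses that are private, i.e. unreachable from outside the NAT."""
    return [
        f"{where} {addr}"
        for where, addr in embedded_addresses(message)
        if ipaddress.ip_address(addr).is_private
    ]


def ports_outside_range(message: str, low: int, high: int) -> List[int]:
    """Advertised media ports that a firewall allowing only low..high would drop."""
    _, body = split_sip(message)
    return [int(s["port"]) for s in sdp_media(body) if not low <= int(s["port"]) <= high]


if __name__ == "__main__":
    invite = build_invite("192.168.10.25")
    print("private addresses in the SIP payload:", nat_breakers(invite))
    # Assumed firewall RTP allow-list; take the real range from the endpoint docs.
    print("media ports the firewall would drop:", ports_outside_range(invite, 2326, 2486))
```

Run against a real capture by feeding the decoded INVITE text to `nat_breakers`: a non-empty result is exactly the case where the far end will ring but audio and video never arrive, because it is sending RTP to an address only the LAN can reach. `ports_outside_range` is the complementary check for the second paragraph: every advertised port must fall inside the range the firewall permits, or the call sets up and the media is silently dropped.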