This is what we suggest firewall-wise for VoIP customers:

Firewall Requirements on Voiceless Platform

| Protocol | Transport and port | Addresses |
|---|---|---|
| SIP (IPv4) | UDP 5060 | 126.96.36.199 - 119 |
| SIP (IPv6) | UDP 5060 | 2001:8b0:30::5060:0/112 |
| RTP (IPv4) | UDP 1024-65535 | 188.8.131.52 - 119 |
| RTP (IPv6) | UDP 1024-65535 | 2001:8b0:30::5060:0/112 |

Firewall Requirements on Legacy 'C' Platform

| Protocol | Transport and port | Addresses |
|---|---|---|
| SIP | UDP 5060 | 184.108.40.206 - 119 |
SIP is the call routing information that creates and manages calls. In practice, if you allow port 5060 from the outside world you'll see attacks and possibly receive spam phone calls. We do not recommend leaving 5060 open unless you really know what you are doing. Phones rarely use ports as low as 5060 for media.
RTP is the actual audio. On the older call servers it will be as direct as possible, so the audio can be sent from anywhere on the internet. Using the new call servers it is only from the same call server as the SIP control messages. On most phones you can configure which ports to use for RTP, so you can restrict this range further. For example, on a SNOM phone the default range for RTP is 49152 to 65534.
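As an added example (not configuration published by the provider), the nftables ruleset below applies the advice above on a Linux router in front of SNOM phones using the new call servers: SIP and RTP are accepted only from the call server addresses, and RTP is narrowed to the SNOM default range. It assumes the phones are routed without NAT; the phone subnets and the IPv4 call server range are placeholders, so take the real IPv4 range from the table, and the table and chain names are made up for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: restrict inbound VoIP traffic to the call servers.

define CALLSERVERS6 = 2001:8b0:30::5060:0/112   # IPv6 range from the table above
define CALLSERVERS4 = 192.0.2.0/24              # PLACEHOLDER: use the IPv4 range from the table
define PHONES4      = 198.51.100.16/28          # PLACEHOLDER: your phones (IPv4)
define PHONES6      = 2001:db8:1::/64           # PLACEHOLDER: your phones (IPv6)
define RTP_PORTS    = 49152-65534               # SNOM default RTP range

table inet voip_filter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic heading to the phones is filtered here;
        # everything else is left to the router's existing rules.
        ip  daddr $PHONES4 jump to_phones
        ip6 daddr $PHONES6 jump to_phones
    }

    chain to_phones {
        # Replies to traffic the phones started (registration, outbound calls),
        # plus ICMP errors related to those flows.
        ct state established,related accept

        # SIP control messages: call servers only, never the whole internet.
        ip  saddr $CALLSERVERS4 udp dport 5060 accept
        ip6 saddr $CALLSERVERS6 udp dport 5060 accept

        # RTP audio: on the new call servers it comes from the same
        # servers as SIP, so the same source restriction applies.
        ip  saddr $CALLSERVERS4 udp dport $RTP_PORTS accept
        ip6 saddr $CALLSERVERS6 udp dport $RTP_PORTS accept

        # Record (rate-limited) SIP attempts from anywhere else, then drop.
        udp dport 5060 limit rate 5/minute log prefix "sip-drop: "
        drop
    }
}
```

On the legacy platform the RTP rules would need a wider source, because audio there can arrive from anywhere on the internet; the SIP rules still apply unchanged.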
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick 2500/2700 and many simple NAT routers). If NAT works, then well done, but if not we cannot guarantee to be able to make it work.