Manual

| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| RTP & RTCP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36002 to 59999 |
| SIP endpoints using UDP / TCP or TLS | | | | | | | |
| SIP TCP | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 5060 |
| SIP UDP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 5060 |
| SIP TLS | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 5061 |
| RTP & RTCP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36002 to 59999 |
| TURN server control | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 3478 ** |
| TURN server media | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 24000 to 29999 |
** On Large systems you can configure a range of TURN request listening ports. The default range is 3478 to 3483.
Outbound (DMZ > Internet)
If you want to restrict communications from the DMZ to the wider Internet, the following table provides
information on the outgoing IP addresses and ports required to permit the Expressway-E to provide service to
external endpoints.
| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| H.323 endpoints with public IP address | | | | | | | |
| Q.931/H.225 | EXPe | Endpoint | 192.0.2.2 | 15000 to 19999 | TCP | Any | 1720 |
| H.245 | EXPe | Endpoint | 192.0.2.2 | 15000 to 19999 | TCP | Any | >=1024 |
| RTP & RTCP | EXPe | Endpoint | 192.0.2.2 | 36000 to 59999 | UDP | Any | >=1024 |
| SIP endpoints using UDP / TCP or TLS | | | | | | | |
| SIP TCP & TLS | EXPe | Endpoint | 192.0.2.2 | 25000 to 29999 | TCP | Any | >=1024 |
| SIP UDP | EXPe | Endpoint | 192.0.2.2 | 5060 | UDP | Any | >=1024 |
| RTP & RTCP | EXPe | Endpoint | 192.0.2.2 | 36000 to 59999 | UDP | Any | >=1024 |
| TURN server media | EXPe | Endpoint | 192.0.2.2 | 24000 to 29999 | UDP | Any | >=1024 |
| Other services (as required) | | | | | | | |
| DNS | EXPe | DNS server | 192.0.2.2 | >=1024 | UDP | DNS servers | 53 |
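
An added example, not part of the Cisco guide: one way to audit firewall egress logs against the outbound (DMZ > Internet) table above, flagging any flow from the Expressway-E that no row permits. The log line format, the DNS server address 198.51.100.53 and the sample flows are constructed assumptions.

```python
import re

EXPE_IP = "192.0.2.2"             # Expressway-E address from the guide's table
DNS_SERVERS = {"198.51.100.53"}   # assumption: constructed resolver address
HIGH = (1024, 65535)              # the table's ">=1024"

# One tuple per row of the outbound table:
# (purpose, transport, source ports, dest ports, allowed dest IPs or None for Any)
OUTBOUND_RULES = [
    ("Q.931/H.225",       "TCP", (15000, 19999), (1720, 1720), None),
    ("H.245",             "TCP", (15000, 19999), HIGH,         None),
    ("RTP & RTCP",        "UDP", (36000, 59999), HIGH,         None),
    ("SIP TCP & TLS",     "TCP", (25000, 29999), HIGH,         None),
    ("SIP UDP",           "UDP", (5060, 5060),   HIGH,         None),
    ("TURN server media", "UDP", (24000, 29999), HIGH,         None),
    ("DNS",               "UDP", HIGH,           (53, 53),     DNS_SERVERS),
]

# Assumed log format (constructed): "PROTO src_ip:src_port -> dst_ip:dst_port"
FLOW_RE = re.compile(r"^(TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def match_rule(proto, src_ip, sport, dst_ip, dport):
    """Return the purpose of the table row that permits the flow, or None."""
    if src_ip != EXPE_IP:
        return None
    for purpose, rproto, (s_lo, s_hi), (d_lo, d_hi), dsts in OUTBOUND_RULES:
        if (proto == rproto and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi
                and (dsts is None or dst_ip in dsts)):
            return purpose
    return None

def audit(lines):
    """Return (line, purpose) for permitted flows and (line, None) otherwise."""
    results = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            results.append((line, None))  # unparseable lines count as violations
            continue
        proto, src, sport, dst, dport = m.groups()
        results.append((line, match_rule(proto, src, int(sport), dst, int(dport))))
    return results

SAMPLE_LOG = [  # constructed egress log lines
    "TCP 192.0.2.2:15012 -> 203.0.113.10:1720",   # H.323 call signaling
    "UDP 192.0.2.2:36500 -> 203.0.113.10:49152",  # media
    "UDP 192.0.2.2:40000 -> 198.51.100.53:53",    # DNS to a listed server
    "UDP 192.0.2.2:40000 -> 203.0.113.99:53",     # DNS to an unlisted server
    "TCP 192.0.2.2:44321 -> 203.0.113.10:443",    # source port outside TCP ranges
    "TCP 192.0.2.7:25010 -> 203.0.113.10:5061",   # source is not the Expressway-E
]
```

The last three sample flows return None: the table permits DNS only to the configured DNS servers, and TCP only from the 15000 to 19999 and 25000 to 29999 source ranges on 192.0.2.2.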
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2) Page 44 of 57
Appendix 3: Firewall and NAT settings