When you have to protect your VoIP CallManager in a secure zone of your lan you have to face two problem: SIP and NAT.
In our case we handle voip sessions through firewall by configuring an ACL with TCP/UDP port_set. For internal resources, we don’t use NAT mode, here you have the ports from phones to CM:
| Destinaton port | Description |
| UDP/32768-61000 | EPHEMERAL_port_range |
| UDP/16384-32676 | RTP-SRTP |
| TCP/2000 | SCCP |
| TCP/2443 | SCCPS |
| TCP/5060 | SIP |
| UDP/5060 | SIP |
| TCP/5061 | SIPS |
| UDP/5061 | SIPS |
| TCP/2445 | TRUST ENDPOINT |
| TCP/3804 | CAPF |
| TCP/6970 | PUSH FIRMWARE & CONFS |
| TCP/8080 | XML APP |
| UDP/69 | TFTP |
For external resources like a Trunk cVoIP we use NAT and, in Fortigate environment, sip session-helper function that look inside SIP packet and perform inspection for NAT (or not) SIP devices.
Unfortunately the SIP (Session Initiation Protocol), developed in 1996, was designed to work in LANs without having some compatibility to be published on the Internet. In fact, a limitation of the protocol, in case you want to NAT SIP services on the Internet, makes it impossible to work without a payload translation mechanism that translates the informations between phones and call managers from private ip to public ip.
HERE you can find Cisco TCP and UDP Port Usage Reference.
and HERE you will find FortiGate tips for activate firewall ALG function.