Connect GXP2140 phone from Home Office to UCM6204


I have a UCM6204 configured at our office, working with phones on the LAN.
I’m now trying to connect a GXP2140 phone from a home office.
I’ve enabled port forwarding on our office firewall to forward tcp/udp 5060 and 5061 to the UCM.
I’ve enabled a static (public internet) IP on our firewall for the UCM, and configured that IP under PBX -> SIP Settings (NAT) as the “external host” IP address.

I’ve configured the GXP2140 to point to the UCM’s IP address.

Thus far I have been unable to get the phone to connect.
I’ve tried using a couple of public STUN servers, but that also has not helped.





You have to NAT RTP ports, too.
And you need to activate NAT on the extension settings.
I suggest you activate every rule towards UCM in ACL if you don’t want to find a sieve.
Alternatively, a “transparent” VPN is allowed.


Hi, please confirm if you are able to reach your UCM network from your remote location.

  1. Can you ping the public-facing IP of the UCM network from the location of the phone network?

  2. Can you telnet to port 5060 and 5061 to confirm they are open?

  3. You will also have to open RDP ports too, as mentioned, if you want to get audio.


What is your firewall?
SIP ALG disabled as well.


Thanks for the suggestions everyone.
The firewall is a Sophos XG firewall. I’ve allowed those ports and configured a static (internet) IP for the UCM. Still no success, but I will continue working on it. I’ll try the telnet to port suggestion to verify that is working. I wonder if my home router or Rogers network is blocking something. I’ve been assuming the problem is on the UCM side, but possibly not…

Thanks everyone.



As written above, did you verify that you have done the correct NAT of the RTP ports? Does the firewall/router have SIP ALG disabled?


Telecom -

Why would you try and telnet to port 5060/1 when no telnet service is running on those ports? I don’t think there will be any response.

billd -

When you indicate connect, what does that actually mean? Does that mean get the phone to register to the UCM or does that mean make a successful call?

I assume you manually provisioned the phone before deploying and it is pointing to the public IP where the UCM resides? Is the remote router set for port forwarding, and is the remote phone set to a static IP? It takes two sides to tango, so you have to also think about the remote side.

I assume you have cable with Rogers, which implies the use of an MTA (cable modem). The cable modem should be in bridge mode so that whatever the front end of the MTA sees is the same as what the Sophos will see. I assume this is the case. Also, depending on the MTA, it too may have a SIP ALG which should be disabled.


@Telecomsolutions, this request of yours is strange to me too :)


I had trouble getting the Sophos XG to allow the traffic for SIP in and out correctly all the time even though the settings should have been good.

I would reach out to Sophos on this one.


On the contrary, I have a customer who has a Sophos firewall. I was skeptical, but I certainly could not make him change the firewall. Their computer scientist made the NATs I asked him for, and I have to say that everything is working properly.
I think it doesn’t depend so much on the vendor as on the updates their hardware had.


Hi Damiano,
Sorry, I am using a Linux machine so it's easy:
externalip port eg 5060
You will see connected or refused, then you know the port is open or closed. Like in the picture, port 5060 to that IP is closed.

For Windows you have to enable telnet service.
Copy and paste in your cmd:
Dism /Online /Enable-feature /FeatureName:TelnetClient
then run telnet “example” 53



If he opens the port manually to register to the far-end PABX, his PABX is listening on 5060 or 5061 for a registration request, or the rdp ports. He can very quickly check if his port forwarding is successful: test to see if those ports are open.


I use PuTTY and changed the client port to query the host on 5060 to my public IP. It just times out, which is what I would expect as there is no telnet socket running on 5060 by which to offer a telnet connection.

I question why it would indicate connected.


In fact it also seems strange to me, the 5060/1 should not even answer. No?


This is using telnet to check if the SIP carrier has port 5060 open, just to test.
You can see, using the SIP provider's public IP and port 5060, the status is connected, so this indicates the port is open.
You can also use a web service like “can you see me”.

It's just a very easy way to test connectivity on far-end devices facing the internet. We use it a lot for checking open ports on Exchange servers and other application servers. Just today RDP port 3389 was closed and a client could not connect; it was very quick to test the issue.


Well, I’ll be.

I never thought for a second that this would work. Thanks.


That’s a clever trade secret kind of statement. Thank you.
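
Added example, not part of any post in this thread: the TCP connect test that telnet performs against 5060/5061, plus a SIP OPTIONS request over UDP, which telnet cannot send. The function names are this example's own and the target address is a placeholder from the documentation range; no UDP reply does not prove the port is closed, since a PBX or firewall may silently drop requests from unknown senders.

```python
import socket
import uuid

def tcp_port_state(host, port, timeout=3.0):
    """TCP connect test, the same thing `telnet host port` does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host reachable, nothing listening or forwarded
    except OSError:
        return "filtered"     # timeout or unreachable, typically a firewall drop

def build_options(host, port, local_ip, local_port):
    """Minimal SIP OPTIONS request (RFC 3261), used as a reachability ping."""
    uid = uuid.uuid4().hex
    return "\r\n".join([
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{uid[:16]};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={uid[16:24]}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {uid}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",               # blank line terminates the header block
    ]).encode()

def parse_status(data):
    """Return the numeric status code of a SIP response, or None."""
    parts = data.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0] == b"SIP/2.0" and parts[1].isdigit():
        return int(parts[1])
    return None

def sip_udp_probe(host, port=5060, timeout=3.0):
    """Send OPTIONS over UDP; any status code back proves the path works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(build_options(host, port, *s.getsockname()))
        try:
            return parse_status(s.recv(4096))
        except OSError:       # timeout or ICMP port unreachable
            return None

if __name__ == "__main__":
    target = "203.0.113.10"   # placeholder: substitute your own UCM's public IP
    print({p: tcp_port_state(target, p) for p in (5060, 5061)}, sip_udp_probe(target))
```

Run it from the remote (phone) side of the link; a "filtered" TCP result together with no UDP reply points at the port forward or an upstream device rather than at the phone's account settings.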