Firewalls are commonly used to protect networks, including those that transport voice traffic. Firewalls inspect packet headers and can sometimes also inspect the packet payload. Stateful firewalls additionally maintain state information, so they know which traffic belongs to a permitted flow and should be allowed.
For voice traffic, the protocols that must be permitted are MGCP, H.323, SIP, SCCP, RTP and RTCP. For RTP and RTCP, the number of ports to open is much larger, as it represents thousands of ports.
Also be careful where you place your VPN gateway. If the VPN gateway sits in front of the firewall, the IPsec encapsulation is added or removed there, so the firewall sees the traffic in the clear and can inspect it. If the VPN gateway sits behind the firewall, the firewall can no longer inspect the traffic, which could become a backdoor for an intruder. The same applies to the placement of NAT in your firewall.
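Note also that an application layer gateway (ALG) does not work with signaling encryption: it has to read the signaling to learn which media ports to open, and it cannot do so when the signaling is encrypted.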
Note too that, by default, Cisco firewalls/ALG do not natively support Unity, IPCC Express, IPCC Enterprise, Attendant Console and SCCP video. You must therefore configure your firewall manually to permit traffic on the ports these applications use.
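The ALG behaviour and the RTP/RTCP port problem described above, as an added example that is not part of the original page: a minimal ALG-style inspector reads a SIP/SDP message, opens only the negotiated RTP/RTCP pair, and returns nothing when the signaling is encrypted. The SIP message, addresses, static port range and function names are constructed assumptions for illustration.

```python
import re

# Constructed SIP INVITE with an SDP body (sample data, not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.1.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 24580 RTP/AVP 0 8\r\n"
)

# Constructed stand-in for the same message carried inside an encrypted record.
ENCRYPTED_SIGNALING = b"\x17\x03\x03\x00\x20" + bytes(range(200, 232))

# Assumed static rule for a firewall without ALG: the whole media range is open.
STATIC_RTP_RANGE = range(16384, 32768)


def pinholes_from_signaling(message: bytes):
    """Return the (ip, port) pinholes an ALG-style inspector would open.

    Returns None when the payload is not readable SIP text, which is all the
    inspector sees when the signaling is encrypted.
    """
    try:
        text = message.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not re.match(r"(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3})", text):
        return None
    _, _, body = text.partition("\r\n\r\n")
    session_ip, holes = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):  # session-level address only
            session_ip = line.split()[2]
        elif line.startswith("m="):
            port = int(line.split()[1].split("/")[0])
            if session_ip and port:  # port 0 means the stream is declined
                holes.append((session_ip, port))      # RTP
                holes.append((session_ip, port + 1))  # RTCP, conventionally RTP + 1
    return holes


if __name__ == "__main__":
    print("ALG pinholes:", pinholes_from_signaling(SAMPLE_INVITE.encode()))
    print("Encrypted signaling:", pinholes_from_signaling(ENCRYPTED_SIGNALING))
    print("Ports open with a static rule:", len(STATIC_RTP_RANGE))
```

With readable signaling the inspector opens two ports for the call; when it returns `None`, the only alternative is a static rule covering the whole media range.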