A private network firewall 225 is treated as if it were a media gateway
network entity. Doing so allows a media gateway controller 205 to
exchange messages with the firewall 225 for purposes of securely setting
up and tearing down pinholes in the firewall. This in turn makes it
possible to provide secure VoIP calls between public 250 and private 220
networks. A call server or media gateway controller 205 that is
approving the VoIP communication stream in a private packet data network
requests, via a secure tunnel 230, that the firewall 225 open a pinhole
filter for a specific source and destination address pair corresponding
to media gateway endpoints 210 and 260, respectively, using, for
instance, either MGCP (H.248) or COPS messages. The pinhole filter is
then disabled when the session is complete.
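
The pinhole lifecycle described above, modeled as an added Python example; it is not part of the original text and does not reproduce MGCP, H.248 or COPS message syntax. The HMAC key stands in for secure tunnel 230, and the sequence number, the class and function names, and the addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
from ipaddress import ip_address

def sign(key: bytes, seq: int, op: str, src: str, dst: str) -> bytes:
    """MAC a controller request; stands in for the secure tunnel's integrity protection."""
    return hmac.new(key, f"{seq}|{op}|{src}|{dst}".encode(), hashlib.sha256).digest()

class PinholeFirewall:
    """Default-deny filter: traffic passes only through pinholes the controller opened."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0       # highest request number accepted (anti-replay, assumed)
        self._open = set()       # {(src, dst)} address pairs currently allowed

    def handle(self, seq: int, op: str, src: str, dst: str, tag: bytes) -> bool:
        """Apply an authenticated 'open' or 'close' request; return True if accepted."""
        if op not in ("open", "close"):
            return False
        if not hmac.compare_digest(sign(self._key, seq, op, src, dst), tag):
            return False         # request did not come from the controller
        if seq <= self._last_seq:
            return False         # replayed or stale request
        self._last_seq = seq
        pair = (ip_address(src), ip_address(dst))   # exact pair, no wildcards
        if op == "open":
            self._open.add(pair)
        else:
            self._open.discard(pair)
        return True

    def permits(self, src: str, dst: str) -> bool:
        """Per-packet decision: allow only if a pinhole exists for this exact pair."""
        return (ip_address(src), ip_address(dst)) in self._open

def demo() -> list:
    key = b"constructed-demo-key"                        # constructed sample value
    public_ep, private_ep = "192.0.2.10", "10.0.0.20"    # constructed endpoint addresses
    fw = PinholeFirewall(key)
    results = [fw.permits(public_ep, private_ep)]        # before call setup: denied
    open_msg = (1, "open", public_ep, private_ep, sign(key, 1, "open", public_ep, private_ep))
    fw.handle(*open_msg)
    results.append(fw.permits(public_ep, private_ep))    # during the call: allowed
    results.append(fw.permits("192.0.2.99", private_ep)) # other source: denied
    fw.handle(2, "close", public_ep, private_ep, sign(key, 2, "close", public_ep, private_ep))
    results.append(fw.handle(*open_msg))                 # replay of the old open: rejected
    results.append(fw.permits(public_ep, private_ep))    # after teardown: denied
    return results
```

The replay check matters because a pinhole that outlives its session, or that can be reopened with a captured request, leaves the private network exposed after the call has ended.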