If you are deploying Couchbase behind a secondary firewall, you should open the ports that Couchbase Server uses for communication. In particular, the following ports should be kept open: 11211, 11210, 4369, 8091 and the port range from 21100 to 21199.
The server-side Moxi port is 11211. Pre-existing Couchbase and Memcached (non-smart) client libraries that are outside the 2nd level firewall would just need port 11211 open to work.
If you want to use the web admin console from outside the 2nd level firewall, also open up port 8091 (for REST/HTTP traffic).
If you're using smart clients or client-side Moxi from outside the 2nd level firewall, also open up port 11210 (in addition to the above port 8091), so that the smart client libraries or client-side Moxi can directly connect to the data nodes.
Server-side Couchbase nodes (aka, nodes joined into a Couchbase cluster) need all the above ports open to work: 11211, 11210, 4369 (erlang), 8091, and the port range from 21100 to 21199 (erlang).