Well, CAs communicate via AD replication, either intra-site or inter-site.

If your AD replication is working then there is no problem; you don't need to open a specific port for CA comms.

We have 4 separate sites, all separated by firewall, and they communicate fine through AD replication.

Unless I'm missing something in your question?