Cisco Cisco Expressway
Purpose
Source Destination
Source
IP
IP
Source port Transport
protocol
Dest. IP
Dest.
port
port
Logging
EXPe
Syslog server
192.0.2.2 30000 to
35999
UDP
10.0.0.13 514
Management
EXPe
Cisco TMS
server
server
192.0.2.2 >=1024
TCP
10.0.0.14 80 / 443
LDAP (for log in, if
required)
required)
EXPe
LDAP server
192.0.2.2 30000 to
35999
TCP
389 /
636
636
NTP (time sync)
EXPe
Local NTP
server
server
192.0.2.2 123
UDP
123
DNS
EXPe
Local DNS
server
server
192.0.2.2 >=1024
UDP
53
Traffic destined for logging or management server addresses (using specific destination ports) must be
routed to the internal network.
routed to the internal network.
External firewall configuration requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by
the firewall device.
the firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall – if
enabled this will adversely interfere with the Expressway functionality.
enabled this will adversely interfere with the Expressway functionality.
Inbound (Internet > DMZ)
Purpose
Source
Dest. Source
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
H.323 calls using Assent
Q.931/H.225 and
H.245
H.245
Endpoint EXPe Any
>=1024
TCP
192.0.2.2 2776
RTP Assent
Endpoint EXPe Any
>=1024
UDP
192.0.2.2 36000
RTCP Assent
Endpoint EXPe Any
>=1024
UDP
192.0.2.2 36001
H.323 endpoints with public IP addresses
Q.931/H.225
Endpoint EXPe Any
>=1024
TCP
192.0.2.2 1720
H.245
Endpoint EXPe Any
>=1024
TCP
192.0.2.2 15000 to
19999
RTP & RTCP
Endpoint EXPe Any
>=1024
UDP
192.0.2.2 36002 to
59999
SIP endpoints using UDP / TCP or TLS
SIP TCP
Endpoint EXPe Any
>=1024
TCP
192.0.2.2 5060
SIP UDP
Endpoint EXPe Any
>=1024
UDP
192.0.2.2 5060
SIP TLS
Endpoint EXPe Any
>=1024
TCP
192.0.2.2 5061
Cisco Expressway Basic Configuration Deployment Guide
Page 43 of 57
Appendix 3: Firewall and NAT settings