Cisco Expressway
Inbound (DMZ > Internal network)
Because Expressway-C to Expressway-E communications are always initiated from the Expressway-C to the Expressway-E (the Expressway-E sends messages by responding to the Expressway-C's messages), no ports need to be opened from the DMZ to the internal network for call handling.
However, if the Expressway-E needs to communicate with local services, such as a Syslog server, some of the following NAT configurations may be required:
| Purpose | Source | Destination | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| Logging | EXPe | Syslog server | 192.0.2.2 | 30000 to 35999 | UDP | 10.0.0.13 | 514 |
| Management | EXPe | Cisco TMS server | 192.0.2.2 | >=1024 | TCP | 10.0.0.14 | 80 / 443 |
| LDAP (for log in, if required) | EXPe | LDAP server | 192.0.2.2 | 30000 to 35999 | TCP | | 389 / 636 |
| NTP (time sync) | EXPe | Local NTP server | 192.0.2.2 | 123 | UDP | | 123 |
| DNS | EXPe | Local DNS server | 192.0.2.2 | >=1024 | UDP | | 53 |
Traffic destined for logging or management server addresses (using specific destination ports) must be routed to the internal network.
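As an added illustration (not part of the Cisco guide), the table above can be expressed as an allowlist and used to audit DMZ-to-internal flow records originating from the Expressway-E. The record format, the sample lines and the host 10.0.0.20 are constructed for this example; rows for which the table gives no destination IP match any destination address.

```python
from ipaddress import ip_address

EXPE = "192.0.2.2"  # Expressway-E address used in the guide's table
HIGH = (1024, 65535)  # the table's ">=1024" source-port range

# (purpose, proto, source-port range, dest IP or None, allowed dest ports)
# dest IP is None where the table gives no address for that server.
ALLOWED = [
    ("Logging",    "UDP", (30000, 35999), "10.0.0.13", {514}),
    ("Management", "TCP", HIGH,           "10.0.0.14", {80, 443}),
    ("LDAP",       "TCP", (30000, 35999), None,        {389, 636}),
    ("NTP",        "UDP", (123, 123),     None,        {123}),
    ("DNS",        "UDP", HIGH,           None,        {53}),
]

def classify(src_ip, src_port, proto, dst_ip, dst_port):
    """Return the table row's purpose for a flow, or None if no row permits it."""
    if ip_address(src_ip) != ip_address(EXPE):
        return None
    for purpose, p, (lo, hi), dip, dports in ALLOWED:
        if (proto.upper() == p and lo <= src_port <= hi
                and dst_port in dports
                and (dip is None or ip_address(dst_ip) == ip_address(dip))):
            return purpose
    return None

def audit(lines):
    """Parse 'src:sport PROTO dst:dport' records; return (line, purpose) pairs."""
    results = []
    for line in lines:
        src, proto, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        results.append((line, classify(sip, int(sport), proto, dip, int(dport))))
    return results

# Constructed sample records (not from a real device).
SAMPLE = [
    "192.0.2.2:30412 UDP 10.0.0.13:514",  # syslog: matches Logging
    "192.0.2.2:51000 TCP 10.0.0.14:443",  # TMS over HTTPS: matches Management
    "192.0.2.2:30500 TCP 10.0.0.20:636",  # LDAPS: table gives no dest IP
    "192.0.2.2:40000 TCP 10.0.0.14:22",   # port 22 is not in the table
    "192.0.2.2:29999 UDP 10.0.0.13:514",  # source port outside 30000-35999
]

if __name__ == "__main__":
    for line, purpose in audit(SAMPLE):
        print(f"{'ALLOW ' + purpose if purpose else 'FLAG':<18} {line}")
```

Flows returned with a purpose of `None` are the ones to review: they leave the DMZ for the internal network without a matching row in the table.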
External Firewall Configuration Requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by the firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall; if enabled, this will adversely interfere with Expressway functionality.
Inbound (Internet > DMZ)
| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| H.323 calls using Assent | | | | | | | |
| Q.931/H.225 and H.245 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 2776 |
| RTP Assent | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36000 |
| RTCP Assent | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36001 |
| H.323 endpoints with public IP addresses | | | | | | | |
| Q.931/H.225 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 1720 |
| H.245 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 15000 to 19999 |
| RTP & RTCP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36002 to 59999 |
| SIP endpoints using UDP / TCP or TLS | | | | | | | |
| SIP TCP | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 5060 |
Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide