Cisco Expressway
Appendix 3: Firewall and NAT settings
Internal firewall configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For further information, see .
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if enabled this will adversely interfere with the Expressway functionality.
Outbound (Internal network > DMZ)

Purpose               | Source              | Dest. | Source IP   | Source port      | Transport protocol | Dest. IP  | Dest. port
----------------------|---------------------|-------|-------------|------------------|--------------------|-----------|--------------------------------
Management            | Management computer | EXPe  | As required | >=1024           | TCP                | 192.0.2.2 | 80 / 443 / 22 / 23
SNMP monitoring       | Management computer | EXPe  | As required | >=1024           | UDP                | 192.0.2.2 | 161

H.323 traversal calls using Assent:

Purpose               | Source              | Dest. | Source IP   | Source port      | Transport protocol | Dest. IP  | Dest. port
----------------------|---------------------|-------|-------------|------------------|--------------------|-----------|--------------------------------
Q.931/H.225 and H.245 | EXPc                | EXPe  | Any         | 15000 to 19999   | TCP                | 192.0.2.2 | 2776
RTP Assent            | EXPc                | EXPe  | Any         | 36002 to 59999 * | UDP                | 192.0.2.2 | 36000 *
RTCP Assent           | EXPc                | EXPe  | Any         | 36002 to 59999 * | UDP                | 192.0.2.2 | 36001 *

SIP traversal calls:

Purpose               | Source              | Dest. | Source IP   | Source port      | Transport protocol | Dest. IP  | Dest. port
----------------------|---------------------|-------|-------------|------------------|--------------------|-----------|--------------------------------
SIP TCP/TLS           | EXPc                | EXPe  | 10.0.0.2    | 25000 to 29999   | TCP                | 192.0.2.2 | Traversal zone ports, e.g. 7001
RTP Assent            | EXPc                | EXPe  | 10.0.0.2    | 36002 to 59999 * | UDP                | 192.0.2.2 | 36000 *
RTCP Assent           | EXPc                | EXPe  | 10.0.0.2    | 36002 to 59999 * | UDP                | 192.0.2.2 | 36001 *
* The default media port range is 36000 to 59999. In Large systems the first 12 ports in the range – 36000 to 36011 – are used for multiplexed traffic only. In Small/Medium systems you can either explicitly specify the 2 ports to use for multiplexed traffic or use the first 2 ports from the media port range.
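The outbound table above modelled as a default-deny allow-list, so a proposed flow can be checked against it before a firewall change (an added example, not from the Cisco guide). It assumes that "As required" and "Any" source addresses mean any internal host, that the traversal zone uses the single port 7001 given as the table's "e.g." value, and that the only permitted destination is the Expressway-E address 192.0.2.2.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

EXPE_IP = "192.0.2.2"   # Expressway-E in the DMZ (from the table)
EXPC_IP = "10.0.0.2"    # Expressway-C on the internal network (from the table)
ANY = "any"             # models "As required" / "Any" source IP (assumption)
MEDIA_SRC = (36002, 59999)  # media source ports; excludes multiplexed pair 36000/36001 (footnote *)

@dataclass(frozen=True)
class Rule:
    purpose: str
    src_ip: str                       # exact address or ANY
    src_ports: Tuple[int, int]        # inclusive range
    proto: str                        # "tcp" or "udp"
    dst_ip: str
    dst_ports: Tuple[Tuple[int, int], ...]

OUTBOUND_RULES = (
    Rule("Management: HTTP/HTTPS/SSH/Telnet", ANY, (1024, 65535), "tcp", EXPE_IP,
         ((80, 80), (443, 443), (22, 22), (23, 23))),
    Rule("SNMP monitoring", ANY, (1024, 65535), "udp", EXPE_IP, ((161, 161),)),
    # H.323 traversal calls using Assent
    Rule("H.323 Q.931/H.225 and H.245", ANY, (15000, 19999), "tcp", EXPE_IP, ((2776, 2776),)),
    Rule("H.323 RTP (Assent)", ANY, MEDIA_SRC, "udp", EXPE_IP, ((36000, 36000),)),
    Rule("H.323 RTCP (Assent)", ANY, MEDIA_SRC, "udp", EXPE_IP, ((36001, 36001),)),
    # SIP traversal calls: source restricted to the Expressway-C address; 7001 is the
    # table's example traversal zone port (assumption: a single port is configured).
    Rule("SIP TCP/TLS traversal zone", EXPC_IP, (25000, 29999), "tcp", EXPE_IP, ((7001, 7001),)),
    Rule("SIP RTP (Assent)", EXPC_IP, MEDIA_SRC, "udp", EXPE_IP, ((36000, 36000),)),
    Rule("SIP RTCP (Assent)", EXPC_IP, MEDIA_SRC, "udp", EXPE_IP, ((36001, 36001),)),
)

def _in(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]

def outbound_permitted(src_ip: str, src_port: int, proto: str,
                       dst_ip: str, dst_port: int) -> Optional[str]:
    """Purpose of the first rule matching the flow, or None: everything else is dropped."""
    for r in OUTBOUND_RULES:
        if (r.src_ip in (ANY, src_ip) and r.proto == proto.lower()
                and r.dst_ip == dst_ip and _in(src_port, r.src_ports)
                and any(_in(dst_port, d) for d in r.dst_ports)):
            return r.purpose
    return None

if __name__ == "__main__":
    # Constructed flows; the third uses a multiplexed port as its source and is denied.
    for f in [("10.0.0.50", 50000, "tcp", EXPE_IP, 443), (EXPC_IP, 26000, "tcp", EXPE_IP, 7001),
              (EXPC_IP, 36000, "udp", EXPE_IP, 36000)]:
        print(f, "->", outbound_permitted(*f) or "DENY")
```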
Inbound (DMZ > Internal network)

As Expressway-C to Expressway-E communications are always initiated from the Expressway-C to the Expressway-E (Expressway-E sending messages by responding to Expressway-C’s messages) no ports need to be opened from DMZ to Internal for call handling.
However, if the Expressway-E needs to communicate with local services, such as a Syslog server, some of the following NAT configurations may be required:
Cisco Expressway Basic Configuration Deployment Guide (X8.2)
Page 42 of 57