Cisco Cisco Expressway
Appendix 3: Firewall and NAT Settings
Internal Firewall Configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall
device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For
further information, see
device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For
further information, see
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if enabled this
will adversely interfere with the Expressway functionality.
will adversely interfere with the Expressway functionality.
Outbound (Internal Network > DMZ)
Purpose
Source
Dest.
Source
IP
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
Management
Management
computer
computer
EXPe
As
required
required
>=1024
TCP
192.0.2.2 80 / 443 / 22 / 23
SNMP
monitoring
monitoring
Management
computer
computer
EXPe
As
required
required
>=1024
UDP
192.0.2.2 161
H.323 traversal calls using Assent
Q.931/H.225
and H.245
and H.245
EXPc
EXPe
Any
15000 to
19999
19999
TCP
192.0.2.2 2776
RTP Assent
EXPc
EXPe
Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
EXPc
EXPe
Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36001 *
SIP traversal calls
SIP TCP/TLS
EXPc
EXPe
10.0.0.2 25000 to
29999
TCP
192.0.2.2 Traversal zone
ports, e.g. 7001
RTP Assent
EXPc
EXPe
10.0.0.2 36002 to
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
EXPc
EXPe
10.0.0.2 36002 to
59999 *
UDP
192.0.2.2 36001 *
When ICE is enabled on
Expressway-C
zones and the
Expressway-E
is used as the TURN server
TURN server
control
control
EXPc
EXPe
Any
>=1024
UDP
192.0.2.2 3478 **
TURN server
media
media
EXPc
EXPe
Any
>=1024
UDP
192.0.2.2 24000 to 29999
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are
always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct
range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On
Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the
Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use
configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media
traversal port range (36000 and 36001 by default).
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are
always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct
range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On
Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the
Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use
configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media
traversal port range (36000 and 36001 by default).
56
Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide
Appendix 3: Firewall and NAT Settings