Cisco Expressway
Appendix 3: Firewall and NAT settings
Internal firewall configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For further information, see .
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if enabled this will adversely interfere with the Expressway functionality.
Outbound (Internal network > DMZ)

| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| Management | Management computer | EXPe | As required | >=1024 | TCP | 192.0.2.2 | 80 / 443 / 22 / 23 |
| SNMP monitoring | Management computer | EXPe | As required | >=1024 | UDP | 192.0.2.2 | 161 |
| H.323 traversal calls using Assent | | | | | | | |
| Q.931/H.225 and H.245 | EXPc | EXPe | Any | 15000 to 19999 | TCP | 192.0.2.2 | 2776 |
| RTP Assent | EXPc | EXPe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 * |
| RTCP Assent | EXPc | EXPe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 * |
| SIP traversal calls | | | | | | | |
| SIP TCP/TLS | EXPc | EXPe | 10.0.0.2 | 25000 to 29999 | TCP | 192.0.2.2 | Traversal zone ports, e.g. 7001 |
| RTP Assent | EXPc | EXPe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 * |
| RTCP Assent | EXPc | EXPe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 * |
| When ICE is enabled on Expressway-C zones and the Expressway-E is used as the TURN server | | | | | | | |
| TURN server control | EXPc | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 3478 ** |
| TURN server media | EXPc | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 24000 to 29999 |
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration > Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use configured demultiplexing ports = No), then the
Cisco Expressway Basic Configuration Deployment Guide (X8.6)
Page 42 of 57
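As an added example (not Cisco's code or part of the guide), the outbound rule table above encoded as data in Python: an observed flow can be checked against it when reviewing firewall or NAT logs, and each row can be rendered as an nftables rule line. The EXPe address 192.0.2.2, the EXPc address 10.0.0.2 and the example traversal zone port 7001 are the table's own values; "As required" source addresses are treated as any address, and the sample flows are constructed.

```python
"""Outbound (internal network > DMZ) rule table of this appendix encoded as data, so that
observed flows can be checked against it and equivalent nftables rule lines emitted.
Example code, not Cisco's; 192.0.2.2 (EXPe), 10.0.0.2 (EXPc) and traversal zone port
7001 are the table's values, the sample flows in __main__ are constructed."""
from collections import namedtuple

Rule = namedtuple("Rule", "purpose src_ip src_ports proto dst_ip dst_ports")
ANY, EXPE, EXPC = "Any", "192.0.2.2", "10.0.0.2"

def ports(*specs):
    """ints and (lo, hi) pairs -> inclusive ranges; the table's '>=1024' is (1024, 65535)."""
    return [range(s, s + 1) if isinstance(s, int) else range(s[0], s[1] + 1) for s in specs]

HIGH = ports((1024, 65535))
MEDIA = ports((36002, 59999))  # default media range minus the demultiplex listener pair

RULES = [  # "As required" source addresses are treated as ANY
    Rule("Management", ANY, HIGH, "tcp", EXPE, ports(80, 443, 22, 23)),
    Rule("SNMP monitoring", ANY, HIGH, "udp", EXPE, ports(161)),
    Rule("H.323 Q.931/H.225 and H.245 (Assent)", ANY, ports((15000, 19999)), "tcp", EXPE, ports(2776)),
    Rule("H.323 RTP (Assent)", ANY, MEDIA, "udp", EXPE, ports(36000)),
    Rule("H.323 RTCP (Assent)", ANY, MEDIA, "udp", EXPE, ports(36001)),
    Rule("SIP TCP/TLS traversal zone", EXPC, ports((25000, 29999)), "tcp", EXPE, ports(7001)),
    Rule("SIP RTP (Assent)", EXPC, MEDIA, "udp", EXPE, ports(36000)),
    Rule("SIP RTCP (Assent)", EXPC, MEDIA, "udp", EXPE, ports(36001)),
    Rule("TURN control", ANY, HIGH, "udp", EXPE, ports(3478)),
    Rule("TURN media", ANY, HIGH, "udp", EXPE, ports((24000, 29999))),
]

def match(src_ip, sport, proto, dst_ip, dport):
    """Purpose of the first rule permitting the flow, or None if the firewall should drop it."""
    for r in RULES:
        if (r.proto == proto.lower() and r.dst_ip == dst_ip and r.src_ip in (ANY, src_ip)
                and any(sport in x for x in r.src_ports) and any(dport in x for x in r.dst_ports)):
            return r.purpose
    return None

def _nft_ports(ranges):
    parts = [str(x.start) if len(x) == 1 else f"{x.start}-{x.stop - 1}" for x in ranges]
    return parts[0] if len(parts) == 1 else "{ " + ", ".join(parts) + " }"

def to_nft(rule):
    """Equivalent nftables forward-chain rule (interfaces and chain setup omitted)."""
    src = "" if rule.src_ip == ANY else f"ip saddr {rule.src_ip} "
    return (f"{src}ip daddr {rule.dst_ip} {rule.proto} sport {_nft_ports(rule.src_ports)} "
            f"{rule.proto} dport {_nft_ports(rule.dst_ports)} accept comment \"{rule.purpose}\"")

if __name__ == "__main__":
    print(match(EXPC, 25010, "tcp", EXPE, 7001))   # SIP TCP/TLS traversal zone
    print(match(EXPC, 40000, "udp", EXPE, 36005))  # None: the table opens only the demux pair 36000/36001
    print(*map(to_nft, RULES), sep="\n")
```

The second sample flow is the kind of entry worth flagging in a log review: media towards the Expressway-E on any port other than the demultiplex pair is outside the table and should be dropped.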