Cisco Cisco TelePresence Video Communication Server Expressway
As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable SIP and
H.323 ALGs on routers/firewalls carrying network traffic to or from a VCS Expressway, as, when enabled this is
frequently found to negatively affect the built-in firewall/NAT traversal functionality of the VCS Expressway itself.
This is also mentioned in
H.323 ALGs on routers/firewalls carrying network traffic to or from a VCS Expressway, as, when enabled this is
frequently found to negatively affect the built-in firewall/NAT traversal functionality of the VCS Expressway itself.
This is also mentioned in
Other Deployment Examples
Note:
Using the VCS Expressway as shown in these examples could have a serious impact on your network
Single Subnet DMZ Using Single VCS Expressway LAN Interface and Static NAT
In this case, FW A can route traffic to FW B (and vice versa). VCS Expressway allows video traffic to be passed
through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall traversal on its
public side.
through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall traversal on its
public side.
Figure 14 Single Subnet DMZ - Single LAN Interface and Static NAT
This deployment consists of the following elements:
■
Single subnet DMZ (10.0.10.0/24) with the following interfaces:
—
Internal interface of firewall A – 10.0.10.1
—
External interface of firewall B – 10.0.10.2
—
LAN1 interface of VCS Expressway – 10.0.10.3
■
LAN subnet (10.0.30.0/24) with the following interfaces:
—
Internal interface of firewall B – 10.0.30.1
—
LAN1 interface of VCS Control – 10.0.30.2
—
Network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1 address of
the VCS Expressway. Static NAT mode is enabled for LAN1 on the VCS Expressway, with a static NAT address of
64.100.0.10.
the VCS Expressway. Static NAT mode is enabled for LAN1 on the VCS Expressway, with a static NAT address of
64.100.0.10.
__________________________________________________________________
Note:
You must enter the FQDN of the VCS Expressway, as it is seen from outside the network, as the peer address on the
VCS Control's secure traversal zone. The reason for this is that in static NAT mode, the VCS Expressway requests
that incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
VCS Control's secure traversal zone. The reason for this is that in static NAT mode, the VCS Expressway requests
that incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
This also means that the external firewall must allow traffic from the VCS Control to the VCS Expressway's
external FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
external FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
__________________________________________________________________
70
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
Appendix 4: Advanced Network Deployments