Cisco TelePresence Video Communication Server Expressway
Other Deployment Examples
Note:
Using the VCS Expressway as shown in these examples could have a serious impact on your network bandwidth,
. Read
Single Subnet DMZ Using Single VCS Expressway LAN Interface and Static NAT
In this case, FW A can route traffic to FW B (and vice versa). VCS Expressway allows video traffic to be passed through
FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall traversal on its public side.
This deployment consists of:
■ a single subnet DMZ – 10.0.10.0/24, containing:
  — the internal interface of firewall A – 10.0.10.1
  — the external interface of firewall B – 10.0.10.2
  — the LAN1 interface of the VCS Expressway – 10.0.10.3
■ a LAN subnet – 10.0.30.0/24, containing:
  — the internal interface of firewall B – 10.0.30.1
  — the LAN1 interface of the VCS Control – 10.0.30.2
  — the network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1 address of the
VCS Expressway. Static NAT mode has been enabled for LAN1 on the VCS Expressway, with a static NAT address of
64.100.0.10.
__________________________________________________________________
Note:
You must enter the FQDN of the VCS Expressway, as it is seen from outside the network, as the peer address on the
VCS Control's secure traversal zone. The reason for this is that in static NAT mode, the VCS Expressway requests that
incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
This also means that the external firewall must allow traffic from the VCS Control to the VCS Expressway's external
FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
__________________________________________________________________
So, in this example, firewall A must allow NAT reflection of traffic coming from the VCS Control that is destined for the
external address, that is 64.100.0.10, of the VCS Expressway. The traversal zone on the VCS Control must have
64.100.0.10 as the peer address.
The VCS Expressway should be configured with a default gateway of 10.0.10.1. Whether or not static routes are needed
in this scenario depends on the capabilities and settings of FW A and FW B. VCS Control to VCS Expressway
communications will be to the 64.100.0.10 address of the VCS Expressway; the return traffic from the VCS Expressway
to VCS Control might have to go via the default gateway. If a static route is added to the VCS Expressway so that reply
traffic goes from the VCS Expressway and directly through FW B to the 10.0.30.0/24 subnet, this will mean that
asymmetric routing will occur and this may or may not work, depending on the firewall capabilities.
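The routing caveat above can be checked with a small model. This is an added example, not part of the Cisco guide: it uses the addresses from this deployment, the two routing tables are constructed, and it assumes FW A rewrites only the destination address of reflected traffic.

```python
import ipaddress

# Addresses from the deployment described above.
FW_A, FW_B = "10.0.10.1", "10.0.10.2"    # DMZ-side firewall interfaces
VCS_C, VCS_E = "10.0.30.2", "10.0.10.3"  # LAN1 of VCS Control / VCS Expressway
VCS_E_PUBLIC = "64.100.0.10"             # static NAT address held by FW A

# Candidate routing tables for the VCS Expressway (constructed for this example).
DEFAULT_ONLY = [("0.0.0.0/0", FW_A)]
WITH_STATIC = DEFAULT_ONLY + [("10.0.30.0/24", FW_B)]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        raise ValueError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def analyse(routes):
    """Compare request and reply paths between VCS Control and VCS Expressway."""
    # Request to 64.100.0.10: FW B forwards to FW A, which reflects the
    # static NAT back into the DMZ towards 10.0.10.3.
    request = ["FW B", "FW A"]
    gw = next_hop(routes, VCS_C)  # first hop of the reply to 10.0.30.2
    if gw == FW_A:
        reply = ["FW A", "FW B"]  # FW A reverses the NAT before FW B sees it
    elif gw == FW_B:
        reply = ["FW B"]          # FW A, which holds the NAT state, is bypassed
    else:
        raise ValueError(f"unexpected gateway {gw}")
    return {
        "reply_first_hop": gw,
        "symmetric": reply == request[::-1],
        # Assumption: FW A rewrites only the destination of reflected traffic,
        # so a reply that bypasses it keeps the private source address.
        "source_seen_by_fw_b": VCS_E_PUBLIC if "FW A" in reply else VCS_E,
    }

if __name__ == "__main__":
    for name, table in (("default only", DEFAULT_ONLY), ("with static", WITH_STATIC)):
        print(name, analyse(table))
```

With the static route, FW B sees a reply from 10.0.10.3 for a session it recorded towards 64.100.0.10, which is the case a stateful firewall may drop.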
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide