Cisco TelePresence Video Communication Server Expressway
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1
In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is
only reachable via LAN1.
If firewall B is not doing NAT and the VCS Expressway needs to communicate with devices in subnets other
than 10.0.30.0 which are also located behind firewall B (for example for communicating with management
stations for HTTPS and SSH management or for reaching network services such as NTP, DNS, LDAP/AD
and syslog servers), static routes will also have to be added for these devices/subnets.
The xCommand RouteAdd command and its syntax are described in full detail in the VCS Administrator Guide.
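An added example (not from the Cisco guide): a Python helper that turns the subnets behind firewall B into xCommand RouteAdd lines in the syntax shown above, skipping destinations that are directly connected or already routed and rejecting a gateway that is not on the interface's subnet. The LAN1 subnet 10.0.20.0/24 and the 10.0.40.x and 10.0.50.0/24 destination subnets are assumptions constructed for illustration.

```python
import ipaddress

ROUTE_FMT = ("xCommand RouteAdd Address: {addr} PrefixLength: {plen} "
             "Gateway: {gw} Interface: {iface}")

def route_commands(destinations, gateway, interface, iface_network, existing=()):
    """Build RouteAdd lines for subnets behind the inner firewall.

    destinations  -- CIDR strings the Expressway must reach via the gateway
    gateway       -- next hop (firewall address on the Expressway-side subnet)
    interface     -- value for the Interface parameter, e.g. "LAN1"
    iface_network -- subnet of that interface (assumed known to the operator)
    existing      -- CIDR strings already covered by static routes
    """
    gw = ipaddress.ip_address(gateway)
    link = ipaddress.ip_network(iface_network)
    if gw not in link:
        # A next hop that is not on the interface's subnet cannot be reached.
        raise ValueError(f"gateway {gw} is not on {interface} subnet {link}")

    covered = [ipaddress.ip_network(n) for n in existing]
    # collapse_addresses drops duplicates and merges adjacent halves without
    # widening the routed range beyond what was requested.
    wanted = ipaddress.collapse_addresses(
        ipaddress.ip_network(d) for d in destinations)

    commands = []
    for net in wanted:
        if net.subnet_of(link):
            continue  # directly connected, no static route needed
        if any(net.subnet_of(c) for c in covered):
            continue  # an existing static route already covers it
        commands.append(ROUTE_FMT.format(addr=net.network_address,
                                         plen=net.prefixlen, gw=gw,
                                         iface=interface))
    return commands

# Constructed sample input: subnets behind firewall B holding management
# stations and NTP/DNS/syslog servers (addresses are illustrative only).
SAMPLE_DESTINATIONS = ["10.0.30.0/24", "10.0.40.0/25", "10.0.40.128/25",
                       "10.0.50.0/24", "10.0.20.128/25"]

if __name__ == "__main__":
    for line in route_commands(SAMPLE_DESTINATIONS, "10.0.20.1", "LAN1",
                               "10.0.20.0/24", existing=["10.0.30.0/24"]):
        print(line)
```

Keeping each route as narrow as the subnets that actually host management or network services limits what the DMZ host can reach through firewall B.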
Example deployments
The following section contains additional reference designs which depict other possible deployment
scenarios.
Single subnet DMZ using single VCS Expressway LAN interface
In this case, FW A can route traffic to FW B (and vice versa). VCS Expressway allows video traffic to be
passed through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall
traversal on its public side.
This deployment consists of:
- a single subnet DMZ – 10.0.10.0/24, containing:
  - the internal interface of firewall A – 10.0.10.1
  - the external interface of firewall B – 10.0.10.2
  - the LAN1 interface of the VCS Expressway – 10.0.10.3
- a LAN subnet – 10.0.30.0/24, containing:
  - the internal interface of firewall B – 10.0.30.1
  - the LAN1 interface of the VCS Control – 10.0.30.2
  - the network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the VCS Expressway. Static NAT mode has been enabled for LAN1 on the VCS Expressway,
with a static NAT address of 64.100.0.10.
The traversal client zone on the VCS Control needs to be configured with a peer address which matches the
static NAT address of the VCS Expressway, in this case 64.100.0.10. This is because, since the VCS
Expressway has static NAT mode enabled, it will request that incoming signaling and media traffic should be
sent to its static NAT address, which means that the traversal client zone has to be configured accordingly.
This means that firewall A must allow traffic from the VCS Control with a destination address of
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide
Appendix 4: Advanced network deployments