Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 4 – Static NAT and Dual Network Interface architectures
Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide
Page 58 of 69
Appendix 4 – Static NAT and Dual Network
Interface architectures
Interface architectures
Prerequisites
Deploying a VCS Expressway behind a NAT mandates the use of the Dual Network Interfaces option key.
It enables the static NATing functionality of the VCS Expressway as well as dual network interfaces.
Although certain call scenarios involving a VCS-E behind NAT could potentially work with the help of
router/firewall-based ALGs, proper functionality cannot be guaranteed; you must use the VCS to perform the
static NATing on its own interface. More background on this can be found in the
It enables the static NATing functionality of the VCS Expressway as well as dual network interfaces.
Although certain call scenarios involving a VCS-E behind NAT could potentially work with the help of
router/firewall-based ALGs, proper functionality cannot be guaranteed; you must use the VCS to perform the
static NATing on its own interface. More background on this can be found in the
When deploying a VCS-E behind a NAT with static NAT configuration in place on the VCS-E, it is highly
recommended to disable SIP and H.323 ALGs (SIP / H.323 awareness) on routers/firewalls carrying network
traffic to or from the VCS-E (experience shows that these tend to be unable to handle video traffic properly).
recommended to disable SIP and H.323 ALGs (SIP / H.323 awareness) on routers/firewalls carrying network
traffic to or from the VCS-E (experience shows that these tend to be unable to handle video traffic properly).
Although the Dual Network Interfaces option is available for both the VCS Expressway and VCS Control,
only the Expressway supports static NAT.
only the Expressway supports static NAT.
Background
When deploying a VCS Expressway for business to business communications, or for supporting home
workers and travelling workers, it is usually desirable to deploy the Expressway in a NATed DMZ rather than
having the Expressway configured with a publicly routable IP address.
workers and travelling workers, it is usually desirable to deploy the Expressway in a NATed DMZ rather than
having the Expressway configured with a publicly routable IP address.
Network Address Translation (NAT) poses a challenge with SIP and H.323 applications, as with these
protocols, IP addresses and port numbers are not only used in OSI layer 3 and 4 packet headers, but are also
referenced within the packet payload data of H.323 and SIP messages themselves.
protocols, IP addresses and port numbers are not only used in OSI layer 3 and 4 packet headers, but are also
referenced within the packet payload data of H.323 and SIP messages themselves.
This usually breaks SIP/H.323 call signaling and RTP media packet flows, since NAT routers/firewalls will
normally translate the IP addresses and port numbers of the headers, but leave the IP address and port
references within the SIP and H.323 message payloads unchanged.
normally translate the IP addresses and port numbers of the headers, but leave the IP address and port
references within the SIP and H.323 message payloads unchanged.
To provide an example of this, assume you have a VCS Expressway deployed behind a NAT router and two
endpoints. The VCS-E has static NAT disabled on LAN2, but the NAT router is configured with a static 1:1
NAT, NATing the public address 64.100.0.10 to the VCS-E LAN2 IP address 10.0.10.2:
endpoints. The VCS-E has static NAT disabled on LAN2, but the NAT router is configured with a static 1:1
NAT, NATing the public address 64.100.0.10 to the VCS-E LAN2 IP address 10.0.10.2:
Figure 2: Example NAT deployment
n
NAT router with local IP address 10.0.10.1 and NAT IP address 64.100.0.10, statically NATed to 10.0.10.2
n
VCS-E LAN1 (internally-facing interface) with IP address 10.0.20.2