Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 4 – Static NAT and Dual Network Interface architectures
Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide
Page 65 of 69
Example deployments
The following section contains additional reference designs which depict other possible deployment
scenarios.
scenarios.
Single subnet DMZ using single VCS-E LAN interface
In this case, FW A can route traffic to FW B (and vice versa). VCS-E allows video traffic to be passed
through FW B without pinholing FW B from outside to inside. VCS-E also handles firewall traversal on its
public side.
through FW B without pinholing FW B from outside to inside. VCS-E also handles firewall traversal on its
public side.
Figure 7: Single subnet DMZ using single LAN interface
This deployment consists of:
n
a single subnet DMZ – 10.0.10.0/24, containing:
l
the internal interface of firewall A – 10.0.10.1
l
the external interface of firewall B – 10.0.10.2
l
the LAN1 interface of the VCS-E – 10.0.10.3
n
a LAN subnet – 10.0.30.0/24, containing:
l
the internal interface of firewall B – 10.0.30.1
l
the LAN1 interface of the VCS-C – 10.0.30.2
l
the network interface of TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the VCS-E. Static NAT mode has been enabled for LAN1 on the VCS-E, with a static NAT
address of 64.100.0.10.
address of the VCS-E. Static NAT mode has been enabled for LAN1 on the VCS-E, with a static NAT
address of 64.100.0.10.
The traversal client zone on the VCS-C needs to be configured with a peer address which matches the static
NAT address of the VCS-E, in this case 64.100.0.10. This is because, since the VCS-E has static NAT
mode enabled, it will request that incoming signaling and media traffic should be sent to its static NAT
address, which means that the traversal client zone has to be configured accordingly.
NAT address of the VCS-E, in this case 64.100.0.10. This is because, since the VCS-E has static NAT
mode enabled, it will request that incoming signaling and media traffic should be sent to its static NAT
address, which means that the traversal client zone has to be configured accordingly.
This means that firewall A must allow traffic from the VCS-C with a destination address of
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
The VCS-E should be configured with a default gateway of 10.0.10.1. Whether or not static routes are
needed in this scenario depends on the capabilities and settings of FW A and FW B. VCS-C to VCS-E
communications will be to the 64.100.0.10 address of the VCS-E; the return traffic from the VCS-E to VCS-C
might have to go via the default gateway. If a static route is added to the VCS-E so that reply traffic goes
from the VCS-E and directly through FW B to the 10.0.30.0/24 subnet, this will mean that asymmetric routing
will occur and this may or may not work, depending on the firewall capabilities.
needed in this scenario depends on the capabilities and settings of FW A and FW B. VCS-C to VCS-E
communications will be to the 64.100.0.10 address of the VCS-E; the return traffic from the VCS-E to VCS-C
might have to go via the default gateway. If a static route is added to the VCS-E so that reply traffic goes
from the VCS-E and directly through FW B to the 10.0.30.0/24 subnet, this will mean that asymmetric routing
will occur and this may or may not work, depending on the firewall capabilities.