Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 4 – Static NAT and Dual Network Interface architectures
Cisco VCS Deployment Guide: Basic configuration – VCS Control with VCS Expressway
The VCS-E can be added to TMS with the IP address 10.0.10.3 (or with IP address 64.100.0.10 if FW A
allows this), since TMS management communications are not affected by static NAT mode settings on the
VCS-E.
3-port firewall DMZ using single VCS-E LAN interface
Figure 8: 3-port firewall DMZ using single VCS-E LAN interface
In this deployment, a 3-port firewall is used to create:
- a DMZ subnet (10.0.10.0/24), containing:
  - the DMZ interface of firewall A - 10.0.10.1
  - the LAN1 interface of the VCS-E - 10.0.10.2
- a LAN subnet (10.0.30.0/24), containing:
  - the LAN interface of firewall A - 10.0.30.1
  - the LAN1 interface of the VCS-C - 10.0.30.2
  - the network interface of TMS - 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the VCS-E. Static NAT mode has been enabled for LAN1 on the VCS-E, with a static NAT
address of 64.100.0.10.
The VCS-E should be configured with a default gateway of 10.0.10.1. Since this gateway must be used for all
traffic leaving the VCS-E, no static routes are needed in this type of deployment.
The traversal client zone on the VCS-C needs to be configured with a peer address which matches the static
NAT address of the VCS-E, in this case 64.100.0.10, for the same reasons as those described in the
previous example deployment, "Single subnet DMZ using single VCS-E LAN interface".
This means that firewall A must allow traffic from the VCS-C with a destination address of
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
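The addressing rules above can be checked before a change is deployed. The following is an added example, not part of the Cisco guide: it validates the plan for this deployment and derives the reflected flow that firewall A must permit. The dictionary keys and function names are hypothetical; the addresses are the ones given in this section.

```python
import ipaddress

# Addressing plan from the 3-port firewall DMZ deployment in this section.
# Key names are hypothetical, chosen for this example only.
PLAN = {
    "dmz_subnet": "10.0.10.0/24",
    "lan_subnet": "10.0.30.0/24",
    "fw_dmz_ip": "10.0.10.1",
    "vcs_e_lan1": "10.0.10.2",
    "vcs_e_gateway": "10.0.10.1",
    "vcs_e_static_nat": "64.100.0.10",
    "vcs_c_lan1": "10.0.30.2",
    "vcs_c_peer_address": "64.100.0.10",
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    dmz, lan = net(plan["dmz_subnet"]), net(plan["lan_subnet"])
    findings = []
    if ip(plan["vcs_e_lan1"]) not in dmz:
        findings.append("VCS-E LAN1 is outside the DMZ subnet")
    if ip(plan["vcs_e_gateway"]) != ip(plan["fw_dmz_ip"]):
        findings.append("VCS-E default gateway is not firewall A's DMZ interface")
    if ip(plan["vcs_c_lan1"]) not in lan:
        findings.append("VCS-C LAN1 is outside the LAN subnet")
    if ip(plan["vcs_c_peer_address"]) != ip(plan["vcs_e_static_nat"]):
        findings.append("traversal client zone peer address differs from "
                        "the VCS-E static NAT address")
    return findings

def reflected_flow(plan):
    """Return the flow needing NAT reflection on firewall A, or None."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    src, dst = ip(plan["vcs_c_lan1"]), ip(plan["vcs_c_peer_address"])
    inside = (net(plan["dmz_subnet"]), net(plan["lan_subnet"]))
    # Reflection applies when an inside host targets the public NAT address.
    if any(src in n for n in inside) and dst == ip(plan["vcs_e_static_nat"]):
        return {"src": str(src), "dst": str(dst),
                "translated_dst": plan["vcs_e_lan1"]}
    return None

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
    print("firewall A must permit and reflect:", reflected_flow(PLAN))
```
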
The VCS-E can be added to TMS with the IP address 10.0.10.2 (or with IP address 64.100.0.10 if FW A
allows this), since TMS management communications are not affected by static NAT mode settings on the
VCS-E.