Showing results for 
Search instead for 
Did you mean: 

Andrei Fokin

Access to CWMS (Public VIP) over NAT

Colleagues, hello!

I developed in the test CWMS 2.5 environment on 50 users on Split-Horizon topology. I allocated external static IP and I adjusted static NAT for this address to the IRP server address Public VIP. I can't access ещ CWMS through external IP, while on Public VIP I acccess normally. I.e. if I access to external IP my browser show "ERR_EMPTY_RESPONSE" and if I access to Public VIP - everything is normal, the invitation to input of login and the password is issued. It is sure that NAT is adjusted correctly. Why I can't to access over NAT? Any ideas?

My NAT string:
ip nat inside source static X.X.X.X Y.Y.Y.Y

, where X.X.X.X - Private VIP, Y.Y.Y.Y - external IP


ping to Y.Y.Y.Y response successfully.

Nishad Ismail

Am also getting the same kind of error

I am getting the error  while accessing

experts please suggest

There isn't enough information to understand your deployment to be able to provide any meaningful advice. Can you please add more details about your deployment and the issue itself?

Thank you.


CWMS Split DNS deployment..

50 ports deployment --IRP Server in DMZ ---Admin Server in Internal Netwok

IRP server shows connected to the Admin server

We are able to access WebEx services from internal network ,Public access enabled in the CWMS ,Public VIP is same Subnet of the IRP real IP

Public VIP is Nated to one Public IP from the ISP ,Port 443,80 is opened

In Public DNS server ,meeting URL is resolves to Public ip address

When access the URL from outside ,Giving the certificate trust error and giving error "ERR_EMPTY_RESPONSE"(Chrome)

This page can’t be displayed(Explorer)

Thank you, Nishad.

If in CWMS Dashbaord, IRP shows as Good and everything seems to be fine, you can run an easy and quick test to ensure IRP is working fine.

First, if your DMZ firewall allows connection to PUBLIC VIP on IRP VM on port 443, check if you can connect from internal machine to PUBLIC VIP via port 443.

For example: publicVIPIPaddress =

telnet 443

If that connects, means your IRP VM has Public VIP up and running and accepts connections on port 443.

Since you are using Split-Horizon DNS, currently, internally your WebEx Site URL is routed to Private VIP on Admin VM. To bypass that and go to Public VIP internally do the following:

1. Open Notepad (Run as Administrator)

2. File > Open and browse to c:\Windows\System32\Drivers\etc\hosts file

3. In hosts file add the entry with PUBLIC VIP Ip address configured on the IRP VM and WebEx Site URL

For example:

4. Save the change, but don't close the file just yet as you will remove this entry after testing is done.

5. Open Command Prompt and ping (WebEx Site URL), and confirm that now it resolves with the Public VIP IP.

6. Once confirmed that your machine is sending requests for Webex Site URL to Public VIP on IRP VM, open the browser and try accessing WebEx Site URL.

If this works fine, it means IRP is working fine, and internally you can access WebEx Site using Public VIP. Hence, you are having an issue with NAT-ing on the external firewall where the requests are not properly routed to PUBLIC VIP.

Try this and let me know how it goes.


Hi Dejan,

It was really great explanation.

We were not able to access webEx through IRP ,Even we tested from Same subnet of the IRP server 

Finally we got to know ,The internal firewall blocking few ports between Admin and IRP server .

Now the IRP server is working fine

I am glad to hear that all is working fine now, Nishad.

Take care,


Content for Community-Ad