Beginner

vcse server nat on firepower

We have vcsc and vcse servers.

The private IP of vcsc is supposed to reach the public IP of vcse in order to work properly on the local network.

Although we wrote a manual NAT rule, the vcsc server cannot ping the public IP of vcse.

Note that both servers are on the same network.

Attached you can see the NAT rules we wrote.

Can you help me with this issue?

3 REPLIES 3
VIP Advisor

Re: vcse server nat on firepower

Hi

Not sure I get you correctly.

You want to reach the vcse public IP from vcsc?

If so, why do you want to NAT vcsc to the vcse public IP?

If these 2 servers have different IPs, why did you say they're in the same network?

On your 2nd screenshot, what's NET_ALL?

On your 1st screenshot, a few remarks:

- set your NAT source and destination interface

- you should have your vcsc server as original source and any as destination

- and public IP as translated source and keep any as destination

But again, you don't want to NAT your vcsc with the vcse public IP.

Your requirement is reachability? Because you can't just authorize traffic using ACL and routing with natting traffic (NAT exemption).

Otherwise you have to NAT to a different public IP or NAT using your outside interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: vcse server nat on firepower

Thank you for your reply.

I guess I can express the issue more clearly with the scenario below.

Let's assume that:

fw public network 10.34.110.0/24

local network 10.10.10.0/24

vcsc

public ip 10.34.110.50

private ip 10.10.10.50

vcse

public ip 10.34.110.51

private ip 10.10.10.51

We want to ping 10.34.110.51 from 10.10.10.50.

What can you suggest for this?
VIP Advisor

Re: vcse server nat on firepower

Ok, I get it: you want to ping your vcse public IP from the vcsc private IP.

Is this an Expressway deployment? Because normally you should have vcsc on your private LAN and vcse on your DMZ. I'm not a voice guy, but taking a look at the deployment guide, this is what's shown.

I believe vcsc isn't able to route traffic.

Anyway, if you still want to allow the private IP of vcsc to access the public IP of vcse, you have 2 solutions:

 - NAT your vcsc private IP to a public IP that's not already in use on a specific interface and managed by your firewall, like a new IP or using the interface IP.

 - Or allow routing and add a NAT exemption for this traffic.

Can you confirm that it's Expressway you're trying to deploy?

Take a look at this deployment guide:

https://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-9/Cisco-VCS-Basic-Configuration-Control-with-Expressway-Deployment-Guide-X8-9.pdf

If you need more assistance with this deployment, I would suggest opening a new thread on this forum in the voice category.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question