12-01-2011 10:38 AM - edited 03-13-2019 07:38 PM
I have an implementation where I have 2 VCS Control and 1 VCS Expressway, software version X6. The end customer has an Internet firewall (Fortinet) working in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory to put the Expressway in front of the firewall with a valid Internet IP address on it? Is it possible to put the Expressway behind the firewall and configure a NAT for it? Does it make sense to have VCS Control and VCS Expressway in the IP subnet without NAT between them?
Thanks in advance.
Everaldo
12-23-2011 02:39 AM
Hi Andreas,
Thanks for your quick and thorough explanation!
This is very helpful.
But I am wondering about one more thing - aren't the modern firewalls capable of changing the IP addresses in the payloads of SIP/H323 messages?
Maciek
12-23-2011 03:02 AM
Hi Maciek,
although many firewalls have SIP and H323 ALG capabilities which might work well for voice applications, my experience is that application-aware firewalls are usually not able to perform the required modifications for H323 and SIP traffic involving complex video with functions such as encryption, H.239 and similar. Many firewalls support only older versions of H323, for example, and will therefore have problems when trying to inspect and modify H323 and SIP traffic generated by modern endpoints.
Also, the same firewalls would not be able to inspect/modify the contents of TLS-based SIP traffic since this is encrypted (and therefore should be the signalling type which you would want to use).
Because of the above reasons, the dual network interface option key is required in order to be eligible for support for VCS-E deployments in a NAT/DMZ environment.
Regards
Andreas
12-23-2011 06:07 AM
Hi Andreas,
Thanks for the comment.
One last question - why can't you point the VCS Control to the private IP address of Expressway?
It is NATted anyway.
Kind regards
Maciek
12-30-2011 01:59 AM
Maciek,
you shouldn't point the VCS Control towards the actual (private) IP address of the VCS-E interface which has static NAT enabled on it, since all SIP and H323 traffic sent out this interface on the VCS-E will have the relevant SIP and H323 payloads rewritten to make it appear as if this interface actually has the static NAT address. This causes a mismatch between the client and server end of the traversal zone, which will induce problems when attempting to set up calls across this zone.
Regards
Andreas
01-02-2012 03:03 AM
Hi Andreas,
Since I don't have the Dual Network Interface license yet, I have configured the VCS Control to point to the private IP address of Expressway 192.168.x.x.
And surprisingly, calls to external aliases work.
However, they do not work to external IP addresses (the Indirect / Direct "calls to unknown IP addresses" settings are correct).
Any ideas why calls to aliases work and to IP addresses don't?
Kind Regards
Maciek
01-02-2012 03:13 AM
Maciek,
the reason for the 'Dual network interfaces' option being a requirement in scenarios with the VCS-E located behind a NAT/in a private DMZ is exactly this: some call scenarios (in fact, most scenarios) will not work properly unless the VCS-E rewrites certain parts of the H323 and SIP payloads.
When this is not done, you will see calls failing to connect properly or one-way media, depending on the call scenario and direction of the call.
I can't tell you straight up why your particular scenario does not work, but in any case it does not really matter, since the only supported deployment for a VCS-E behind NAT and/or in a private DMZ warrants the use of the Dual NIC option.
Best regards
Andreas
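To illustrate the mismatch Andreas describes in his two replies above, here is an added Python model (not Cisco code, and not from any poster): a constructed SIP INVITE carrying the private DMZ address is rewritten the way a static-NAT-enabled VCS-E interface rewrites its Via, Contact and SDP lines, and a check shows that a traversal client zone pointed at the private address no longer matches anything in the signalling it receives. All addresses are constructed for the example.

```python
import re

# Constructed addresses for the example: the private address of the VCS-E's
# NATted interface and the public static NAT address assigned to it.
VCSE_PRIVATE_IP = "192.168.10.5"
VCSE_STATIC_NAT_IP = "203.0.113.10"

# Constructed SIP INVITE as it would look before the VCS-E applies its static
# NAT rewriting (only the headers relevant to the example are included).
SAMPLE_INVITE = (
    "INVITE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.10.5:5061;branch=z9hG4bK776\r\n"
    "Contact: <sip:vcse@192.168.10.5:5061;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.10.5\r\n"
    "c=IN IP4 192.168.10.5\r\n"
    "m=audio 50000 RTP/AVP 0\r\n"
)


def rewrite_for_static_nat(msg: str, private_ip: str, nat_ip: str) -> str:
    """Model of the behaviour described in the thread: every occurrence of the
    interface's private address in the SIP headers and SDP body is replaced
    with the static NAT address, so the far side believes the interface owns
    the public address."""
    pattern = re.compile(r"\b" + re.escape(private_ip) + r"\b")
    return pattern.sub(nat_ip, msg)


def signalling_addresses(msg: str) -> set:
    """Collect the IPv4 addresses a peer would act on: Via, Contact and the
    SDP origin (o=) and connection (c=) lines."""
    addrs = set()
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:", "o=", "c=")):
            addrs.update(re.findall(r"\d+\.\d+\.\d+\.\d+", line))
    return addrs


def traversal_zone_mismatch(peer_address: str, msg: str) -> bool:
    """True when the address the VCS-C traversal client zone points at does
    not appear in the signalling it gets back, i.e. the client and server
    ends of the zone disagree about the VCS-E's address."""
    return peer_address not in signalling_addresses(msg)
```

With the VCS-C pointed at the private address the mismatch is reported; pointed at the static NAT address (reachable only if the firewall supports NAT reflection, as discussed later in the thread) it is not.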
01-02-2012 03:59 AM
Andreas,
You mean in order to be able to open a TAC case and receive support you need to have this option, right?
Kind regards
Maciek
01-02-2012 04:17 AM
Yes that is correct.
- Andreas
01-02-2012 04:40 AM
Thanks Andreas for your time. Your help is highly appreciated.
01-02-2012 06:47 AM
Hi Andreas!
Regarding NAT and pointing to the external ip.
I have not had a customer case with the VCS, but I have seen various NAT and DMZ installations where it was not possible to connect from the inside to the external NAT address. So your suggested method of pointing to the external IP might not work.
I have seen it on a Cisco NAT as well, and I have also seen a DNS workaround there which automatically translated the NAT IP to the internal one instead of the external one for internal lookups, but this would also just point to the internal IP, ...
Sure, the easiest workaround would be to use the second interface just for the internal traversal zone and the "NATed" interface for the external communication (though I guess I am right in assuming that both IPs must not be in the same L3 network).
But I would still like the idea that the VCS-C and -E would be able to handle a traversal zone pointing to the internal IP of the "NATed" interface.
Martin
01-23-2012 11:16 AM
Hi Martin,
I fully agree with you: routing the external IP from an internal subnet to the DMZ would be very tricky. There should be the possibility to set the external NAT IP based on source IPs instead of setting it on a dedicated NIC. Some customers do have several static 1:1 NATs from/to foreign networks, and I believe the only way to solve this today is to set up a dedicated VCS-E per foreign network.
Additionally, I'm wondering if there is no "simple solution" for the most common scenario:
3 network segments: Internal (private IPs), DMZ (private IPs), Internet (public IPs with port forwarding/1:1 NAT to the DMZ).
Because of the restriction that you're not allowed to put both VCS-E NICs into the same subnet (in our case the DMZ) and the fact that the NAT IP would also be used towards the VCS-C on the internal LAN, I do not see a working solution for that very common case.
Any ideas from Cisco on that?
cheers
Tino
01-25-2012 12:58 AM
Tino,
from what I understand, the scenario which you are describing resembles a 3-port firewall. If this is the case, why are you not able to allow the VCS-C to communicate with the public NAT address of the VCS-E? This should be possible with the use of NAT reflection.
It would be helpful if you could describe in more detail why this scenario poses a challenge in your environment.
Thanks,
Andreas
01-25-2012 08:44 AM
Hi Andreas,
let's say I've got the following common scenario:
Usually, direct traffic between Firewall1 and Firewall2 is not allowed, like Martin mentioned before.
Questions:
Thanks
Tino
01-25-2012 02:12 PM
Tino,
for this design, it would make sense to connect LAN1 of the VCS-E to the DMZ firewall subnet and LAN2 of the VCS-E to the Internet firewall subnet, with static NAT enabled for the LAN2 interface of the VCS-E. LAN1 and LAN2 need to be in separate, non-overlapping subnets. With this deployment, the VCS-E would not route any network packets, and the only data which would be proxied between LAN1 and LAN2 would be the payload data of RTP media packets and H323/SIP signaling.
This way, the VCS-C will be set up with a traversal client zone towards the LAN1 address of the VCS-E, while external endpoints can register to the public NAT address of the VCS-E.
Why would you need multiple public static NAT addresses for the VCS-E? As long as the public NAT address is publicly routable and accessible for devices connecting via the Internet, you shouldn't need to assign multiple static NAT addresses to the VCS-E (the VCS-E is in any case limited to a single public NAT address).
Regards
Andreas
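The design rules Andreas lays out above (separate, non-overlapping subnets for LAN1 and LAN2, static NAT on the Internet-facing interface only, the VCS-C traversal client zone peering with the non-NATted interface) can be checked before a deployment. The following is an added Python planning check written for this thread, not a Cisco tool; interface names, addresses and the plan structure are constructed for the example, and the one-NIC case from Maciek's post is covered as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VcseInterface:
    name: str                                  # e.g. "LAN1", "LAN2"
    address: str                               # private address with prefix, e.g. "10.20.0.5/24"
    static_nat_address: Optional[str] = None   # public address, only on the Internet-facing NIC


@dataclass
class VcsePlan:
    interfaces: List[VcseInterface]
    traversal_client_peer: str                 # address the VCS-C traversal client zone points at


def check_plan(plan: VcsePlan) -> List[str]:
    """Return the rule violations found in the plan (empty list = plan is fine)."""
    problems = []
    nets = [ipaddress.ip_interface(i.address).network for i in plan.interfaces]
    # Rule: each VCS-E NIC must sit in its own, non-overlapping subnet.
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                problems.append(f"{plan.interfaces[a].name} and {plan.interfaces[b].name} "
                                f"overlap ({nets[a]} / {nets[b]})")
    # Rule: exactly one interface carries the single static NAT address.
    natted = [i for i in plan.interfaces if i.static_nat_address]
    if len(natted) != 1:
        problems.append("exactly one interface must carry the static NAT address")
    peer = ipaddress.ip_address(plan.traversal_client_peer)
    # Rule: the VCS-C must not peer with the private address of the NATted
    # interface, because its signalling is rewritten to the NAT address.
    for i in natted:
        if ipaddress.ip_interface(i.address).ip == peer:
            problems.append(f"traversal client zone points at the private address of "
                            f"{i.name}, which has static NAT enabled")
    # Rule (dual NIC): the VCS-C peers with the non-NATted interface address.
    internal = [i for i in plan.interfaces if not i.static_nat_address]
    if len(plan.interfaces) == 2 and internal and \
            ipaddress.ip_interface(internal[0].address).ip != peer:
        problems.append(f"with dual NICs the VCS-C should peer with the "
                        f"{internal[0].name} address, not {plan.traversal_client_peer}")
    return problems
```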
01-25-2012 11:24 PM
Hi Andreas,
most of our customers are not allowed to install any device directly in the Internet subnet because of their security policies. That's why they set up a DMZ. Additionally, the VCS-E would be open for management access via the public Internet in this scenario. I like Martin's idea of being able to exclude the NAT IP in the traversal zone to the VCS-C.
The foreign networks are connected to a separate firewall subnet and are not connected to the public Internet. This often happens at customers who own private interconnection networks to other partners, for example financial institutions or public departments. Either they are using overlapping private IP addresses or public IPs, but without connecting them to the public Internet. For those scenarios we have to use static NATs to give access to servers within the DMZ. That's why I'm asking about the need to set up multiple NAT addresses on the VCS-E.
Also helpful would be the possibility to use the LAN3 and LAN4 interfaces on the VCS-E and being able to put them into the same subnet.
thanks
Tino