VCS Control and VCS Expressway design

e.lopessilva
Level 1

I have an implementation with 2 VCS Control and 1 VCS Expressway, software version X6. The end customer has a Fortinet Internet firewall working in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory to put the Expressway in front of the firewall with a valid Internet IP address on it? Is it possible to put the Expressway behind the firewall and configure a NAT for it? Does it make sense to have the VCS Control and VCS Expressway in the same IP subnet without NAT between them?

Thanks in advance.

Everaldo

71 Replies

Hi Andreas,

Thanks for your quick and thorough explanation!

This is very helpful.

But I am wondering about one more thing - aren't modern firewalls capable of changing the IP addresses in the payloads of SIP/H323 messages?

Maciek

Hi Maciek,

Although many firewalls have SIP and H323 ALG capabilities which might work well for voice applications, my experience is that application-aware firewalls are usually not able to perform the required modifications for H323 and SIP traffic involving complex video with functions such as encryption, H.239 and similar. Many firewalls support only older versions of H323, for example, and will therefore have problems when trying to inspect and modify H323 and SIP traffic generated by modern endpoints.

Also, the same firewalls would not be able to inspect/modify the contents of TLS-based SIP traffic since this is encrypted (And therefore should be the signalling type which you would want to use).

Because of the above reasons, the dual network interface option key is required in order to be eligible for support for VCS-E deployments in a NAT/DMZ environment.

Regards

Andreas

Hi Andreas,

Thanks for the comment.

One last question - why can't you point the VCS Control to the private IP address of Expressway?

It is NATted anyway.

Kind regards

Maciek

Maciek,

You shouldn't point the VCS Control towards the actual (private) IP address of the VCS-E interface which has static NAT enabled on it, since all SIP and H323 traffic sent out of this interface on the VCS-E will have the relevant SIP and H323 payloads rewritten to make it appear as if this interface actually has the static NAT address. This causes a mismatch between the client and server end of the traversal zone, which will induce problems when attempting to set up calls across this zone.

Regards

Andreas
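
Added example, not part of the original thread: a small diagnostic that shows the mismatch Andreas describes. A VCS-E interface with static NAT enabled rewrites the Via, Contact and SDP c= addresses to the public NAT address, so a traversal client that connected to the interface's private address receives signalling that points somewhere else. The INVITE below is constructed for illustration; 192.168.1.20 (private interface) and 203.0.113.10 (static NAT address) are assumptions and not addresses from the thread.

```python
"""Check whether the addresses a SIP message advertises match the address
the peer actually connected to (the static-NAT payload rewrite mismatch)."""
import ipaddress
import re

# Constructed sample: an INVITE as it would leave a NAT-enabled VCS-E interface.
# 192.168.1.20 (private LAN address) and 203.0.113.10 (static NAT address) are
# assumptions for illustration only.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:alice@example.com SIP/2.0",
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK776asdhds",
    "Contact: <sip:vcse@203.0.113.10:5061;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 12345 12345 IN IP4 203.0.113.10",
    "c=IN IP4 203.0.113.10",
    "m=audio 50000 RTP/AVP 0",
    "",
])

# Where SIP/SDP carry an address the peer is expected to use for the return path.
_VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.I | re.M)
_CONTACT = re.compile(r"^Contact:.*?@([^:;>\s]+)", re.I | re.M)
_SDP_C = re.compile(r"^c=IN IP4 (\S+)", re.M)


def advertised_addresses(msg: str) -> dict:
    """Return the addresses the message tells the peer to use, keyed by field."""
    found = {}
    for name, pat in (("via", _VIA), ("contact", _CONTACT), ("sdp_c", _SDP_C)):
        m = pat.search(msg)
        if m:
            found[name] = m.group(1)
    return found


def nat_mismatch(msg: str, peer_ip: str) -> list:
    """List (field, address) pairs whose address differs from the address the
    peer actually connected to. Any entry means the traversal zone is pointed
    at the wrong side of the static NAT, which is the setup that produces
    failed calls or one-way media."""
    peer = ipaddress.ip_address(peer_ip)
    out = []
    for field, addr in advertised_addresses(msg).items():
        try:
            if ipaddress.ip_address(addr) != peer:
                out.append((field, addr))
        except ValueError:
            # A hostname rather than a literal: flag it so it is resolved and checked by hand.
            out.append((field, addr))
    return out


if __name__ == "__main__":
    # Traversal client connected to the private interface address: every field mismatches.
    print(nat_mismatch(SAMPLE_INVITE, "192.168.1.20"))
    # Traversal client connected to the public NAT address: consistent.
    print(nat_mismatch(SAMPLE_INVITE, "203.0.113.10"))
```

Run it against a signalling capture from the VCS-C side of the traversal zone: any mismatch reported is the symptom behind the failed or one-way calls discussed in this thread.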

Hi Andreas,

Since I don't have the Dual Network Interface license yet, I have configured the VCS Control to point to the private IP address of Expressway 192.168.x.x.

And surprisingly, calls to external aliases work.

However they do not work to external IP addresses (the Indirect / Direct calls to unknown ip addresses settings are correct).

Any ideas why calls to aliases work and to IP addresses don't?

Kind Regards

Maciek

Maciek,

The reason for the 'Dual network interfaces' option being a requirement in scenarios with the VCS-E located behind a NAT / in a private DMZ is exactly this: some call scenarios (in fact, most scenarios) will not work properly unless the VCS-E rewrites certain parts of the H323 and SIP payloads.

When this is not done, you will see calls failing to connect properly or one-way media, depending on the call scenario and direction of the call.

I can't tell you straight up why your particular scenario does not work, but in any case it does not really matter, since the only supported deployment for a VCS-E behind NAT and/or in a private DMZ requires the use of the Dual NIC option.

Best regards

Andreas

Andreas,

You mean in order to be able to open a TAC case and receive support you need to have this option, right?

Kind regards

Maciek

Yes that is correct.

- Andreas

Thanks Andreas for your time. Your help is highly appreciated.

Hi Andreas!

Regarding NAT and pointing to the external ip.

I have not had a customer case with the VCS, but I have seen various NAT and DMZ installations where it was not possible to connect from the inside to the external NAT address. So your suggested method of pointing to the external IP might not work.

I have seen it on a Cisco NAT as well, and I have also seen a DNS workaround there which automatically translated the NAT IP to the internal one instead of the external one for internal lookups, but this would also just point to the internal IP, ...

Sure, the easiest workaround would be to use the second interface just for the internal traversal zone and the "NATed" interface for the external communication (though I guess I assume correctly that both IPs shall not be in the same L3 network).

But I would still like the idea that the VCS-C and -E would be able to handle a traversal zone pointing to the internal IP of the "NATed" interface.

Martin


Hi Martin,

I fully agree with you: routing the external IP from an internal subnet to the DMZ would be very tricky. There should be the possibility to set the external NAT IP based on source IPs instead of tying it to a dedicated NIC. Some customers do have several static 1:1 NATs from/to foreign networks, and I believe the only way to solve this today is to set up a dedicated VCS-E per foreign network.

Additionally, I'm wondering if there is no "simple solution" for the most common scenario:

3 Network segments: Internal (private IPs), DMZ (private IPs), Internet (public IPs with Portforwarding/1:1-NAT to DMZ).

Because of the restriction that you're not allowed to put both VCS-E NICs into the same subnet (in our case the DMZ), and the fact that the NAT IP would also be used towards the VCS-C on the internal LAN, I do not see a working solution for this very common case.

Any ideas from Cisco on that?

cheers

Tino

Tino,

from what I understand, the scenario which you are describing resembles a 3-port firewall. If this is the case, why are you not able to allow the VCS-C to communicate with the public NAT address of the VCS-E? This should be possible with the use of NAT reflection.

It would be helpful if you could describe in more detail why this scenario poses a challenge in your environment.

Thanks,

Andreas

Hi Andreas,

Let's say I've got the following common scenario:

Usually, direct traffic between Firewall1 and Firewall2 is not allowed, as Martin mentioned before.

Questions:

  • How can I handle traffic between VCS-C and VCS-E without routing via Firewall Internet?
  • How can I handle several Static NATs from Outside to one VCS-E?

Thanks

Tino

Tino,

For this design, it would make sense to connect LAN1 of the VCS-E to the DMZ firewall subnet and LAN2 of the VCS-E to the Internet firewall subnet, with static NAT enabled for the LAN2 interface of the VCS-E. LAN1 and LAN2 need to be in separate, non-overlapping subnets. With this deployment, the VCS-E would not route any network packets, and the only data which would be proxied between LAN1 and LAN2 would be the payload data of RTP media packets and H323/SIP signaling.

This way, the VCS-C will be set up with a traversal client zone towards the LAN1 address of the VCS-E, while external endpoints can register to the public NAT address of the VCS-E.

Why would you need multiple public static NAT addresses for the VCS-E? As long as the public NAT address is publicly routable and accessible for devices connecting via the Internet, you shouldn't need to assign multiple static NAT addresses for the VCS-E (The VCS-E is in any case limited to a single public NAT address).

Regards

Andreas
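
Added example, not part of the original thread: a design check for the dual-NIC layout Andreas lays out above (LAN1 on the DMZ firewall subnet as the traversal zone target, LAN2 on the Internet firewall subnet with the static NAT address, the two in non-overlapping subnets) that also accepts the single-NIC variant where the VCS-C reaches the public NAT address via NAT reflection. All addresses in it are constructed for illustration, not taken from the thread.

```python
"""Sanity-check a VCS-E interface/NAT plan against the layout described in the
thread: LAN1 and LAN2 in separate subnets, static NAT on LAN2 only, and the
VCS-C traversal client zone pointed at LAN1 (or at the public NAT address when
NAT reflection is used), never at the private address of the NAT-enabled NIC."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges; a static NAT address inside these is not publicly routable.
# (Tino's private-interconnect case, where the NAT address is deliberately
# non-public, is outside what this check models.)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DualNicPlan:
    lan1: str              # VCS-E LAN1, e.g. "10.10.20.5/24" (DMZ firewall subnet)
    lan2: str              # VCS-E LAN2, e.g. "172.16.30.5/24" (Internet firewall subnet)
    nat_address: str       # static NAT address configured for LAN2
    traversal_target: str  # address the VCS-C traversal client zone points at


def check_plan(plan: DualNicPlan) -> list:
    """Return a list of findings; an empty list means the plan matches the
    supported layout."""
    lan1 = ipaddress.ip_interface(plan.lan1)
    lan2 = ipaddress.ip_interface(plan.lan2)
    nat = ipaddress.ip_address(plan.nat_address)
    target = ipaddress.ip_address(plan.traversal_target)
    findings = []
    if lan1.network.overlaps(lan2.network):
        findings.append("LAN1 and LAN2 must be in separate, non-overlapping subnets")
    if any(nat in n for n in _RFC1918):
        findings.append("static NAT address is an RFC 1918 address, not publicly routable")
    if target == lan2.ip:
        findings.append("traversal zone points at the private address of the NAT-enabled "
                        "interface; SIP/H323 payloads from it will carry the NAT address")
    elif target not in (lan1.ip, nat):
        findings.append("traversal zone points at neither LAN1 nor the public NAT address")
    return findings


# Constructed plans; every address is an assumption for illustration.
GOOD_PLAN = DualNicPlan("10.10.20.5/24", "172.16.30.5/24", "203.0.113.10", "10.10.20.5")
BAD_PLAN = DualNicPlan("10.10.20.5/24", "10.10.20.6/24", "203.0.113.10", "10.10.20.6")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "ok")
```

BAD_PLAN reproduces the two mistakes the thread warns about in one plan: both NICs in the same subnet, and the VCS-C pointed at the private address of the NAT-enabled interface.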

Hi Andreas,

Most of our customers are not allowed to install any device directly in the Internet subnet because of their security policies. That's why they set up a DMZ. Additionally, the VCS-E would be open for management access via the public Internet in this scenario. I like Martin's idea of being able to exclude the NAT IP in the traversal zone to the VCS-C.

The foreign networks are connected to a separate firewall subnet and are not connected to the public Internet. This often happens at customers who own private interconnection networks to other partners, for example financial institutions or public departments. Either they are using overlapping private IP addresses or public IPs, but without connecting them to the public Internet. For those scenarios we have to use static NATs to give access to servers within the DMZ. That's why I'm asking about the need to set up multiple NAT addresses on the VCS-E.

Also helpful would be the possibility to use the LAN3 and LAN4 interfaces on the VCS-E and to be able to put them into the same subnet.

thanks

Tino
