cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
56448
Views
51
Helpful
71
Replies

VCS Control and VCS Expressway design

e.lopessilva
Level 1
Level 1

I have an implementation where I have 2 VCS Control and 1 VCS Expressway software version X6. The end costumer has a Internet firewall Fortinet woroking in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory put the Expressway in front of the firewall with a Internet valid IP address on it? Is it possible put the Expressway behind of the firewall and configure a NAT for it? Make sense having VCS control and VC expressway in the IP subnet without NAT between them?

Thanks in advance.

Everaldo

71 Replies 71

You can log in as root via SSH and use ping, traceroute and nslookup from there.

If Google DNS is not working for you, you most likely have a firewall issue.

Andreas

Sent from Cisco Technical Support iPhone App

I switched back to the google DNS and nothing the I did a reset after the reset now it is working.

Thanks for the support...

Do you know if there is a guide to deploy the ISDN blade for the MSE8000?

Sent from Cisco Technical Support iPhone App

Alejandro,

I'm pleased to hear it's working now.

As with all Cisco Telepresence products, support documents can be found at www.cisco.com/support.

For Cisco (Codian) ISDN Gateway products,

http://www.cisco.com/en/US/partner/products/ps11448/tsd_products_support_series_home.html would be the right section to look in.

Regards

Andreas

For your info, the new VCS Basic configuration guide for VCS Control and Expressway has now been released for X7.1.

This new document contains a new appendix (Appendix 4) covering Dual NIC and Static NAT deployments in detail.

The new guide can downloaded here.

Comments and feedback for the document in general and the appendix in particular is appreciated, so feel free to PM me with this if possible.

Regards

Andreas

Andreas,

The documents that you refer to are not complete enough.  The NAT discussion is non existant and that is key to any installation.  The NAT section points to the port usage guide which does not discuss NAT at all.  This document should be similar to the integration guides that Cisco publishes for PBX integration with CUCM.  These guides go through all the details of each of the devices involved.  In the case of VCS that would mean covering an example firewall and endpoints.

My .02

Mike

Hello Andreas,

I have been following this thread and all the documents you have on the cisco website very carefully, but I cannot find the answer to this concern of mine:

The customer opted for not utilizing the Dual Network license for the VCS-E and the initial problem was routing from their internal network to the public DMZ segment with public IP addresses, where the VCS-E sits with its LAN 1 interface configured with a public IP address.

Now they are willing to solve this issue, so that they install a host route only for the VCS-E public IP address.

Consequently the Traversal Client zone on the VCS-C will be configured with the VCS-E LAN 1 interface public IP address.

Now, my question is the following:

Traffic from VCS-C to VCS-E will be PAT/NATed, meaning the destination address will stay the same but the VCS-C source address will be PATed by the firewall.

VCS-C (VCS-C_S_IP, VCS-E_D_IP) -----------> FW (FW_DMZ_IP, VCS-E_D_IP)

Is this supported with the traversal setup between VCS-C and VCS-E ?

Will the traversal zone function as it is supposed so ?

I have read about this scenario when using the dual network interface setup, as to whether to add or not static routes, and it is explained that you do not need to, if the internal FW in that setup does NAT.

I know that my scenario is very similar to the one mentioned above, even the traversal setup is between the same pair of interfaces. Anyway I wanted to check if this should work as it is supposed so.

Thank you and best regards,

Mihail

Hi Mihail,

NAT/PAT of the VCS-C address for traffic sent from VCS-C to VCS-E is perfectly fine for a traversal zone and is very common. Make sure that the FW only does layer3/layer4 NAT/PAT (e.g only changes source IP/port), and that the FW does not mangle/ALG the H323 or SIP application data.

Regards

Andreas

Thank you Andreas for your swift and precise reply.

Excellent news.

Best regards,

Mihail

HI Andreas,

I need to deploy VCS expressway, we don’t have dual NIC license on expressway. I have doubt as to where to deploy Expressway behind the firewall (in local network) or in front of the firewall ( in public network).

If we deploy VCS ex behind the firewall then we need to enable Static NAT on LAN1 which is not recommended as i can see that on this discussion & if i directly put it on public network then we need give the access to this on firewall for the traversal link from VCS control.( which might have security issues.)

Kindly suggest me some solution.

Regards

Nikhil

msuszyn80
Level 1
Level 1

Hi,

I have another question

lan---vcs-c--fwA---NIC1-VCS-E--NIC2--FWB----Internet

Configuration guide talks about dns setup, but only  for single nic expressway flawour. Can someone advise, which interface to use for external DNS config for dual nic with static nat setup?

thanks

I have used NIC2 of the VCS-E for external DNS config.