12-01-2011 10:38 AM - edited 03-13-2019 07:38 PM
I have an implementation where I have 2 VCS Control and 1 VCS Expressway, software version X6. The end customer has an Internet firewall (Fortinet) working in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory to put the Expressway in front of the firewall with a valid Internet IP address on it? Is it possible to put the Expressway behind the firewall and configure a NAT for it? Does it make sense to have the VCS Control and VCS Expressway in the same IP subnet, without NAT between them?
Thanks in advance.
Everaldo
12-01-2011 12:14 PM
Everaldo,
You are not limited...you can do either.
Cesar Fiestas
12-01-2011 12:24 PM
Cesar,
Thank you for your answer. If I decide to put the Expressway behind the firewall with NAT, and in the same subnet as the VCS Control, would that be an acceptable design, since I don't have NAT between the Expressway and the VCS Control? Would the Expressway be useful for the solution?
Thanks,
Everaldo
12-01-2011 02:52 PM
Everaldo,
Example:

  10.10.10.2 (VCSC)    10.10.10.3 (VCSE) <--------------> 68.x.x.x (public, NATted to .3)

Just make sure you have the dual NIC option installed even though you will not need the second interface, and that the NATted IP address (in this case 68.x.x.x) is configured on the respective LAN interface, most likely the one where .3 is configured.
Enjoy
Cesar Fiestas
03-15-2012 05:50 AM
If I have the same requirements you are describing above, where my VCSC is in the same subnet as my VCSE:

  10.10.10.2 (VCSC)    10.10.10.3 (VCSE) <--------------> 68.x.x.x (public, NATted to .3)

Which model do I follow in the guide to set up the traversal? None of them talks about this scenario; the closest one would be the 3-port firewall. Anyway, I would like to make it work as you described above in this example.
On my VCSC I have pointed my Traversal peer to be 10.10.10.3 and it shows "ACTIVE"
On my VCSE I have my "IP" configuration setup as follows
LAN 1 IPv4 = 10.10.10.3
IPv4 Static nat = On
IPv4 Static nat address = 68.X.X.X
LAN2 = Not plugged in
I have it set up as follows, and when I make an outbound call from endpoint to external client <
When I reverse the process and make a call from Jabber to endpoint@example.com I get "user cannot be found", and I see no search history in my Expressway.
I suspect my issues are FW related and DNS SRV related.
What is the easiest way to test that the DNS SRV records are set up properly?
What is the easiest way to test the FW Static NAT rules are setup properly?
Thanks
03-15-2012 06:05 AM
Ryan,
with your scenario, you should configure the VCS-C's traversal client zone to speak with the public NAT IP, that is the only way the traversal zone will work properly.
You could optionally start using LAN2 (making sure that LAN1 and LAN2 are in different subnets) and then configure the traversal client zone on the VCS-C to communicate with the VCS-E LAN interface which is not in static NAT mode.
In this scenario, the SRV records for example.com should point to the DNS name of your public NAT IP 68.x.x.x (SRV records should ideally not point to an IP address, so I recommend creating a DNS A record which points to the NAT IP and then point the SRV records towards this A record.).
The easiest way to verify that static NAT is set up properly would simply be to check that incoming and outgoing calls are working on both H.323 and SIP.
You could optionally extend the testing to involve calls to external IP addresses, incoming/outgoing interworked calls and so forth.
Regards
Andreas
03-15-2012 07:53 PM
Andreas,
Can you help me understand your comment "you should configure the VCS-C's traversal client zone to speak with the public NAT IP, that is the only way the traversal zone will work properly"? On my VCS-C I now have it pointing to a peer address of 68.x.x.x, but when I do this the traversal client is unable to connect to the VCS-E. Is this what you meant? If I point my traversal zone to the public IP, is the firewall supposed to hairpin it back to the VCS-E?
So now my setup goes as follows:
On my VCSC I have pointed my Traversal peer to be 68.x.x.x and it shows "FAILED"
On my VCSE I have my "IP" configuration setup as follows
LAN 1 IPv4 = 10.10.10.3
IPv4 Static nat = On
IPv4 Static nat address = 68.X.X.X
LAN2 = Not plugged in
When I change the Peer back to 10.10.10.3 at least it goes to "ACTIVE"
Cheers
03-16-2012 01:34 AM
Hi Ryan,
yes, if your VCS-E is only using one LAN interface, and this LAN interface has static NAT enabled on it, all traversal clients (as well as endpoints registering to this VCS-E) will have to address this VCS-E through its static NAT address, in this case 68.x.x.x.
This means that your firewall has to hairpin traffic from the VCS-C to the VCS-E, as you have noted. This is also referred to as NAT reflection.
Please consult Appendix 4 of "http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf" for more details and an explanation of why it must be configured this way.
Regards
Andreas
03-16-2012 06:29 AM
Andreas,
Would you happen to know a URL or guide that shows how to configure "NAT reflection" on an ASA running 8.4? When I search for this term all I get is links to this post. Does it go by some other name in ASA features?
03-16-2012 07:22 AM
Ryan,
I believe the relevant ASA command in this case would be 'same-security-traffic permit intra-interface'.
More information about that command here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814
I would however strongly suggest that you consider utilizing both LAN interfaces of the VCS-E instead of just one, so that the VCS-C can communicate with the non-NATed LAN interface of the VCS-E, since hairpinning would force the video traffic through your firewall multiple times, as well as introduce asymmetric routing.
Regards
Andreas
03-16-2012 12:15 PM
OK, so if we decide to do it this way, how should my interfaces look? Would it be like this?
To do as you suggested, my new setup will look like this:

  10.10.10.2 (VCSC) ---> (VCSE: LAN1 = 10.10.10.3, LAN2 = 10.10.20.2) -------> (FW inside 10.10.20.1 <-> FW outside) = 68.x.x.x (public, NATted to 10.10.20.2)

LAN 1 IPv4 = 10.10.10.3
IPv4 Static nat = Off
Lan 2 IPv4 = 10.10.20.2
Static Nat On
IPv4 Static nat address = 68.X.X.X
VCSE GW = 10.10.20.1
So if I set it up exactly like above, I gather that I would peer with 10.10.10.3 and access the device from 10.10.10.3. Should my gateway for the VCSE be set to 10.10.20.1, or should it be set to the GW of the 10.10.10.x network?
Do I need to do any static routes on the VCSE box ?
Message was edited by: Ryan O'Connell, added picture easier to see
03-16-2012 01:51 PM
Ryan,
with that scenario, you would set the default GW to 10.10.20.1.
Whether or not you need to add static routes depends on if there is a router on the 10.10.10.x subnet which will be used to route traffic to subnets located behind this router (For example for reaching TMS, NTP, DNS and so forth), if that router is not performing NAT. If the router is performing NAT, static routes are usually not needed.
This is described in further detail in the appendix I mentioned earlier, and there is also an example scenario in there which you should be able to use as a guideline, with some adjustments.
- Andreas
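The two placements Andreas compares in this thread, a single-NIC VCS-E that the VCS-C must reach through its static NAT address (so the firewall has to hairpin), and a dual-NIC VCS-E where the VCS-C talks to the non-NATed LAN1 directly, written out as ASA 8.4 NAT configuration. This is an added example, not from the thread or from Cisco's deployment guide; 203.0.113.10 stands in for the thread's 68.x.x.x, and the interface names, security levels, network-object names and the port list are assumptions. Only the well-known signalling ports are shown; the media and traversal UDP ranges depend on the VCS-E release and belong in the rule set as well.

```cisco
! Added example: ASA 8.4 configuration for the two VCS-E placements discussed above.
! 203.0.113.10 replaces the thread's 68.x.x.x; "dmz", GigabitEthernet0/2 and the
! object names are assumptions, not taken from the thread.

!--- Variant A: single-NIC VCS-E (LAN1 10.10.10.3, "IPv4 static NAT = On") and the
!--- VCS-C traversal client zone pointed at 203.0.113.10. The VCS-C's packets reach the
!--- ASA via its default gateway and must be sent back out the same interface.
same-security-traffic permit intra-interface
object network VCSE_LAN1
 host 10.10.10.3
object network VCSE_PUBLIC
 host 203.0.113.10
object network INSIDE_NET
 subnet 10.10.10.0 255.255.255.0
! Normal static NAT for Internet <-> VCS-E
nat (inside,outside) source static VCSE_LAN1 VCSE_PUBLIC
! Hairpin (twice NAT): an inside host connecting to 203.0.113.10 is redirected to
! 10.10.10.3 AND its source is PATed behind the ASA's inside interface address, so the
! VCS-E's replies go back through the ASA rather than directly across the subnet.
! Without the source PAT the reply path is asymmetric and the session is dropped,
! which is the asymmetric-routing problem the post above warns about.
nat (inside,inside) source dynamic INSIDE_NET interface destination static VCSE_PUBLIC VCSE_LAN1

!--- Variant B: dual-NIC VCS-E (LAN1 10.10.10.3 with static NAT off, reached by the
!--- VCS-C directly; LAN2 10.10.20.2 with static NAT 203.0.113.10, default gateway
!--- 10.10.20.1 on the ASA). No hairpin rule and no intra-interface permit are needed;
!--- drop the Variant A lines above and keep only the following.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
object network VCSE_LAN2
 host 10.10.20.2
object network VCSE_PUBLIC_B
 host 203.0.113.10
nat (dmz,outside) source static VCSE_LAN2 VCSE_PUBLIC_B
! ASA 8.3+ ACLs match the real (untranslated) address of the VCS-E.
! SIP and H.323 signalling only; add the VCS-E media/traversal UDP ranges for your release.
access-list OUTSIDE_IN extended permit tcp any object VCSE_LAN2 eq 5060
access-list OUTSIDE_IN extended permit udp any object VCSE_LAN2 eq 5060
access-list OUTSIDE_IN extended permit tcp any object VCSE_LAN2 eq 5061
access-list OUTSIDE_IN extended permit udp any object VCSE_LAN2 eq 1719
access-list OUTSIDE_IN extended permit tcp any object VCSE_LAN2 eq 1720
access-group OUTSIDE_IN in interface outside
```

In Variant A every traversal-zone and media packet between the VCS-C and VCS-E crosses the ASA twice and the VCS-E sees the VCS-C sourced from the ASA's inside address, which is why the posts above prefer Variant B. In Variant B the VCS-E must have a default gateway of 10.10.20.1 (LAN2 side) and, if anything it needs on LAN1 sits behind a router on 10.10.10.x that does not NAT, a static route for those subnets, as described in the reply above.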
11-09-2014 10:49 PM
Hi Ryan / Andreas,
Have you found a solution to your issue? Currently I have the same issue with Expressway C & E while preparing a demo for a customer. The demo topology is similar to Ryan's: Exp C & Exp E are in the same subnet, and Exp E is NAT-ed to a public IP address.
When I pointed Exp C to the Exp E peer with the local IP, it shows ACTIVE. But when I pointed the peer to the public IP, it shows FAILED.
I have also read about NAT reflection in the firewall to make this work. But at the customer site, unfortunately we cannot directly see the firewall configuration / device type to check whether it supports that feature or not.
From Exp C, we can ping both the Exp E private IP address and the NAT-ed IP address. My question is, how could I know if the customer's 3rd party firewall supports the NAT reflection feature or not, besides the ping result?
Thank you.
Regards,
Yohanes Hartono
12-01-2011 12:21 PM
You need to use a public IP without NAT if you want to place the VCS Expressway behind a firewall.
Note: if the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address.
http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.shtml
HTH
12-02-2011 12:48 AM
Marwanshawi,
that is not entirely correct. The article you linked to states that the "outside IP address" of the VCS-E needs to be a publicly routable IP address, which is correct. In this case, "outside IP address" means the public static NAT IP address for the VCS-E on the firewall/router outside the VCS-E (For a scenario where the VCS-E is located in a DMZ behind a static NAT).
In order for the VCS-E to be located behind a static NAT, the VCS-E must have the Dual Network Interfaces option key, which unlocks both the second LAN interface of the VCS-E as well as unlocking the static NAT functionality which is built into the VCS-E.
Regards
Andreas