
VCS expressway deployed in a 3 port firewall configuration

Tarik Admani
VIP Alumni


I am deploying a setup per the following design referenced in this document:

Currently the customer doesn't want to purchase the license to enable a two-arm deployment, so we need to make this work. I have looked through the reference guides and dedicated a NAT translation on my firewall for the VCS-c and dedicated a NAT entry for the VCS-e. This is deployed on a Cisco ASA 8.6, and the issue really seems to be related to the concept of NAT reflection.

Currently the VCS-s is on the inside interface, the VCS-e is in the DMZ, and the devices that are attached to the outside interface can register to the VCS-e; however, the VCS-s is unable to connect to the VCS-e at the dedicated public IP address that is NATed to it.

I have read all the guides on how to turn up NAT reflection (i.e., same-security-traffic permit intra-interface). I have also turned off inspect for SIP and H.323, and I still cannot get the two-way communication leaving the firewall. I have captures configured on the inside, outside, and the DMZ, and the VCS-c is sending the traversal requests (TCP 7001 along with discovery packets on UDP 6001); however, I do not see this traffic leaving any of the firewall interfaces.

I know this issue is related to the firewall configuration, but I wanted to post here to see if anyone has run into this issue and if they have figured it out.


Tarik Admani
*Please rate helpful posts*       

1 Reply

Level 4

Have you established traversal zones between VCSC and VCSE? What is the status there? What ports did you use there, and are those ports open between the VCSC and VCSE firewall?

A simple diagram of your setup helps to get more replies.
