
VCS expressway deployed in a 3 port firewall configuration

Tarik Admani
VIP Alumni

Hi,

I am deploying a setup per the following design referenced in this document:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

Currently the customer doesn't want to purchase the license to enable a two-arm deployment, so we need to make this work. I have looked through the reference guides and dedicated a NAT translation on my firewall for the VCS-c and dedicated a NAT entry for the VCS-e. This is deployed on a Cisco ASA 8.6, and the issue really seems to be related to the concept of NAT reflection.

Currently the VCS-s is on the inside interface, the VCS-e is in the DMZ, and the devices that are attached to the outside interface can register to the VCS-e; however, the VCS-s is unable to connect to the VCS-e on the dedicated public IP address that is NATed to it.

I have read all the guides on how to turn up NAT reflection (i.e. same-security-traffic permit intra-interface), I have also turned off inspect for SIP and H.323, and I still cannot get the two-way communication leaving the firewall. I have captures configured on the inside, outside, and the DMZ, and the VCS-c is sending the traversal requests (TCP 7001 along with discovery packets on UDP 6001); however, I do not see this traffic leaving any of the firewall interfaces.

I know this issue is related to the firewall configuration, but I wanted to post here to see if anyone has run into this issue and if they have figured this out.

Thanks,

Tarik Admani
*Please rate helpful posts*       

1 Reply

ahmashar
Level 4

Have you established traversal zones between VCSC and VCSE? What is the status there? What ports did you use there, and are those ports open between VCSC and VCSE firewall?

A simple diagram of your setup helps to get more replies.