I am deploying a setup per the following design referenced in this document:
Currently the customer doesnt want to purchase the license to enable a two arm deployment so we need to make this work. I have looked through the reference guides and dedicated a NAT translation on my firewall for the VCS-c and dedicated a nat entry for the VCS-e. This is deployed on a Cisco ASA 8.6 and the issue really seems to be related to the concept of nat reflection.
Currently the VCS-s is on the inside interface, the VCS-e is in the dmz, and the devices that are attached to the outside interface can register to the VCS-e, however the VCS-s is unable to connect to the VCS-e to the dedicated public ip address that is natted to it.
I have read all the guides on how to turn up nat reflection (ie. same-security-traffic permit intra-interface), I have also turned off inspect for sip, h323, and I still can not get the two way communication leaving the firewall. I have captures configured on the inside, outside, and the dmz, and the VCS-c is sending the traversal requests (tcp 7001 along with discovery packets on udp 6001), however I do not see this traffic leaving any of the firewall interfaces.
I know this issue is related to the firewall configuration but I wanted to post here to see if anyone has ran into this issue and if they have figured this out.
Tarik Admani
*Please rate helpful posts*