05-26-2012 10:55 AM - edited 03-17-2019 11:13 PM
I have a new implementation where I have 1 VCS Control in the internal LAN and 1 VCS Expressway in the DMZ.
VCS Expressway has a public IP address/NAT.
Currently, we have a group of VC endpoints; each endpoint has a public IP/NAT to LAN, to allow the internet to make H.323 calls by dialing the endpoint's public IP directly.
My question is, after implementing VCS Expressway in the DMZ, how do I make the dial plan to allow outside to call each internal endpoint via VCS Expressway? Do I still need to give each endpoint a public IP/NAT?
Thanks much.
05-26-2012 11:21 PM
Hi Curtis,
For outside endpoints to call internal endpoints registered on Control, you do not require any NAT for the endpoints.
The call setup plus the media would flow via Expressway to Control and then to the endpoint. That's the whole point of a traversal setup in the organization.
Go through the below documentation for more details.
Check Appendix 4.
The only thing you need is proper search rules, and ports need to be opened on the firewall.
Please ensure you do not have packet inspection on the firewall.
Thanks
alok
05-26-2012 11:55 PM
Hi Alok,
Thank you very much. I don't use the dual network option. I read the document and it seems it didn't explain the actual call flow from outside to an internal endpoint.
For example, in the following case, if an outside endpoint wants to call Internal endpoint 1, which IP address should it dial?
Internal endpoint 1: 10.10.10.100
Internal endpoint 2: 10.10.10.101
VCS-C: 10.10.1.10
VCS-E: 10.11.1.10 (NAT Public IP: 69.10.10.100)
05-27-2012 01:58 AM
A much simpler, and in my opinion, more elegant and scalable solution would be to not use IP addresses for calling, but allocate and register your end-points with E.164 Aliases. That way all you need is the internal IP address.
So external end-points can, in this case, call your end-points by using Alias@domain or Alias@VCS-E_IP_address.
Internal end-points can call each other using alias only as long as you have the appropriate search rules in place, and so can external end-points you allow to register with your VCS-E for one reason or another.
If you have external Polycom end-points with older software version which does not support Annex O URI dialling, then it's very simple to include a pre-search transform on the VCS-E which will allow these end-points to call using proprietary "URI dialling"; VCS-E_IP_address##Alias - and if you have, on the odd occasion, an end-point which cannot use anything but IP addresses, then you can configure the fallback alias on the VCS-E to point to a specific end-point or to an auto-attendant on a MCU etc.
Using a dial-plan like the above will also allow you to use DHCP addresses, as the alias stays static, and that is what counts, much simpler addresses to give to people; i.e. 123456 is much easier to remember than 202.138.98.23 etc, not to mention IPv6 addresses, and, since you are registering your end-points with domain, then SIP clients will also be able to connect quite easily.
/jens
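The dial plan described in the post above, modelled as an added example that is not part of the original post and is not VCS configuration syntax: ordered pre-search transforms rewrite each accepted dial string to Alias@domain, an IP-only call to the VCS-E goes to the fallback alias, and anything else is refused. The domain `example.com` and the fallback alias are assumptions; the public address is the VCS-E NAT address quoted in the thread.

```python
import re
from typing import Optional

# Assumed values for illustration only (domain and fallback alias are hypothetical).
VCSE_PUBLIC_IP = "69.10.10.100"           # VCS-E NAT address quoted in the thread
DOMAIN = "example.com"                    # hypothetical registration domain
FALLBACK_ALIAS = "reception@example.com"  # hypothetical auto-attendant alias

_IP = re.escape(VCSE_PUBLIC_IP)
_DOM = re.escape(DOMAIN)

# Ordered pre-search transforms as (pattern, replacement); the first match wins.
TRANSFORMS = [
    # Proprietary "IP##Alias" dialling from older end-points -> Alias@domain
    (re.compile(rf"^{_IP}##(\d+)$"), rf"\1@{DOMAIN}"),
    # Alias@VCS-E_IP_address -> Alias@domain
    (re.compile(rf"^([^@\s]+)@{_IP}$"), rf"\1@{DOMAIN}"),
    # Bare E.164 alias -> Alias@domain
    (re.compile(r"^(\d+)$"), rf"\1@{DOMAIN}"),
]
# Only URIs in our own domain are searched for after the transforms.
OWN_DOMAIN_URI = re.compile(rf"^[^@\s]+@{_DOM}$")


def normalize(dialed: str) -> Optional[str]:
    """Return the alias to search for, or None if the call is refused."""
    dialed = dialed.strip()
    # An end-point that can only dial the VCS-E IP lands on the fallback alias.
    if dialed == VCSE_PUBLIC_IP:
        return FALLBACK_ALIAS
    for pattern, replacement in TRANSFORMS:
        if pattern.match(dialed):
            return pattern.sub(replacement, dialed)
    if OWN_DOMAIN_URI.match(dialed):
        return dialed
    # Internal IPs and foreign domains match no rule, so nothing behind the
    # VCS-E is reachable by address from outside.
    return None


if __name__ == "__main__":
    for s in ["69.10.10.100##123456", "123456@69.10.10.100", "123456",
              "69.10.10.100", "10.10.10.100", "123456@other.invalid"]:
        print(f"{s!r:28} -> {normalize(s)!r}")
```
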
05-27-2012 02:12 AM
Hello Curtis,
The VCS documentation is a good source. You will also find plenty of information under:
http://www.cisco.com/en/US/products/ps11337/tsd_products_support_series_home.html
In your case it's more "how do I design a number/address plan".
One intention of using a VCS is to be able to use URIs (email-like addresses) instead of using
IPs to dial and with the VCS-E the capability to have endpoints behind a generic NAT without
a specific port forward to the inside.
So for your case it should be more
which can then be reached from the outside if you add the proper (srv) domain records.
If it's a fixed requirement that you need to dial IP addresses, you could also add a Cisco IPGW
http://www.cisco.com/en/US/products/ps11343/index.html
Which could for example be set up to be reached by dialing the external VCS-E ip address
It would get you a menu where you could either configure your endpoints or have a field where you can dial
the wanted internal IP.
This being said, the local VCS-E IP has anyhow not to be NATed (like you do) unless you have the
dual interface option key. Even if you only use one interface, if you use NAT it's a requirement.
I would recommend you get some help to review your network and give you some advice!
Curtis: please rate the messages using the stars below!
Please remember to rate helpful responses and identify
05-27-2012 02:45 AM
Hi Curtis,
Two things I want to say; however, it's already been put by Martin also.
One thing is, when you say calling to internal endpoints registered on VCS Control, it would be in the form of a URI, e.g.
alok.jaiswal@cisco.com or may be 12345@cisco.com.
or alok.jaiswal@
When the outside endpoint calls the internal endpoint, the call will hit your Expressway and then Control and finally the endpoint. In this case the media also travels in the same fashion, as that's the basic idea behind a traversal setup, so that you don't expose your whole internal network.
For a NAT on vcs-expressway you need the dual nic option key, and it will enable static nat configuration on expressway, without this key the media flow will not work.
Thanks
Alok
05-28-2012 11:04 AM
Thanks all for the great help, now I understand how that works.
Much appreciated.
05-29-2012 04:42 AM
Thank you for rating and setting the thread to answered. +5 for you!
Good success!