VCS Expressway Starter Pack Firewall Settings

twiesboeck
Level 1

Hi Community,

I have installed a VCS Starter Pack.

I had already installed some VCS-C/VCS-E installations and they are working fine.

So now this is the first VCS-E Starter Pack installation.

It is located in the DMZ where it has a public IP address.

The DNS entries are working.

In my LAN I have two endpoints registered over SIP to the VCS-E in the DMZ.

But it is not possible to call from one endpoint to the other, or to call someone located in the internet.

I have opened the firewall ports from the VCS-E Starter Pack DEPLOYMENT GUIDE:

Firewall ports

If the Cisco VCS is placed in a DMZ, to enable SIP calls to be received the following IP ports must be open to the Cisco VCS through the firewall:

5060 (if basic SIP connection is required)

5061 (for SIP over TLS)

50000 to 52399 (for media)

If the Cisco VCS Expressway Starter Pack services Movi users that are behind a firewall, the Cisco VCS must have a public IP address – the local (DMZ) firewall must pass the specific public IP address traffic to the Cisco VCS.

I don't have the Dual Network Interface option.

So do I need to open some more ports on the firewall, or do I really need the dual network interface for this???

Best Regards

Thomas

6 Replies

Tomonori Taniguchi
Cisco Employee

Does the VCS in the DMZ use a different IP address than the public IP address that is also mapped in the DNS host registration?

Unless the firewall is configured as pass-through and the same IP address is used in the DMZ (and the public network), yes, you will need the dual network interface option.

The dual network interface option enables 1) a 2nd network interface on the VCS, and 2) the NAT feature on both the 1st and 2nd network interfaces on the VCS.

The VCS will add the public IP address information in the SIP negotiation if NAT has been configured; otherwise the VCS only includes its own IP address, which may not be reachable from the far-end endpoint/SIP UA.

Other possibility, if this is not a NAT-related issue…

Does the VCS have all default links (DefaultSubZone-DefaultZone, DefaultSubZone-TraversalSubZone, TraversalSubZone-DefaultZone, and DefaultSubZone-ClusterSubZone)?

If any of the above default links are missing, executing the “xcommand DefaultLinksAdd” command from an SSH/telnet/console session will add them back.

To diagnose this issue further we would need to collect a diagnostic log from your VCS Expressway Starter Pack (“debug” level logging on the network log from the diagnostic logging page under Maintenance).

Regarding the port setting, the VCS uses 1024-65535 as outbound ports for DNS lookups (from the X7.2 release you may modify the range that the VCS will use for DNS lookup).

Hi, shouldn't the TURN ports also be allowed to pass the firewall?

BR Paul

Sent from Cisco Technical Support iPad App

Regards, Paul

Hi,

Thanks for the info,

My VCS-E has only one public IP address.

There is no NAT from WAN to the DMZ interface.

There is NAT from DMZ to the LAN interface, because in the LAN I'm using private IP addresses.

So my question is: do I now need the dual network interface option?

From DMZ to WAN all ports > 1024 in and out are opened to the public IP address of the VCS-E.

The deployment guide says no if the VCS-E has a public IP address!!!!

The VCS-E is reachable over this public IP address from LAN and WAN.

Also the DNS entries are correct, checked with the VCS DNS tool.

My setup below:

------- LAN --------------          ------- NAT over firewall to DMZ -----          --------- WAN ---------
EX40 or C40                         VCSE Starter Pack                                WAN external clients
Using private IP addresses          Public IP address from WAN                       Public IP address range
NAT to WAN !!!                      No NAT to WAN interface !!!!

Best Regards

Thomas

Tomonori Taniguchi
Cisco Employee

> So my question is do i now nedd the dual network interface option?

Based on your explanation about your deployment scenario, no, you don't need the dual interface option to configure the NAT on VCS Expressway Starter Pack.

The VCS currently uses “media latching” for SIP NAT traversal.

=========================================================

How does latching work?

1) The VCS determines that the destination is NAT’d:

- The Contact address differs from the source IP address (for your deployment, the C40 in the local network registered on the VCS with the NAT address via the firewall).

- For requests, the sent-by address in the Via header differs from the address the request was received from.

2) Media (RTP & RTCP) is sent to the remote end after a media packet is received (this opens up the NAT binding).

3) Media is sent to the network address from which the media packet was received.

=========================================================

So if the firewall doesn't allow the VCS to send media (and the ACK for the INVITE) back to the port that the endpoint transmits to the VCS from, then the call may fail.

Again, to diagnose this issue further we would need to collect a diagnostic log from your VCS Expressway Starter Pack (“debug” level logging on the network log from the diagnostic logging page under Maintenance).
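The two stages described in the reply above (deciding from the SIP headers that a registered endpoint sits behind NAT, then latching media to wherever its first RTP packet really comes from) can be modelled in a few lines. The following Python script is an added illustration, not Cisco VCS code and not part of the thread; the REGISTER message, the host names and the addresses (RFC 1918 for the LAN, RFC 5737 documentation ranges standing in for the firewall's NAT address) are constructed, and the header parsing is deliberately minimal.

```python
"""Model of SIP NAT detection plus media latching, as an added illustration.
Not Cisco VCS code; all addresses, ports and messages below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Via sent-by host/port and Contact host/port (IPv4 only, enough here)
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?")
CONTACT_RE = re.compile(r"sip:(?:[^@>]+@)?([\d.]+)(?::(\d+))?")


@dataclass
class SipRequest:
    source_ip: str               # layer-3 source the VCS saw the packet from
    source_port: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str, source_ip: str, source_port: int) -> SipRequest:
    """Parse the header block of a SIP request (start line, then Name: value)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break                # blank line ends the headers; body not needed
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipRequest(source_ip, source_port, headers)


def nat_indicators(req: SipRequest) -> List[str]:
    """Step 1 of latching: the sender is treated as NAT'd when the Contact host
    or the Via sent-by address differs from where the request really came from."""
    reasons = []
    m = CONTACT_RE.search(req.headers.get("contact", ""))
    if m and m.group(1) != req.source_ip:
        reasons.append(f"Contact host {m.group(1)} != source {req.source_ip}")
    m = VIA_RE.search(req.headers.get("via", ""))
    if m and m.group(1) != req.source_ip:
        reasons.append(f"Via sent-by {m.group(1)} != source {req.source_ip}")
    return reasons


class MediaLatcher:
    """Steps 2 and 3: for a NAT'd peer, ignore the SDP address, wait for its
    first RTP/RTCP packet (which opens the NAT binding on the firewall) and
    then send all media back to that packet's source address and port."""

    def __init__(self, sdp_ip: str, sdp_port: int, natted: bool):
        self.sdp_addr = (sdp_ip, sdp_port)   # what the SDP c=/m= lines claimed
        self.natted = natted
        self.latched: Optional[Tuple[str, int]] = None

    def on_media_received(self, src_ip: str, src_port: int) -> None:
        if self.natted:
            self.latched = (src_ip, src_port)

    def media_destination(self) -> Optional[Tuple[str, int]]:
        """SDP address for a non-NAT'd peer, the latched address for a NAT'd
        peer, or None while still waiting for the first inbound packet."""
        if not self.natted:
            return self.sdp_addr
        return self.latched


# Constructed REGISTER from a C40 on 192.168.1.20 that reaches the VCS via
# the firewall's NAT address 203.0.113.10 (documentation range, not a real host).
REGISTER_VIA_NAT = """REGISTER sip:vcse.example.test SIP/2.0
Via: SIP/2.0/TLS 192.168.1.20:5061;branch=z9hG4bK0001
Contact: <sip:c40@192.168.1.20:5061;transport=tls>
To: <sip:c40@vcse.example.test>
"""


def demo() -> Tuple[List[str], Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    req = parse_request(REGISTER_VIA_NAT, "203.0.113.10", 41000)
    reasons = nat_indicators(req)                 # two mismatches -> NAT'd
    latcher = MediaLatcher("192.168.1.20", 2326, natted=bool(reasons))
    before = latcher.media_destination()          # None: nothing to send to yet
    latcher.on_media_received("203.0.113.10", 50012)
    after = latcher.media_destination()           # ('203.0.113.10', 50012)
    return reasons, before, after


if __name__ == "__main__":
    print(demo())
```

The point for the firewall is the value returned after latching: the VCS-E in the DMZ will send RTP back to the address and port the endpoint's first packet came from, so the DMZ-to-LAN direction must permit that return traffic, not only LAN-to-DMZ.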

Hi,

Thanks for the infos,

The issue was that the internal endpoints are only registered over SIP, and the firewall was only configured to allow the SIP ports from LAN to DMZ, but not in the other direction. Since opening the ports also in the other direction, the internal calls from one endpoint to the other are working fine.

The deployment guide only mentions opening the firewall ports to the VCS, which is located in the DMZ. Now all ports are also opened from DMZ to the LAN where the endpoints are connected:

5060 (if basic SIP connection is required)

5061 (for SIP over TLS)

50000 to 52399 (for media)

All endpoints are registered over SIP TLS on the VCS-E.

The actual status now is that one endpoint can call the other one when located in the customer network.

Externally connected devices on the VCS-E over the internet can call each other. So it is working fine on the internal network and on the internet to call each other with voice & video.

It is possible to call from an external to an internal client and also in the other direction.

But only the call setup over port 5061 is working. No video or audio stream is established between the endpoints.

H.323 & SIP inspection is disabled on the firewall.

No blocking of UDP ports can be seen on the firewall.

I'll collect traces on the VCS-E today.

Best Regards

Thomas
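The fix Thomas describes (the same SIP and media ports opened from the DMZ back to the LAN, not only from the LAN to the DMZ) can be written down as a rule-set check, which is a quick way to catch this before a deployment. The script below is an added Python example, not code from the thread or from Cisco: the zone names, the rule record format and both rule sets are constructed, and the TCP/UDP assignment of the listed ports (5061 TLS on TCP, media on UDP, 5060 on both) is the usual SIP one rather than something the quoted guide extract states.

```python
"""Audit a constructed firewall rule set against the VCS-E Starter Pack port
list quoted in this thread, in both directions between the LAN endpoints and
the VCS-E in the DMZ. Added illustration, not Cisco code."""
from typing import Dict, List, Tuple

# A required flow: (from_zone, to_zone, protocol, first_port, last_port)
Flow = Tuple[str, str, str, int, int]

# Ports from the deployment guide extract; protocol mapping is the usual SIP one.
GUIDE_PORTS = [
    ("tcp", 5060, 5060), ("udp", 5060, 5060),   # basic SIP
    ("tcp", 5061, 5061),                        # SIP over TLS
    ("udp", 50000, 52399),                      # media (RTP/RTCP)
]


def required_flows(endpoint_zone: str, vcs_zone: str) -> List[Flow]:
    """Every port is needed in BOTH directions: the VCS-E must be able to send
    signalling (e.g. the ACK) and media back to the endpoints, which is the
    direction this thread found missing."""
    flows: List[Flow] = []
    for proto, lo, hi in GUIDE_PORTS:
        flows.append((endpoint_zone, vcs_zone, proto, lo, hi))
        flows.append((vcs_zone, endpoint_zone, proto, lo, hi))
    return flows


def covered(flow: Flow, rules: List[Dict]) -> bool:
    """A flow is covered when one 'allow' rule for the same zones and protocol
    (or 'any' protocol) spans the whole port range."""
    src, dst, proto, lo, hi = flow
    for r in rules:
        if (r["action"] == "allow" and r["src"] == src and r["dst"] == dst
                and r["proto"] in (proto, "any")
                and r["port_lo"] <= lo and r["port_hi"] >= hi):
            return True
    return False


def missing_flows(rules: List[Dict], endpoint_zone: str = "lan",
                  vcs_zone: str = "dmz") -> List[Flow]:
    return [f for f in required_flows(endpoint_zone, vcs_zone)
            if not covered(f, rules)]


def report(rules: List[Dict]) -> List[str]:
    """Human-readable lines for each gap, e.g. 'dmz -> lan udp 50000-52399'."""
    return [f"{src} -> {dst} {proto} {lo}-{hi}" if lo != hi
            else f"{src} -> {dst} {proto} {lo}"
            for src, dst, proto, lo, hi in missing_flows(rules)]


# Constructed rule set mirroring the original firewall: only LAN -> DMZ opened.
BEFORE = [
    {"action": "allow", "src": "lan", "dst": "dmz", "proto": "any",
     "port_lo": 5060, "port_hi": 5061},
    {"action": "allow", "src": "lan", "dst": "dmz", "proto": "udp",
     "port_lo": 50000, "port_hi": 52399},
]

# After the fix: the same ports also allowed from the DMZ back to the LAN.
AFTER = BEFORE + [
    {"action": "allow", "src": "dmz", "dst": "lan", "proto": "any",
     "port_lo": 5060, "port_hi": 5061},
    {"action": "allow", "src": "dmz", "dst": "lan", "proto": "udp",
     "port_lo": 50000, "port_hi": 52399},
]

if __name__ == "__main__":
    print("before:", report(BEFORE))   # four dmz -> lan gaps
    print("after: ", report(AFTER))    # []
```

Run against the "before" set it lists four gaps, all from the DMZ towards the LAN; against the "after" set it lists none. The same check can be pointed at a WAN zone by calling missing_flows with endpoint_zone="wan", which corresponds to the public-side rules the guide extract is actually describing.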

The port usage for firewall traversal deployment guide may be useful to double-check the firewall port configuration.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.pdf

Please note that logs from the endpoint and the VCS will contain private information (especially for devices on the public network); I'd suggest opening a case with TAC for further investigation, if necessary (please be careful about posting any logs on this community site).