09-11-2012 02:08 PM - edited 03-17-2019 11:46 PM
Hello, Everyone.
We were donated some equipment to set up a SIP network and have been experiencing some issues.
For internal endpoints we have an EX90, C90, and MOVI clients. We also have a single VCS Starter Pack Expressway (*without* the dual NIC option).
For our firewall imagine 3 interfaces: inside, outside, and DMZ. The DMZ has public/Internet IP addresses. There is no NATing between the inside and DMZ--it only NATs when traversing the outside interface (which of course is the interface connected to the Internet).
So let me just make up some addresses here for communications sake:
VCS Expressway: 20.0.0.2/25 <-- public address
Internal Endpoint EX90: 10.0.0.2/24
Internal Endpoint MOVI: 10.0.0.3/24
Again, there is no NATing between the 10.0.0.0/24 and 20.0.0.0/25 network.
Everything works internally (registered through our VCS). When we make an external call, say from the MOVI client, media gets to the external endpoint but we do not receive any media on the internal endpoint (not a single UDP packet). We also noticed the media stream we send out is going directly to the external endpoint (or its VCS), and not through our VCS Expressway.
Another interesting fact: when we put a small Linksys router between the endpoints and our corporate network (endpoints on the LAN, corporate network on the WAN), everything works, and media from us passes through our VCS in the DMZ. The only thing I can fathom is that the VCS realizes there is now a NAT between the internal endpoint and itself, and alters the path.
I've looked through a lot of different documents (VCS Basic Config Guide, Expressway Starter Pack Deployment Guide, VCS IP Port Usage for Firewall Traversal Deployment Guide, etc.) and none of them that I've seen really cover our scenario. Does anyone have any ideas on why the media isn't working properly? I don't have access to the corporate firewall, but I'm told the UDP stream never gets back to us.
From what I've read in other discussions posted here, it seems like you only need the Dual NIC option if your VCS Expressway is being NATed to the Internet (which ours is not). Is this correct?
Thanks,
-Matthew Pinkston
09-12-2012 12:41 AM
Hi Matthew,
In addition to the suggestions provided by Tomo and Alok, you could also leverage the 'Media encryption mode' zone/subzone setting on the VCS (this is available in X7.2) to force the Expressway to take media even for your internal SIP endpoints.
If you, for example, configure the 'Media encryption mode' for the Default Subzone on your VCS-E to 'Best effort', a call between two internal SIP devices registered to the VCS-E would have its media routed via your VCS-E, as would a call between an internal SIP device and an external/remote device.
Hope this helps,
Andreas
09-11-2012 02:12 PM
Just to clarify, the VCS is in the DMZ and the internal endpoints hang off the inside interface of the firewall.
09-11-2012 04:07 PM
Is the EX90 (and the other endpoints) registered on the VCS-E as a SIP device?
For a call between SIP UAs where both SIP UAs have the same SIP Contact address and source IP address, the VCS-E will treat the call as a "non-traversal" call.
This means the VCS-E will not stay in the media routing, therefore media flows directly between the two SIP UAs.
To make this work, as you tested by using the Linksys router, the VCS-E needs to see the SIP UA as a traversal client (the SIP UA has a different IP address in its source IP address and its Contact address).
Another quick way to make it work is to register the EX90 (and the other endpoints) to the VCS-E as H.323 endpoints.
A call between Movi and the EX90 will be an interworking call, therefore media will go through the VCS-E.
You might need to add search rules for converting SIP URL to E.164 alias and E.164 to SIP URL (unless the EX90 is registered with the full URL format by using the H.323 ID configuration).
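To make the rule Tomo describes concrete (same Contact host and source IP means non-traversal, media flows UA-to-UA), and to fold in Andreas's 'Media encryption mode' workaround, here is a small added model written for this thread, not Cisco's code. The SIP INVITE is constructed, the 10.0.0.x addresses follow the thread's made-up numbering, and 'Auto' as the name of the mode that leaves the rule in force is an assumption.

```python
import re
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed SIP INVITE (not captured traffic). Addresses follow the
# thread's made-up numbering: the EX90 sits on 10.0.0.2 inside the firewall.
INTERNAL_EX90_INVITE = (
    "INVITE sip:someone@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.0.2:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:ex90@example.com>;tag=1928301774\r\n"
    "To: <sip:someone@example.com>\r\n"
    "Contact: <sip:ex90@10.0.0.2:5060;transport=tcp>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n\r\n"
)
# Same endpoint behind the Linksys router: it still advertises its private
# LAN address in Contact, but the packet reaches the VCS-E from the router.
NATTED_EX90_INVITE = INTERNAL_EX90_INVITE.replace("10.0.0.2", "192.168.1.10")

# Host part of the Contact URI (IPv4 literal or hostname; IPv6 not handled).
CONTACT_RE = re.compile(r"^Contact:\s*<sip:(?:[^@>]+@)?([^:;>]+)", re.I | re.M)


def contact_host(msg: str) -> Optional[str]:
    m = CONTACT_RE.search(msg)
    return m.group(1) if m else None


def classify_call(msg: str, source_ip: str,
                  media_encryption_mode: str = "Auto") -> Tuple[str, str]:
    """Model of the rule in the thread: if the Contact host equals the IP the
    message actually arrived from, the UA is not behind NAT, the VCS-E treats
    the call as non-traversal and media flows UA-to-UA; otherwise the UA is a
    traversal client and the VCS-E stays in the media path. Andreas's
    workaround is modelled by media_encryption_mode: 'Best effort' on the
    subzone makes the VCS-E take media regardless. ('Auto' as the name of the
    mode that leaves the rule above in force is an assumption.)"""
    host = contact_host(msg)
    if host is None:
        raise ValueError("no Contact header in message")
    try:
        same = ip_address(host) == ip_address(source_ip)
    except ValueError:
        # Contact carried a hostname rather than a literal; a real registrar
        # would resolve it, this model just reports that it cannot decide.
        return "unknown", "unknown"
    call_type = "non-traversal" if same else "traversal"
    via_vcse = call_type == "traversal" or media_encryption_mode == "Best effort"
    return call_type, "via VCS-E" if via_vcse else "direct UA-to-UA"
```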
09-11-2012 05:08 PM
Hi Matt,
This is expected with SIP in your scenario. The quick solution is to have the EX90 registered as H.323, as pointed out by Tomo, and use interworking.
You can also use the second NIC on the Expressway and register the internal endpoints using the internal interface, but you need a "Dual NIC option key" for that, and I believe you don't have it right now.
The only other option I can think of, and which you already know, is to have NAT between the internal IPs and the DMZ network.
Thanks
Alok
09-12-2012 07:55 AM
Thanks a lot for the clarifications and suggestions, everyone. That helps validate my suspicions from what I was seeing.
In response to Tomonori's question, the EX90 is registered to our VCS-E in the DMZ. Again, this would work to one of our internal MOVI clients. It's when we establish a call with one of the internal endpoints and an external one, that things start to fail (so EX90 connecting to some external SIP address at Cisco).
It seems like the second NIC option is designed for a completely different setup than how we currently do things. If we got the second NIC, and put the internal LAN on the VCS on the inside of the firewall we're bridging networks with a single piece of hardware--which is no good.
I've read in the discussions where people said you didn't necessarily have to have both LAN interfaces connected, you just had to have the Dual NIC option. With that in mind, would it be possible to do the following?
- Purchase the Dual NIC option
- Set up a LAN interface on the VCS as "External"
- Assign it an IP address of 10.0.0.4/24
- Create a static NAT on the firewall to map to a public address 20.0.0.2 (this is the part that's different for our current network infrastructure)
- Create the necessary allows in the firewall ACLs
- Set up the Static NAT option on the external VCS interface, informing it what the public IP is (this part is actually very misleading in the documentation I read)
- Connect local clients to the 10.0.0.4 address (I may need to set up some kind of overriding DNS to properly do this)
In this scenario I would only be connecting the "External" VCS LAN interface to the inside network.
Then when I make calls, it should know to do a traversal call, right?
I've got some lab time coming up; as soon as I verify the posted solutions work, I'll mark them as correct. Thanks again!