Advanced Networking feature on VCS

macieknowak
Level 1

Hello,

I need help regarding Advanced Networking on VCS.

I configured this Advanced Networking on a client site. The client is using only LAN1.

page 20 on http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/admin_guide/Cisco-VCS-Administrator-Guide-X8-6.pdf.

I have to know which ports I have to open. In this documentation I find:

"When Advanced Networking is enabled, all ports configured on the Expressway, including those relating to firewall traversal, apply to both IP addresses;

You cannot configure ports separately for each IP address." page 43, 45

Is it necessary to open media and signaling ports 2776, 2777, 7001 from EXP-C to EXP-E on both IP addresses (private and public)?

Which address should I use to configure the traversal zone between Exp-C and Exp-E?

In this document http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/admin_guide/Cisco-VCS-Administrator-Guide-X8-6.pdf on page 20 I see: "In such a deployment, traversal clients should be configured to use the internally-facing IP address of the VCS."

but in this document: http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-6/Cisco-VCS-Basic-Configuration-Control-with-Expressway-Deployment-Guide-X8-6.pdf page 63

"The traversal zone on the VCS Control must have 64.100.0.10 (public) as the peer address."

If I open the firewall for ports 2777, 2776, 7001 only to the private address of EXP-E, I see on the firewall that the media (2777, 2776) and signaling (7001) try to reach the public address of EXP-E.

If I open ports 2777, 2776, 7001 to both addresses of EXP-E (public and internal), the solution works OK.

I also tried both addresses of Exp-E (public and internal) in the traversal zone settings (on EXP-C) and it works OK in both cases (I still have ports open to the public and private addresses of VCS-E).

What is the proper configuration? / Where can I find the media and signaling flow?

Best regards

Thanks for help


The VCS IP Port Usage for Firewall Traversal Guide is very helpful.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-6/Cisco-VCS-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-6.pdf

If you are only using one network interface of the VCS-E with NAT enabled, the peer address configured on the VCS-C as a traversal client should be the NAT IP (public) of the VCS-E if your firewall supports NAT reflection (NAT loopback/NAT hairpinning), and most support this. Otherwise, use the private IP of the VCS-E as the peer address on the VCS-C (client) traversal zone.

The IP address of the VCS-E used as source and destination address in the firewall definitions should only be the IP address configured as peer address on the VCS-C (client) traversal zone.

I have already deployed some projects with this kind of setup and it works fine.

regards,

Acevirgil

Thanks a lot.

I have also configured as peer address on VCS-C the public address of VCS-E (NAT address).

Could I close the media ports 2666, 2667 and signaling port 7001 from VCS-C to the VCS-E private address?

When I configured the private address of VCS-E as the peer address on VCS-C and opened ports only for the private address of VCS-E, it didn't work.

On the firewall I see that VCS-C also tries to connect to the public address of VCS-E. (When I open the ports to both addresses, it works OK.)

Best regards

Ports 2666 and 2667 are not used by VCS. Do you mean ports 2776 and 2777, which are the H323 signaling ports for H323 traversal, and 7001 as the listening port of the VCS-E for SIP signaling? If you close these ports, H323, SIP and interworking (H323<--->SIP) traversal calls would not be possible.

Did you try to configure the peer address on the VCS-C (client) traversal zone with the public IP (NAT) of the VCS-E only? And the firewall defined with source and destination as the VCS-E public IP (NAT) only.

For example, for VCS-C to VCS-E SIP traversal, your firewall ports defined will be:

regards,

Acevirgil


Hello,

On version 8.6 VCS uses ports 2777 and 2776 for media traversal by default.

Yes, I tried using the public (NAT IP) on VCS for the zone setting. It is working. (I don't know if I also have to open ports to both addresses of VCS-E. I will check this.)

The client would like to connect VCS-C to the private address of VCS-E.

I can do this, but I have to open ports from VCS-C to both addresses on VCS-E (NAT IP and private). In the attachment you can see the log files.

We see in the log that both addresses are used on VCS-E for the call (NAT IP and private).

Core - 10.0.61.90
Exp -10.0.20.90 194.146.120.90
CUCM - 10.0.61.91

The client would like to know if the media and signaling going to the public address are still safe (the traversal zone was working).

You don't need to open ports for both IP addresses of the VCS-E. The VCS-C will communicate directly to the NAT IP of the VCS-E. Let the firewall do its job and use its feature "NAT reflection" to route the packet to 10.0.20.90 (VCS-E Physical IP).

This means that if a packet is sent to 194.146.120.90 (VCS-E NAT IP) by 10.0.61.90 (VCS-C), the packet would normally be routed to the VCS-E default gateway. The firewall with the NAT reflection feature detects that 194.146.120.90 is the address of its interface facing the internet, and treats the packet as if it came from that interface. It determines the destination for that packet based on the DNAT (port forwarding) rules for that destination. If the data were sent to port 7001, for example, and a rule exists for port 7001 directed to 10.0.20.90, then the VCS-E receives the packet.

You can see on the firewall that the VCS-C is trying to connect to both VCS-E IP addresses because of NAT reflection.

regards,

Acevirgil

It is different/even stricter than Acevirgil said, if you only use one interface and that with NAT on the VCS-E you HAVE to point the VCS-C to the public ip address.

The VCS-C will not try to connect to the internal IP of the VCS-E but sure you might see something in the connection tracking table of the FW.

If you use clustering (which does not support NAT on the cluster interface) or you can not run NAT deflection you would have to use the second interface of the VCS-E to get the VCS-C connected to it.


Hello,

Thanks for the answers. I don't have a cluster on my site. I have configured the zone on VCS-C with the private address of VCS-E. The firewall rules are open for the two addresses of VCS-E (NATed and private). It works OK.

I also configured the zone on VCS-C with the public address of VCS-E. It also works OK.

I chose the configuration with the private address on VCS-C, because I will not have problems with DNS.

I also contacted TAC about this case:

"In your setup using one LAN port and NATing, when the exp-C is reaching the exp-E, the destination would be the public IP of the exp-E.

However, when the exp-E is sending data to exp-C, the source IP would be the private IP of the exp-E.

For example:

Exp-E has IP address 192.168.1.2 (NATed: 85.4.3.2)

Exp-C has IP address 10.1.1.2

Firewall in between has 2 ports (1- 192.168.1.1 [exp-E side], 2- 10.1.1.1 [exp-C side])

  • Exp-C is sending data to exp-E:
    • Source IP: 10.1.1.2
    • Destination IP: 85.4.3.2
  • Exp-E is sending data to exp-C:
    • Source IP: 192.168.1.2
    • Destination IP: 10.1.1.2

So on your firewall traffic going from your exp-C to the NATed IP should be permitted, and traffic coming from the exp-E private IP to the exp-C private IP should also be going through.

This is the normal behavior of the VCS's in your setup, so if configured correctly on the firewall, then the setup should be safe."
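To make Acevirgil's NAT reflection explanation and the TAC address example above concrete, here is an added Python model that is not part of this thread or of any Cisco software; the Firewall class, its DNAT rule format and the log it keeps are assumptions, built on the addresses the poster gave (VCS-C 10.0.61.90, VCS-E 10.0.20.90 behind NAT 194.146.120.90). It shows why the firewall log lists both VCS-E addresses for one connection, and why the hairpin fails when reflection is off.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed scenario using the addresses from the thread.
EXP_C = "10.0.61.90"            # VCS-C / Expressway-C
EXP_E_PRIVATE = "10.0.20.90"    # VCS-E physical (LAN1) address
EXP_E_NAT = "194.146.120.90"    # VCS-E public (NAT) address on the firewall
# Assumed DNAT (port-forwarding) rules: traversal ports on the public address -> VCS-E.
TRAVERSAL_DNAT = {7001: EXP_E_PRIVATE, 2776: EXP_E_PRIVATE, 2777: EXP_E_PRIVATE}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    """Stateful firewall in front of the VCS-E with DNAT rules and optional NAT reflection."""
    public_ip: str
    dnat: dict
    reflection: bool
    conntrack: set = field(default_factory=set)  # (inside host, outside peer) of translated flows
    log: list = field(default_factory=list)      # (src, dst) pairs an admin would see in the log

    def forward(self, pkt):
        """Return the packet as delivered (after any translation), or None if dropped."""
        self.log.append((pkt.src, pkt.dst))
        if pkt.dst == self.public_ip:
            if pkt.dport not in self.dnat:
                return None                       # no port-forwarding rule for this port
            if ip_address(pkt.src).is_private and not self.reflection:
                return None                       # hairpin from the inside needs NAT reflection
            delivered = Packet(pkt.src, self.dnat[pkt.dport], pkt.dport)
            self.conntrack.add((delivered.dst, pkt.src))
            self.log.append((delivered.src, delivered.dst))   # second entry: private address
            return delivered
        if (pkt.src, pkt.dst) in self.conntrack:
            return pkt                            # reply on a tracked (translated) flow
        return None

def sip_traversal(reflection):
    """VCS-C opens SIP traversal (7001) to the NAT address; returns (dst seen by VCS-E, reply src, log)."""
    fw = Firewall(EXP_E_NAT, TRAVERSAL_DNAT, reflection)
    delivered = fw.forward(Packet(EXP_C, EXP_E_NAT, 7001))
    if delivered is None:
        return None, None, fw.log
    reply = fw.forward(Packet(EXP_E_PRIVATE, EXP_C, 7001))
    return delivered.dst, (reply.src if reply else None), fw.log
```

With reflection on, the request is delivered to 10.0.20.90 and the reply leaves with that private source address, exactly the two directions TAC describes; with reflection off, the VCS-C packet to the NAT address is dropped, which is the case where the private address must be the peer.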

Hello!

(first, thanks for setting the thread to answered, 5 points for that).

You seem to be interested, so I would recommend you to look a bit into generic networking.

On the IP level, sure, when you trace on the VCS itself you see the packets coming in or being sent out with the local IP address even when doing NAT.

But that's exactly what NAT does, rewriting the addresses.

Looking a bit more into how Layer 2 and 3 work will give some more insight.

This kind of IP change with NAT is easy and most home networks will do that as well: your source IP is a private one from your computer and still this Cisco and hopefully all other websites can send information back to you.

On voice over IP, like H323 or SIP, you have another challenge. The setup of the call via SIP or H323 messages is often called signaling, but this message also contains the info where the media is intended to be sent to.

If you do not have the dual interface option and you would try to do NAT, the signaling message will then still contain the internal IP address and then the remote site might fail to send the message to you as it is sending it to an unroutable network.

Some calls might even work, especially if the remote site itself is on a public IP.

But such a deployment is doomed to generate issues sooner or sooner and you have a problem.

To do all its features the VCS must know how things work. And that also requires that things are set up, so the VCS knows what to expect and how to behave.

Regarding your example, most people will have a network separation so what you describe does not happen. Also you could have a firewall which for example only allows the related answers through, then it must follow the exact path on how the NAT was traversed to the VCS (or in your case Expressway, they behave the same).

As you already have the key, I would have deployed it with the secondary interface.

Public traffic via NAT, internal traffic via the internal network.

Hello Martin,
Thanks a lot for the clarification.
I have tested the solution with both cases.
The first:
The traversal zone from VCS-C to the private address of VCS-E.
The point-to-point video call works fine, but multicasting (conference call) is not working. (This configuration is not supported by Cisco.)
The second:
The traversal zone from VCS-C to the public address of VCS-E, as you and Cisco say. Everything works OK.
I also checked traces. Media goes from VCS-C directly to the public address of VCS-E.