How does Cisco Expressway allow UDP ports in firewall traversal?

techToddler
Level 1

Hello,

I am trying to understand the concept of firewall traversal between Expressway E and C. The traversal server and client concept is understood. However, I am getting how the UDP packets are sent between the firewall. For example:

The traversal server and client connection between the core and edge is a TCP over TLS connection on port 7001 and, say, 24001 on the Core side.

When a call signal (TCP) comes from the public network, it hits the Expressway edge, and the edge rewrites the INVITE and forwards it to the core using the connection that is already established. At this point, it uses a single TCP connection, and I wanted to know how the UDP ports are passed using this connection or trunk after the ACK.

Why are only two ports needed to be opened in the firewall?

So if there are 100 calls coming in, how does the edge use the same connection or port to allow all 100 calls?

Please help.

Thanks

Sanjay

1 Accepted Solution

The traffic from E to C is carried within the SSH tunnel.

See it as similar to a VPN tunnel, where traffic is encrypted within the tunnel and, from outside of it, you can’t tell what traffic is carried in the encrypted channel.




3 Replies

There is a tunnel formed from C to E that carries all other traffic. That’s why only a few ports need to be opened in the firewall.




Thanks for your reply.

So for an incoming call from outside, what really happens from Expressway E to Expressway C?

So for 100 calls at a time, do you say all 100 calls are processed with those few ports? How are the UDP ports traversing the firewall?

Thank you.
