
Webex Local Gateway - NAT compatible?

TONY SMITH
Spotlight

Hi,

This is a lab configuration, trying to register a local gateway to Webex Calling. At the gateway end I have the choice of routing to Webex via the existing firewall, which means it will be going through NAT. Or connecting an outside IP address directly, which means I need a proper firewall configuration of some sort on the gateway.

Before I go too far does anyone know if the Webex local gateway configuration of SIP over TCP/TLS will survive NAT? 

By the way is there a better section for Webex Calling discussions?

Thanks, Tony S

4 Replies

Nuno Melo
Level 4

 

Yes, it will work under a NAT, but you have to enable STUN on the CUBE as described in the deployment guide:

https://help.webex.com/en-US/article/jr1i3r/Configure-Local-Gateway-on-IOS-XE-for-Webex-Calling#id_100573

Firewall Port Reference:

https://help.webex.com/en-US/article/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling

Alternatively, as you mentioned, you can assign a public address directly to the CUBE and use an inbound ACL to allow only the Webex IP addresses and ports.

Thanks. We have a spare public address and a spare interface so I could assign that directly. At the moment the CUBE doesn't have the Security feature set though, so would have to be protected with static old-school ACLs. That's not ideal as there's a huge list of Webex subnets and ports which would have to be left open.

If we went for public address I think I'd want the ZBF so that at least these "holes" can be opened dynamically.
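
For the static inbound ACL option discussed above, this added example (not part of the original thread and not Cisco's own tooling) generates an IOS extended ACL from a subnet list and shows how the entry count grows with subnets times port rules. The subnets are RFC 5737 documentation ranges, and the port rules, the ACL name and the CUBE address are placeholder assumptions; the real values come from the port reference linked in the thread.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for the
# Webex subnets, and the port rules are placeholders, not Webex's real ports.
SAMPLE_SUBNETS = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
SAMPLE_RULES = [("tcp", 5061, 5061), ("udp", 20000, 20999)]  # placeholders
CUBE_OUTSIDE_IP = "192.0.2.10"  # hypothetical public address on the CUBE


def build_inbound_acl(name, subnets, rules, cube_ip):
    """Return IOS extended-ACL lines permitting only subnets x rules to cube_ip."""
    ipaddress.ip_address(cube_ip)  # raises ValueError on a malformed address
    # strict=True rejects entries with host bits set (e.g. 198.51.100.1/24),
    # which usually points to a copy/paste error in the source list.
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    # Merge adjacent or overlapping prefixes so the ACL stays as short as possible.
    merged = list(ipaddress.collapse_addresses(nets))
    lines = [f"ip access-list extended {name}"]
    for net in merged:
        for proto, lo, hi in rules:
            if proto not in ("tcp", "udp") or not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad rule: {(proto, lo, hi)}")
            port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            # IOS ACLs take a wildcard (inverse) mask, not a netmask.
            src = f"{net.network_address} {net.hostmask}"
            lines.append(f" permit {proto} {src} host {cube_ip} {port}")
    # Explicit final deny with logging so dropped traffic is visible.
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    acl = build_inbound_acl("WEBEX-IN", SAMPLE_SUBNETS, SAMPLE_RULES,
                            CUBE_OUTSIDE_IP)
    print("\n".join(acl))
    print(f"! {len(acl) - 2} permit entries")
```

A static ACL like this is stateless, so return traffic for sessions the CUBE initiates needs its own permit entries; that is the gap ZBF closes by opening the "holes" dynamically.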

ZBF would be the best option. Regarding the security feature set on the CUBE, keep in mind that the outbound SIP leg has to be TLS encrypted towards Webex; for this you need at least the basic sec-k9 feature set present on the CUBE.

Thanks but that's an interesting point. I have TLS established, indeed the gateway registers, so maybe it does have the Security feature set.