VCS Control and VCS Expressway design

e.lopessilva
Level 1

I have an implementation where I have 2 VCS Control and 1 VCS Expressway, software version X6. The end customer has an Internet firewall (Fortinet) working in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory to put the Expressway in front of the firewall with a valid Internet IP address on it? Is it possible to put the Expressway behind the firewall and configure a NAT for it? Does it make sense having VCS Control and VCS Expressway in the same IP subnet without NAT between them?

Thanks in advance.

Everaldo

71 Replies

cfiestas
Level 1

Everaldo,

You are not limited...you can do either.

Cesar Fiestas


Cesar,

Thank you for your answer. If I decide to put the Expressway behind the firewall with NAT and in the same subnet as the VCS Control, would that be an acceptable design, since I don't have a NAT between the Expressway and the VCS Control? Would the Expressway be useful for the solution?

Tks,

Everaldo

Everaldo,

Example

10.10.10.2          10.10.10.3   <-------------->    68.x.x.x(public natted to .3)

VCSC                      VCSE

Just make sure you have the dual NIC option installed even though you will not need the second interface, and that the NATted IP address, in this case 68.x.x.x, is on the respective LAN interface, most likely where .3 is configured.

Enjoy

Cesar Fiestas


If I have the same requirements you are describing above, where my VCSC is in the same subnet as my VCSE:

10.10.10.2          10.10.10.3   <-------------->    68.x.x.x(public natted to .3)

VCSC                      VCSE

Which model do I follow in the guide to set up the traversal? None of them talk about this scenario; the closest one would be the 3-port firewall. Anyway, I would like to make it work as you described above in this example.

On my VCSC I have pointed my Traversal peer to be 10.10.10.3 and it shows "ACTIVE"

On my VCSE I have my "IP" configuration set up as follows:

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = On

IPv4 Static nat address = 68.X.X.X

Lan2 = Not plugged in

I have it set up as follows, and when I make an outbound call from an endpoint to an external client <>@jabber.com, the call proceeds, my Jabber client rings and I can answer, and I get "no incoming video".

When I reverse the process and make a call from Jabber to endpoint@example.com, I get "the user cannot be found" and I see no search history in my Expressway.

I suspect my issues are FW related and DNS SRV related.

What is the easiest way to test that the DNS SRV records are set up properly?

What is the easiest way to test that the FW static NAT rules are set up properly?

Thanks

Ryan,

With your scenario, you should configure the VCS-C's traversal client zone to speak with the public NAT IP; that is the only way the traversal zone will work properly.

You could optionally start using LAN2 (making sure that LAN1 and LAN2 are in different subnets) and then configure the traversal client zone on the VCS-C to communicate with the VCS-E LAN interface which is not in static NAT mode.

In this scenario, the SRV records for example.com should point to the DNS name of your public NAT IP 68.x.x.x (SRV records should ideally not point to an IP address, so I recommend creating a DNS A record which points to the NAT IP and then pointing the SRV records towards this A record).

The easiest way to verify that static NAT is set up properly would simply be to check that incoming and outgoing calls are working on both H.323 and SIP.

You could optionally extend the testing to involve calls to external IP addresses, incoming/outgoing interworked calls and so forth.

Regards

Andreas
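As an added example (not from the thread or from Cisco), a small Python checker that applies the rule above to a constructed zone: every SRV record for the domain must name a host whose A record resolves to the public NAT IP, never an IP literal and never the VCS-E's private LAN1 address. The service labels, record values and the 68.0.0.3 placeholder for 68.x.x.x are assumptions.

```python
import ipaddress

# Constructed sample zone, not from the thread. The first three SRV records
# follow the recommended pattern (SRV -> A record -> public NAT IP); the
# fourth points straight at an IP literal. 68.0.0.3 is a placeholder for the
# thread's 68.x.x.x; 10.10.10.3 is the VCS-E LAN1 address from the thread.
SAMPLE_ZONE = """
_sips._tcp.example.com.   3600 IN SRV 10 10 5061 vcse.example.com.
_sip._tcp.example.com.    3600 IN SRV 10 10 5060 vcse.example.com.
_h323ls._udp.example.com. 3600 IN SRV 10 10 1719 vcse.example.com.
_h323cs._tcp.example.com. 3600 IN SRV 10 10 1720 68.0.0.3.
vcse.example.com.         3600 IN A   68.0.0.3
vcse-lan1.example.com.    3600 IN A   10.10.10.3
"""

def parse_zone(text):
    """Return ([(owner, port, target)], {name: ipv4}) from zone-style lines."""
    srv, a = [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 8 and f[3] == "SRV":
            srv.append((f[0].rstrip("."), int(f[6]), f[7].rstrip(".")))
        elif len(f) == 5 and f[3] == "A":
            a[f[0].rstrip(".")] = f[4]
    return srv, a

def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def check_srv(zone_text, public_nat_ip):
    """List SRV records that will not lead an external caller to the NAT IP."""
    srv, a = parse_zone(zone_text)
    problems = []
    for owner, _port, target in srv:
        if is_ip_literal(target):
            problems.append(f"{owner}: target is an IP literal; point it at an A record")
        elif target not in a:
            problems.append(f"{owner}: target {target} has no A record")
        elif ipaddress.ip_address(a[target]).is_private:
            # An internal address here hands external callers the LAN1 IP
            problems.append(f"{owner}: {target} resolves to private {a[target]}")
        elif a[target] != public_nat_ip:
            problems.append(f"{owner}: {target} -> {a[target]}, not NAT IP {public_nat_ip}")
    return problems
```

Feed it the output of a zone transfer or a set of `dig` answers for your own domain and compare the NAT IP against what the firewall actually translates.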

Andreas,

Can you help me understand your comment "you should configure the VCS-C's traversal client zone to speak with the public NAT IP, that is the only way the traversal zone will work properly"? On my VCS-C I now have it pointing to a peer address of 68.x.x.x, but when I do this the traversal client is unable to connect to the VCS-E. Is this what you meant? If I point my traversal zone to the public IP, is the firewall supposed to hairpin it back to the VCS-E?

So now my setup goes as follows:

On my VCSC I have pointed my Traversal peer to be 68.x.x.x and it shows "FAILED"

On my VCSE I have my "IP" configuration set up as follows:

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = On

IPv4 Static nat address = 68.X.X.X

Lan2 = Not plugged in

When I change the Peer back to 10.10.10.3 at least it goes to "ACTIVE"

Cheers

Hi Ryan,

Yes, if your VCS-E is only using one LAN interface, and this LAN interface has static NAT enabled on it, all traversal clients (as well as endpoints registering to this VCS-E) will have to address this VCS-E through its static NAT address, in this case 68.x.x.x.

This means that your firewall has to hairpin traffic from the VCS-C to the VCS-E, as you have noted. This is also referred to as NAT reflection.

Please consult Appendix 4 of http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf for more details and an explanation of why it must be configured this way.

Regards

Andreas

Andreas,

Would you happen to know a URL or guide that shows how to configure "NAT reflection" on an ASA running 8.4? When I search for this term, all I get is links to this post. Does it go by some other name in ASA features?

Ryan,

I believe the relevant ASA command in this case would be 'same-security-traffic permit intra-interface'.

More information about that command here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

I would however strongly suggest that you consider utilizing both LAN interfaces of the VCS-E instead of just one, so that the VCS-C can communicate with the non-NATed LAN interface of the VCS-E, since hairpinning would force the video traffic through your firewall multiple times, as well as introduce asymmetric routing.

Regards

Andreas

OK, so if we decide to do it this way, how should my interfaces look? Would it be like this?

To do as you suggested, my new setup will look like this:

10.10.10.2--->  (Lan1 = 10.10.10.3 Lan2=10.10.20.2)-------> (fwIn 10.10.20.1<->FWOut)= 68.x.x.x(public natted to 20.2)

VCSC                                      VCSE

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = Off

Lan 2 IPv4 = 10.10.20.2

IPv4 Static nat = On

IPv4 Static nat address = 68.X.X.X

VCSE GW = 10.10.20.1

So if I set it up exactly like above, I gather that I would peer with 10.10.10.3 and access the device from 10.10.10.3. Should my gateway for the VCSE be set to 10.10.20.1, or should it be set to the GW of the 10.10.10.x network?

Do I need to do any static routes on the VCSE box?

Message was edited by: Ryan O'Connell, added picture easier to see

Ryan,

With that scenario, you would set the default GW to 10.10.20.1.

Whether or not you need to add static routes depends on whether there is a router on the 10.10.10.x subnet which will be used to route traffic to subnets located behind this router (for example for reaching TMS, NTP, DNS and so forth), if that router is not performing NAT. If the router is performing NAT, static routes are usually not needed.

This is described in further detail in the appendix I mentioned earlier, and there is also an example scenario in there which you should be able to use as a guideline, with some adjustments.

- Andreas

Hi Ryan / Andreas,

Have you got a solution for your issue? Currently I have the same issue with Expressway C & E while preparing a demo for a customer. The demo topology is similar to Ryan's. Exp C & Exp E are in the same subnet, and Exp E is NATed to a public IP address.

When I pointed the Exp C to Exp E peer at the local IP, it shows ACTIVE. But when I pointed the peer to the public IP, it shows FAILED.

I have also read about NAT reflection in the firewall to make this work. But at the customer site, unfortunately we cannot directly see the firewall configuration / device type to check whether it supports that feature or not.

From Exp C, we can ping both the Exp E private IP address and the NATed IP address. My question is, how could I know if the customer's 3rd party firewall supports the NAT reflection feature or not, besides the ping result?


Thank you.

Regards,

Yohanes Hartono


Be more initiative, innovative, and creative

Marwan ALshawi
VIP Alumni

You need to use a public IP without NAT if you want to place the VCS Expressway behind a firewall.

Note: if the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.shtml

HTH

If helpful, rate.

Sent from Cisco Technical Support iPhone App

Marwanshawi,

That is not entirely correct. The article you linked to states that the "outside IP address" of the VCS-E needs to be a publicly routable IP address, which is correct. In this case, "outside IP address" means the public static NAT IP address for the VCS-E on the firewall/router outside the VCS-E (for a scenario where the VCS-E is located in a DMZ behind a static NAT).

In order for the VCS-E to be located behind a static NAT, the VCS-E must have the Dual Network Interfaces option key, which unlocks both the second LAN interface of the VCS-E as well as unlocking the static NAT functionality which is built into the VCS-E.

Regards

Andreas
