Cisco Support Community

New Member

VCS Control and VCS Expressway design

I have an implementation where I have 2 VCS Control and 1 VCS Expressway, software version X6. The end customer has an Internet firewall (Fortinet) working in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory to put the Expressway in front of the firewall with a valid Internet IP address on it? Is it possible to put the Expressway behind the firewall and configure a NAT for it? Does it make sense to have VCS Control and VCS Expressway in the IP subnet without NAT between them?

Thanks in advance.

Everaldo

71 REPLIES
New Member

VCS Control and VCS Expressway design

Everaldo,

You are not limited...you can do either.

Cesar Fiestas

Cesar Fiestas
New Member

VCS Control and VCS Expressway design

Cesar,

Thank you for your answer. If I decide to put the Expressway behind the firewall with NAT and in the same subnet as the VCS Control, would it be an acceptable design, since I don't have a NAT between the Expressway and the VCS Control? Would the Expressway be useful for the solution?

Tks,

Everaldo

New Member

VCS Control and VCS Expressway design

Everaldo,

Example

10.10.10.2          10.10.10.3   <-------------->    68.x.x.x(public natted to .3)

VCSC                      VCSE

Just make sure you have the dual NIC option installed even though you will not need the second interface, and that the NATted IP address, in this case 68.x.x.x, is on the respective LAN interface, most likely where .3 is configured.

Enjoy

Cesar Fiestas

Cesar Fiestas
New Member

VCS Control and VCS Expressway design

If I have the same requirements you are describing above, where my VCSC is in the same subnet as my VCSE:

10.10.10.2          10.10.10.3   <-------------->    68.x.x.x(public natted to .3)

VCSC                      VCSE

Which model do I follow in the guide to set up the traversal? None of them talk about this scenario; the closest one would be the 3-port firewall. Anyway, I would like to make it work as you described above in this example.

On my VCSC I have pointed my Traversal peer to be 10.10.10.3 and it shows "ACTIVE"

On my VCSE I have my "IP" configuration setup as follows

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = On

IPv4 Static nat address = 68.X.X.X

Lan2 = Not plugged in

I have it set up as follows, and when I make an outbound call from an endpoint to an external client <>@jabber.com the call proceeds, my Jabber client rings and I can answer, and I get "no incoming video".

When I reverse the process and make a call from Jabber to endpoint@example.com I get "the user can not be found" and I see no search history in my Expressway.

I suspect my issues are FW related and DNS SRV related.

What is the easiest way to test that the DNS SRV records are set up properly?

What is the easiest way to test that the FW static NAT rules are set up properly?

Thanks

Gold

VCS Control and VCS Expressway design

Ryan,

With your scenario, you should configure the VCS-C's traversal client zone to speak with the public NAT IP; that is the only way the traversal zone will work properly.

You could optionally start using LAN2 (making sure that LAN1 and LAN2 are in different subnets) and then configure the traversal client zone on the VCS-C to communicate with the VCS-E LAN interface which is not in static NAT mode.

In this scenario, the SRV records for example.com should point to the DNS name of your public NAT IP 68.x.x.x (SRV records should ideally not point to an IP address, so I recommend creating a DNS A record which points to the NAT IP and then point the SRV records towards this A record.).

The easiest way to verify that static NAT is set up properly would simply be to check that incoming and outgoing calls are working on both H323 and SIP.

You could optionally extend the testing to involve calls to external IP addresses, incoming/outgoing interworked calls and so forth.

Regards

Andreas
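The SRV-to-A-to-NAT-address chain Andreas describes can be sanity-checked offline before touching the firewall. The following is an added example, not code from the thread or from Cisco: the zone data is constructed, 68.0.0.3 stands in for the poster's 68.x.x.x, and the _h323ls._udp record is included as an assumed H.323 lookup name alongside the _sip._tcp and _sips._tcp names mentioned later in the thread.

```python
"""Offline check of the DNS chain for a VCS-E behind static NAT:
SRV -> hostname (A record) -> public static NAT address.
Added example, not from the original thread; all zone data is constructed."""
import ipaddress

# Constructed zone data for example.com, keyed by (owner name, record type).
ZONE = {
    ("_sip._tcp.example.com", "SRV"): [(10, 10, 5060, "vcse.example.com")],
    ("_sips._tcp.example.com", "SRV"): [(10, 10, 5061, "vcse.example.com")],
    ("_h323ls._udp.example.com", "SRV"): [(10, 10, 1719, "vcse.example.com")],
    ("vcse.example.com", "A"): ["68.0.0.3"],
}

# SRV owner prefixes to verify (_h323ls._udp assumed from the admin guide).
SRV_NAMES = ["_sip._tcp", "_sips._tcp", "_h323ls._udp"]


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def check_srv_chain(zone, domain, public_nat_ip):
    """Return a list of problems; an empty list means the chain is sound."""
    problems = []
    for prefix in SRV_NAMES:
        owner = f"{prefix}.{domain}"
        records = zone.get((owner, "SRV"), [])
        if not records:
            problems.append(f"{owner}: no SRV record")
            continue
        for _prio, _weight, _port, target in records:
            # SRV targets must be hostnames, not IP literals.
            if is_ip_literal(target):
                problems.append(f"{owner}: target {target} is an IP literal")
                continue
            a_records = zone.get((target, "A"), [])
            if not a_records:
                problems.append(f"{owner}: target {target} has no A record")
            elif public_nat_ip not in a_records:
                problems.append(
                    f"{owner}: {target} -> {a_records}, expected {public_nat_ip}")
            # A private address here would send external callers to the DMZ IP.
            for addr in a_records:
                if ipaddress.ip_address(addr).is_private:
                    problems.append(f"{owner}: {target} -> {addr} is private")
    return problems
```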

New Member

VCS Control and VCS Expressway design

Andreas,

Can you help me understand your comment "you should configure the VCS-C's traversal client zone to speak with the public NAT IP, that is the only way the traversal zone will work properly"? On my VCS-C I now have it pointing to a peer address of 68.x.x.x, but when I do this the Traversal Client is unable to connect to the VCS-E. Is this what you meant? If I point my traversal zone to the public IP, is the firewall supposed to hairpin it back to the VCS-E??

So now my setup goes as follows:

On my VCSC I have pointed my Traversal peer to be 68.x.x.x and it shows "FAILED"

On my VCSE I have my "IP" configuration setup as follows

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = On

IPv4 Static nat address = 68.X.X.X

Lan2 = Not plugged in

When I change the Peer back to 10.10.10.3 at least it goes to "ACTIVE"

Cheers

Gold

Re: VCS Control and VCS Expressway design

Hi Ryan,

Yes, if your VCS-E is only using one LAN interface, and this LAN interface has static NAT enabled on it, all traversal clients (as well as endpoints registering to this VCS-E) will have to address this VCS-E through its static NAT address, in this case 68.x.x.x.

This means that your firewall has to hairpin traffic from the VCS-C to the VCS-E, as you have noted. This is also referred to as NAT reflection.

Please consult Appendix 4 of "http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf" for more details and an explanation of why it must be configured this way.

Regards

Andreas

New Member

Re: VCS Control and VCS Expressway design

Andreas,

Would you happen to know a URL or guide that shows how to configure "NAT reflection" on an ASA running 8.4? When I search for this term all I get is links to this post. Does it go by some other name in ASA features?

Gold

Re: VCS Control and VCS Expressway design

Ryan,

I believe the relevant ASA command in this case would be 'same-security-traffic permit intra-interface'.

More information about that command here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

I would however strongly suggest that you consider utilizing both LAN interfaces of the VCS-E instead of just one, so that the VCS-C can communicate with the non-NATed LAN interface of the VCS-E, since hairpinning would force the video traffic through your firewall multiple times, as well as introduce asymmetric routing.

Regards

Andreas

New Member

Re: VCS Control and VCS Expressway design

OK, so if we decide to do it this way, how should my interfaces look? Would it be like this?

To do as you suggested, my new setup will look like this:

10.10.10.2--->  (Lan1 = 10.10.10.3 Lan2=10.10.20.2)-------> (fwIn 10.10.20.1<->FWOut)= 68.x.x.x(public natted to 20.2)

VCSC                                      VCSE

LAN 1 IPv4 = 10.10.10.3

IPv4 Static nat = Off

Lan 2 IPv4 = 10.10.20.2

Static Nat On

IPv4 Static nat address = 68.X.X.X

VCSE GW = 10.10.20.1

So if I set it up exactly like above, I gather that I would peer with 10.10.10.3 and access the device from 10.10.10.3. Should my gateway for the VCSE be set to 10.10.20.1, or should it be set to the GW of the 10.10.10.x network?

Do I need to do any static routes on the VCSE box ?

Gold

Re: VCS Control and VCS Expressway design

Ryan,

With that scenario, you would set the default GW to 10.10.20.1.

Whether or not you need to add static routes depends on whether there is a router on the 10.10.10.x subnet which will be used to route traffic to subnets located behind this router (for example for reaching TMS, NTP, DNS and so forth), and whether that router is performing NAT. If the router is performing NAT, static routes are usually not needed.

This is described in further detail in the appendix I mentioned earlier, and there is also an example scenario in there which you should be able to use as a guideline, with some adjustments.

- Andreas

New Member

Hi Ryan / Andreas,

Have you got a solution for your issue? Currently I have the same issue with Expressway C & E while preparing a demo for a customer. The demo topology is similar to Ryan's. Exp C & Exp E are in the same subnet, and Exp E is NATed to a public IP address.

When I point Exp C to the Exp E peer with the local IP, it shows ACTIVE. But when I point the peer to the public IP, it shows FAILED.

I have also read about NAT reflection in the firewall to make this work. But at the customer site, unfortunately we cannot directly see the firewall configuration / device type to check whether it supports that feature or not.

From Exp C, we can ping both the Exp E private IP address and the NATed IP address. My question is, how could I know whether the customer's 3rd-party firewall supports the NAT reflection feature or not, besides the ping result?

Thank you.

Regards,

Yohanes Hartono

Re: VCS Control and VCS Expressway design

You need to use a public IP without NAT if you want to place the VCS Expressway behind a firewall.

Note: if the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.shtml

HTH

if helpful rate

Sent from Cisco Technical Support iPhone App

Gold

Re: VCS Control and VCS Expressway design

Marwanshawi,

That is not entirely correct. The article you linked to states that the "outside IP address" of the VCS-E needs to be a publicly routable IP address, which is correct. In this case, "outside IP address" means the public static NAT IP address for the VCS-E on the firewall/router outside the VCS-E (for a scenario where the VCS-E is located in a DMZ behind a static NAT).

In order for the VCS-E to be located behind a static NAT, the VCS-E must have the Dual Network Interfaces option key, which unlocks both the second LAN interface of the VCS-E as well as unlocking the static NAT functionality which is built into the VCS-E.

Regards

Andreas

Re: VCS Control and VCS Expressway design

Hi Andreas,

This article looks like it is stating or implying no static NAT, but rather either a DMZ with public IPs (a non-NATed DMZ),

or the other option you mentioned with two interfaces, where one IP can be placed in a non-NATed DMZ and the other interface in a private DMZ.

Personally I had an issue with one interface with static one-to-one NAT on an ASA; once I got it changed to a non-NATed DMZ, things were fixed.

Which I believe is stated clearly in the above article! Let me know if I misunderstood anything here?

Regards,

VCS Control and VCS Expressway design

Like Andreas stated, it's possible to have the VCS-E behind a static 1:1 NAT, but then you need the dual interface option, even if you only use one interface, as this also enables the NAT IP address configuration.

Whether there is NAT in between the VCS-C and VCS-E or not does not matter. Both would work fine out of the box with the traversal zone.

If the VCS-E (towards the public, for example on a private IP) is behind 1:1 NAT, or two interfaces (one internal, one public) are required, the dual interface option is needed.

You find some more information in the VCS admin guide.

Martin

Please remember to rate helpful responses and identify

Gold

VCS Control and VCS Expressway design

Marwanshawi,

Also please note that the article at

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.shtml has been modified and now contains more detailed information about placing the VCS in a DMZ and/or behind a static NAT.

VCS Control and VCS Expressway design

Thanks Andreas and Martin

But the two-interfaces option with one interface to be placed in the public is not accepted by most customers due to the security risk.

If the two-interfaces option is chosen, then one interface can be placed in a non-NATed DMZ, public IPs only, which will make sure there is no firewall bypass from a security point of view.

Gold

VCS Control and VCS Expressway design

Marwanshawi,

With the dual network interfaces option key installed on your VCS-E, you will have quite a lot of flexibility in terms of how you deploy the VCS-E:

- Using 1 network interface in a DMZ with a publicly routable IP address

- Using 1 network interface in a DMZ with a private IP address with Static NAT enabled

- Using 2 network interfaces in one or more DMZs with a publicly routable IP address assigned to the externally-facing interface

- Using 2 network interfaces in one or more DMZs with private IP addresses assigned to both interfaces with Static NAT enabled

In any scenario where both NICs are used, it is recommended that these interfaces have IP addresses in different subnets. It is also recommended that any firewalls which carry traffic to and from this VCS-E are not performing any sort of SIP and H323 application inspection/fixup, as this might interfere with the built-in firewall traversal functionality (H.460 and Assent) of the VCS-E.

Hope this helps,

Andreas

VCS Control and VCS Expressway design

Thanks :)

New Member

Re: VCS Control and VCS Expressway design

Andreas,

Could you tell me what the options would be with a license for just one LAN interface activated?

Tks,

Everaldo

Gold

Re: VCS Control and VCS Expressway design

Hi Everaldo,

Assuming that with "license for just one LAN interface" you mean not having the dual network interfaces option key, the only supported option is to assign LAN 1 a publicly routable IP address not behind any sort of NAT (if connectivity with public networks/Internet is required, that is).

Re: VCS Control and VCS Expressway design

Agree with Andreas, and if you refer to my first post you will see the same recommendation!

New Member

VCS Control and VCS Expressway design

So say I have a DSL in bridge mode. Then I will have to connect my VCS Starter Pack's only NIC to it and assign a public IP to it.

So my internal endpoints will have to register through the public internet to get to this VCS-E?

Can you elaborate on how a call to username@cisco.com finds their VCS? For SIP, is it just the two domain records, _sip and _sips, that need to resolve to your VCS outside address?

Do you have any solutions in a scenario where SIP traffic through a firewall needs to go to a CUBE setup for SIP trunk provider while video traffic needs to go to the VCS with option key enabled for NAT?

Gold

VCS Control and VCS Expressway design

Ricardo,

Yes, your endpoints would then have to register with the public IP address of your Expressway.

The VCS will, as you state, use DNS SRV records for locating remote gatekeepers/SIP proxies; you can find more details about which records are used in the VCS Admin guide.

I'm not too familiar with CUBE and which DNS SRV records usually point to the CUBE, and I guess if the VCS and CUBE "share" similar SRV records that could pose a problem.

For the VCS, it is most common to receive SIP calls over TCP or TLS, e.g. _sip._tcp and _sips._tcp.

Hope this helps,

Andreas

VCS Control and VCS Expressway design

Marwan, Thanks for sharing. Very helpful, 5+

Regards

Lavany

New Member

VCS Control and VCS Expressway design

Don't forget in your Control traversal zone to point the peer to the public IP of the Expressway.

New Member

VCS Control and VCS Expressway design

Hi,

What about the following scenario?

expresswayNAT.jpg

If the VCS Expressway is in DMZ 2 with a private IP address will I need the Dual Network Interface Option?

From this topic I understand that yes, but why can't it work without the option?

What configuration is necessary on the Expressway for it to work?

And which IP do I point the VCS Control to? The private IP 192.168.x.x or the NATed 212.212.x.x?

Unfortunately there is not much information in the documentation for such deployments.

Thanks for help

Maciek

Gold

VCS Control and VCS Expressway design

Maciek,

The reason why the VCS-E will need the dual network interfaces option key while deployed in a DMZ is because you will need the static NAT feature of the VCS-E for this deployment to work.

In H323 and SIP, call signaling and media addresses are embedded into the signaling payloads of the H323 and SIP messages, and when the VCS-E is located behind a NAT, these payloads need to be altered to contain the public NAT IP of the VCS-E to ensure that external parties are able to reach the VCS-E when attempting to set up signaling and media exchange.

For instance, if you were to place a call from an endpoint registered to the VCS Control towards an endpoint at a remote location (for example username@cisco.com), the call would be proxied via the VCS-E. Without using the static NAT feature of the VCS-E, the VCS-E would tell the remote endpoint to send media to the 192.168.x.x address which the VCS-E is assigned (references to the 192.168.x.x address would be made inside H323/SIP messages). This would obviously not work, but with the static NAT feature of the VCS-E, the VCS-E would replace those embedded IP address references with the public address 212.212.x.x, which means that the remote endpoint would send relevant traffic to this address instead, and connectivity should work properly (assuming you have also configured the static NAT properly on the edge firewall/router).

Also, as vipers points out, using the above diagram as an example, where you are using only the LAN1 interface of the VCS-E, you would have to enable static NAT on this interface and configure the traversal client zone on the VCS-C with 212.212.x.x as the peer address in order for this to work.

Hope this helps,

Andreas
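To make the embedded-address problem Andreas describes concrete, here is an added illustration (not Cisco's implementation) of what a static NAT rewrite on the VCS-E has to do to an outbound SIP INVITE: the message, the private address 192.168.1.10 and the public address 212.212.0.10 are all constructed stand-ins for the 192.168.x.x and 212.212.x.x in the thread.

```python
"""Simplified illustration of the static NAT rewrite the thread describes:
replace the private DMZ address embedded in SIP transport headers and in
the SDP body with the public NAT address. Added example, not Cisco code;
message and addresses are constructed."""
import re

PRIVATE_IP = "192.168.1.10"   # VCS-E LAN1 address in the DMZ (constructed)
PUBLIC_IP = "212.212.0.10"    # static NAT address on the edge firewall (constructed)

# Constructed outbound INVITE as a VCS-E would emit it without static NAT.
INVITE = "\r\n".join([
    "INVITE sip:user@remote.example SIP/2.0",
    f"Via: SIP/2.0/TCP {PRIVATE_IP}:5060;branch=z9hG4bK776",
    f"Contact: <sip:alice@{PRIVATE_IP}:5060;transport=tcp>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=- 1 1 IN IP4 {PRIVATE_IP}",
    "s=-",
    f"c=IN IP4 {PRIVATE_IP}",
    "m=audio 49170 RTP/AVP 0",
    "m=video 49172 RTP/AVP 96",
    "",
])

# Headers that carry the address a remote party will send signaling back to.
HEADER_RE = re.compile(r"^(Via|Contact):", re.IGNORECASE)


def apply_static_nat(message, private_ip, public_ip):
    """Rewrite private_ip to public_ip in Via/Contact headers and in the SDP
    o= and c= lines (the media address). Other lines are left untouched so a
    display name or unrelated header that mentions the address is not altered."""
    head, sep, body = message.partition("\r\n\r\n")
    new_head = []
    for line in head.split("\r\n"):
        if HEADER_RE.match(line):
            line = line.replace(private_ip, public_ip)
        new_head.append(line)
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        new_body.append(line)
    return "\r\n".join(new_head) + sep + "\r\n".join(new_body)


def embedded_addresses(message):
    """All IPv4 literals found in the message, for before/after comparison."""
    return sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", message)))
```

Without the rewrite, every literal returned by embedded_addresses() is the private DMZ address, which is exactly what a remote endpoint would try to send media to.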
