
Scenario VCS and ASA

Hello,

This is the last problem I should solve. I would be very happy if you could help me with this one too.

scenario.png

So this - 1 is the scenario that I have, but in this scenario I should have an ASA in front of the endpoint and make a VPN tunnel between the two networks so that the endpoint can register in the VCS. My question is: let's look at scenario 2. Can I make a port forwarding on the ASA so that when the endpoint tries to register and connect to the VCS on the IP 213.133.144.155, the ASA sends it to the VCS? Is this scenario possible or am I dreaming? Thanks!

Regards Svetoslav

Accepted Solutions

Re: Scenario VCS and ASA

Hi,

The scenario 2 should work just fine. However, in order to use NAT to forward connections to VCS, you need to have VCS Expressway with the external address (213.133.144.155) configured in the VCSe as the NAT address; otherwise, VCS won't recognize the external NAT address that will be placed in H323 and SIP headers, so communication won't work properly. Another option (not recommended) is to enable SIP and H323 inspection/ALG features on the firewall, so that the firewall will "NAT" the IP address in the SIP and H323 headers as well; however, it doesn't work well in many cases. So the best solution is to leave the "NAT job" to VCS Expressway alone. This is what Cisco recommends.

Be aware that, in order to configure the NAT address on the VCS, you need to have a VCS Expressway with the "Dual nic" option key installed; this key enables the dual interface and the NAT configuration as well.

Also, when configuring NAT in the firewall, I recommend you configure 1 to 1 NAT instead of using a shared IP address with port forwarding. However, you can get port forwarding working as well, although this is not the most recommended deployment, since you can have conflicts with other applications, because VCS uses many different ports.

Therefore, to achieve your option 2, I would recommend you to use VCS Expressway with dual nic option key enabled and with 1 to 1 NAT configuration on the firewall.

I hope this helps.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
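The point in the answer about addresses inside SIP headers can be checked on a captured message. The following is an added example, not part of the original reply or Cisco's code: it scans a SIP message for private addresses in the fields a plain layer-3 NAT leaves untouched. The internal address 10.0.0.2, the example.com URI, the sample INVITE and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# 213.133.144.155 is the external address from the thread;
# 10.0.0.2 is an assumed internal VCS address (constructed sample value).
NAT_ADDRESS = "213.133.144.155"
INTERNAL_ADDRESS = "10.0.0.2"

# SIP/SDP lines that carry IP addresses inside the payload.
ADDR_LINE = re.compile(r"^(Via|Contact|[co]=)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed INVITE as the VCS would send it; {ip} is the address it advertises.
INVITE_TEMPLATE = (
    "INVITE sip:endpoint@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS {ip}:5061;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:room@{ip}:5061;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 {ip}\r\n"
    "c=IN IP4 {ip}\r\n"
    "m=audio 50000 RTP/AVP 8\r\n"
)

def embedded_addresses(message):
    """Return (field, ip) pairs found in Via, Contact and SDP o=/c= lines."""
    found = []
    for line in message.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            found += [(m.group(1), ip) for ip in IPV4.findall(line)]
    return found

def unreachable_addresses(message, nat_address):
    """Return the embedded private addresses the far side cannot route to."""
    bad = []
    for field, ip in embedded_addresses(message):
        try:
            private = ipaddress.ip_address(ip).is_private
        except ValueError:  # digits that look like an address but are not one
            continue
        if private and ip != nat_address:
            bad.append((field, ip))
    return bad

if __name__ == "__main__":
    for ip in (INTERNAL_ADDRESS, NAT_ADDRESS):
        print(ip, unreachable_addresses(INVITE_TEMPLATE.format(ip=ip), NAT_ADDRESS))
```

An empty result for the second message is what the NAT address setting on the VCS Expressway is meant to produce without relying on firewall inspection.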
