Manual
Appendix 3: Firewall and NAT settings
Internal firewall configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the
NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the
permissive rules required. For further information, see Expressway IP Port Usage for Firewall Traversal.
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if
enabled this will adversely interfere with the Expressway functionality.
Outbound (Internal network > DMZ)

Purpose               | Source              | Dest. | Source IP   | Source port      | Transport protocol | Dest. IP  | Dest. port
Management            | Management computer | EXPe  | As required | >=1024           | TCP                | 192.0.2.2 | 80 / 443 / 22 / 23
SNMP monitoring       | Management computer | EXPe  | As required | >=1024           | UDP                | 192.0.2.2 | 161

H.323 traversal calls using Assent
Q.931/H.225 and H.245 | EXPc                | EXPe  | Any         | 15000 to 19999   | TCP                | 192.0.2.2 | 2776
RTP Assent            | EXPc                | EXPe  | Any         | 36002 to 59999 * | UDP                | 192.0.2.2 | 36000 *
RTCP Assent           | EXPc                | EXPe  | Any         | 36002 to 59999 * | UDP                | 192.0.2.2 | 36001 *

SIP traversal calls
SIP TCP/TLS           | EXPc                | EXPe  | 10.0.0.2    | 25000 to 29999   | TCP                | 192.0.2.2 | Traversal zone ports, e.g. 7001
RTP Assent            | EXPc                | EXPe  | 10.0.0.2    | 36002 to 59999 * | UDP                | 192.0.2.2 | 36000 *
RTCP Assent           | EXPc                | EXPe  | 10.0.0.2    | 36002 to 59999 * | UDP                | 192.0.2.2 | 36001 *
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by
default – are always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot
configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in
the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the Expressway-E (Configuration > Traversal > Ports). If you choose
not to configure a particular pair of ports (Use configured demultiplexing ports = No), then the
Expressway-E will listen on the first pair of ports in the media traversal port range (36000 and 36001 by
default).
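The footnote above is where firewall rules most often go wrong: the Expressway-E's demultiplexing listening ports differ between Large and Small/Medium systems, and on Small/Medium they move when a pair is explicitly configured. The following Python script is an added example, not code from the Cisco guide; it derives the outbound RTP/RTCP rules for the EXPc > EXPe leg from the configured media traversal range and system size, and checks a candidate flow against them so an administrator can confirm the firewall rule matches the Expressway configuration before a call fails. The addresses 10.0.0.2 and 192.0.2.2 are the documentation addresses from the table; the assumption that the Expressway-C draws its source ports from the remainder of the media range (36002 to 59999 in the table's default case) is marked in the code.

```python
"""Derive DMZ firewall media rules from the Expressway traversal port settings.

Added example (not from the Cisco guide). Applies the footnote rules:
  - Large systems: the first 6 pairs (12 ports) of the media range are always
    the multiplexed RTP/RTCP listening ports and cannot be changed.
  - Small/Medium systems: the explicitly configured pair is used when
    'Use configured demultiplexing ports' = Yes, otherwise the first pair.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    purpose: str
    src_ip: str                   # "Any" or a single address
    src_ports: Tuple[int, int]    # inclusive range
    proto: str                    # "TCP" or "UDP"
    dst_ip: str
    dst_ports: Tuple[int, ...]    # explicit listening ports


def demux_ports(media_range: Tuple[int, int], size: str,
                configured_pair: Optional[Tuple[int, int]] = None) -> Tuple[int, ...]:
    """Ports on which the Expressway-E listens for multiplexed RTP/RTCP."""
    low, _high = media_range
    if size == "large":
        # Always the first 6 pairs of the media range; not configurable.
        return tuple(range(low, low + 12))
    if configured_pair is not None:
        # Small/Medium with Use configured demultiplexing ports = Yes.
        return tuple(configured_pair)
    # Small/Medium with Use configured demultiplexing ports = No.
    return (low, low + 1)


def media_rules(media_range: Tuple[int, int] = (36000, 59999), size: str = "small",
                configured_pair: Optional[Tuple[int, int]] = None,
                expc_ip: str = "10.0.0.2", expe_ip: str = "192.0.2.2") -> List[Rule]:
    """Outbound RTP and RTCP rules for SIP traversal calls (EXPc > EXPe)."""
    listen = demux_ports(media_range, size, configured_pair)
    # Even offset from the first listening port = RTP, odd offset = RTCP.
    rtp = tuple(p for p in listen if (p - listen[0]) % 2 == 0)
    rtcp = tuple(p for p in listen if (p - listen[0]) % 2 == 1)
    # Assumption (not stated explicitly by the guide): the Expressway-C uses the
    # rest of the media range as source ports, so when the listening ports sit
    # at the start of the range they are excluded from the source range.
    if listen[0] == media_range[0]:
        src_range = (listen[-1] + 1, media_range[1])
    else:
        src_range = media_range
    return [
        Rule("RTP Assent", expc_ip, src_range, "UDP", expe_ip, rtp),
        Rule("RTCP Assent", expc_ip, src_range, "UDP", expe_ip, rtcp),
    ]


def permitted(rules: List[Rule], src_ip: str, sport: int, proto: str,
              dst_ip: str, dport: int) -> bool:
    """True if some rule in the list allows this flow."""
    for r in rules:
        if r.proto != proto or r.dst_ip != dst_ip or dport not in r.dst_ports:
            continue
        if r.src_ip not in ("Any", src_ip):
            continue
        if r.src_ports[0] <= sport <= r.src_ports[1]:
            return True
    return False


if __name__ == "__main__":
    for size in ("small", "large"):
        print(f"--- {size} system, default range 36000 to 59999 ---")
        for r in media_rules(size=size):
            print(f"{r.purpose:12} {r.src_ip} sport {r.src_ports[0]}-{r.src_ports[1]} "
                  f"{r.proto} -> {r.dst_ip} dport {r.dst_ports}")
```

Running the script prints the rule set for both system sizes; `permitted()` is the check to apply to a flow seen in the firewall log when a traversal call has one-way or no media, which is the symptom when the rule's destination port is not the port the Expressway-E actually listens on.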
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2) Page 42 of 57