Manual

Inbound (DMZ > Internal network)
Because Expressway-C to Expressway-E communications are always initiated from the Expressway-C to the
Expressway-E (the Expressway-E only sends messages in response to the Expressway-C's messages), no ports
need to be opened from the DMZ to the internal network for call handling.
However, if the Expressway-E needs to communicate with local services, such as a Syslog server, some of
the following NAT configurations may be required:
| Purpose | Source | Destination | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| Logging | EXPe | Syslog server | 192.0.2.2 | 30000 to 35999 | UDP | 10.0.0.13 | 514 |
| Management | EXPe | Cisco TMS server | 192.0.2.2 | >=1024 | TCP | 10.0.0.14 | 80 / 443 |
| LDAP (for log in, if required) | EXPe | LDAP server | 192.0.2.2 | 30000 to 35999 | TCP | | 389 / 636 |
| NTP (time sync) | EXPe | Local NTP server | 192.0.2.2 | 123 | UDP | | 123 |
| DNS | EXPe | Local DNS server | 192.0.2.2 | >=1024 | UDP | | 53 |
Traffic destined for logging or management server addresses (using specific destination ports) must be
routed to the internal network.
External firewall configuration requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by
the firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall; if
enabled, it will adversely interfere with Expressway functionality.
Inbound (Internet > DMZ)
| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| **H.323 calls using Assent** | | | | | | | |
| Q.931/H.225 and H.245 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 2776 |
| RTP Assent | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36000 |
| RTCP Assent | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36001 |
| **H.323 endpoints with public IP addresses** | | | | | | | |
| Q.931/H.225 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 1720 |
| H.245 | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 15000 to 19999 |
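The two tables above (DMZ > Internal and Internet > DMZ) are easy to mistype when turned into firewall rules, particularly the source-port ranges (30000 to 35999, >=1024) that distinguish legitimate Expressway-E traffic from anything else on the same destination port. The following is an added example, not Cisco's code or any part of the deployment guide: it encodes both tables as data, renders each row as an iptables rule, and evaluates sample flows against the resulting policy so the ranges can be checked offline before they reach a firewall. The chain names `DMZ_TO_INTERNAL` and `INTERNET_TO_DMZ` and the external address 203.0.113.9 used in the checks are assumptions; the IP addresses and ports are taken from the tables.

```python
"""Model of the Expressway-E NAT/firewall tables as a default-deny rule set.

Constructed example (not Cisco's code). Blank "Dest. IP" cells in the
tables are modelled as "any destination"; ">=1024" as 1024-65535.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
EPHEMERAL: PortRange = (1024, 65535)   # the tables' ">=1024"
EXPE_IP = "192.0.2.2"                  # Expressway-E address from the tables


@dataclass(frozen=True)
class Rule:
    purpose: str
    chain: str                 # "DMZ_TO_INTERNAL" or "INTERNET_TO_DMZ" (assumed chain names)
    proto: str                 # "tcp" or "udp"
    src_ip: Optional[str]      # None means "Any"
    src_ports: PortRange
    dst_ip: Optional[str]      # None where the table leaves the cell blank
    dst_ports: PortRange


# Rows copied from the two tables; "80 / 443" and "389 / 636" become one rule per port.
RULES: List[Rule] = [
    Rule("Logging (syslog)", "DMZ_TO_INTERNAL", "udp", EXPE_IP, (30000, 35999), "10.0.0.13", (514, 514)),
    Rule("Management (TMS HTTP)", "DMZ_TO_INTERNAL", "tcp", EXPE_IP, EPHEMERAL, "10.0.0.14", (80, 80)),
    Rule("Management (TMS HTTPS)", "DMZ_TO_INTERNAL", "tcp", EXPE_IP, EPHEMERAL, "10.0.0.14", (443, 443)),
    Rule("LDAP", "DMZ_TO_INTERNAL", "tcp", EXPE_IP, (30000, 35999), None, (389, 389)),
    Rule("LDAPS", "DMZ_TO_INTERNAL", "tcp", EXPE_IP, (30000, 35999), None, (636, 636)),
    Rule("NTP", "DMZ_TO_INTERNAL", "udp", EXPE_IP, (123, 123), None, (123, 123)),
    Rule("DNS", "DMZ_TO_INTERNAL", "udp", EXPE_IP, EPHEMERAL, None, (53, 53)),
    Rule("H.323 Assent Q.931/H.225 and H.245", "INTERNET_TO_DMZ", "tcp", None, EPHEMERAL, EXPE_IP, (2776, 2776)),
    Rule("H.323 Assent RTP", "INTERNET_TO_DMZ", "udp", None, EPHEMERAL, EXPE_IP, (36000, 36000)),
    Rule("H.323 Assent RTCP", "INTERNET_TO_DMZ", "udp", None, EPHEMERAL, EXPE_IP, (36001, 36001)),
    Rule("H.323 public Q.931/H.225", "INTERNET_TO_DMZ", "tcp", None, EPHEMERAL, EXPE_IP, (1720, 1720)),
    Rule("H.323 public H.245", "INTERNET_TO_DMZ", "tcp", None, EPHEMERAL, EXPE_IP, (15000, 19999)),
]


def _fmt_ports(r: PortRange) -> str:
    """iptables port syntax: a single port, or low:high for a range."""
    return str(r[0]) if r[0] == r[1] else f"{r[0]}:{r[1]}"


def to_iptables(rule: Rule) -> str:
    """Render one table row as an iptables ACCEPT rule on the assumed chain."""
    parts = ["iptables", "-A", rule.chain, "-p", rule.proto]
    if rule.src_ip:
        parts += ["-s", rule.src_ip]
    if rule.dst_ip:
        parts += ["-d", rule.dst_ip]
    parts += ["--sport", _fmt_ports(rule.src_ports),
              "--dport", _fmt_ports(rule.dst_ports), "-j", "ACCEPT"]
    return " ".join(parts) + f"  # {rule.purpose}"


def match(chain: str, proto: str, src_ip: str, sport: int,
          dst_ip: str, dport: int) -> Optional[str]:
    """Return the purpose of the first rule permitting the flow, or None (default deny)."""
    for r in RULES:
        if r.chain != chain or r.proto != proto:
            continue
        if r.src_ip is not None and r.src_ip != src_ip:
            continue
        if r.dst_ip is not None and r.dst_ip != dst_ip:
            continue
        if not (r.src_ports[0] <= sport <= r.src_ports[1]):
            continue
        if not (r.dst_ports[0] <= dport <= r.dst_ports[1]):
            continue
        return r.purpose
    return None


if __name__ == "__main__":
    for rule in RULES:
        print(to_iptables(rule))
    # Syslog from the Expressway-E's 30000-35999 range is allowed; from 40000 it is not.
    print(match("DMZ_TO_INTERNAL", "udp", EXPE_IP, 30500, "10.0.0.13", 514))
    print(match("DMZ_TO_INTERNAL", "udp", EXPE_IP, 40000, "10.0.0.13", 514))
```

Running the script prints one ACCEPT rule per table row and then checks two syslog flows; only the one whose source port falls inside 30000 to 35999 matches. The model covers only the static permits in the tables: return traffic is expected to be handled by the firewall's connection tracking, and the separate requirement to disable SIP/H.323 ALG or "fixup" on the NAT firewall is a device setting, not something these rules express.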
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2) Page 43 of 57
Appendix 3: Firewall and NAT settings