Manual
Table Of Contents
- Preface
- Introduction
- Process Summary
- Prerequisites
- Run the Service Setup Wizard
- VCS System Configuration
- Routing Configuration
- Pre-search Transforms
- Search Rules
- Task 8: Configuring Transforms
- Task 9: Configuring Local Zone Search Rules
- Task 10: Configuring the Traversal Zone
- Neighboring Between VCS Clusters
- Task 11: Configuring Traversal Zone Search Rules
- Task 12: Configuring the DNS Zone
- Task 13: Configuring DNS Zone Search Rules
- Task 14: Configuring External (Unknown) IP Address Routing
- Endpoint Registration
- System Checks
- Maintenance Routine
- Optional Configuration Tasks
- Appendix 1: Configuration Details
- Appendix 2: DNS Records
- Appendix 3: Firewall and NAT Settings
- Appendix 4: Advanced Network Deployments
- Obtaining Documentation and Submitting a Service Request
- Cisco Legal Information
- Cisco Trademark
As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable SIP and
H.323 ALGs on routers/firewalls carrying network traffic to or from a VCS Expressway, as, when enabled this is
frequently found to negatively affect the built-in firewall/NAT traversal functionality of the VCS Expressway itself.
This is also mentioned in Appendix 3: Firewall and NAT Settings, page 59.
Other Deployment Examples
Note: Using the VCS Expressway as shown in these examples could have a serious impact on your network
bandwidth, and may contravene your security policy. We strongly recommend that you use the Recommended: Dual
NIC Static NAT Deployment, page 63. Read Why We Advise Against Using These Types of Deployment, page 72.
Single Subnet DMZ Using Single VCS Expressway LAN Interface and Static NAT
In this case, FW A can route traffic to FW B (and vice versa). VCS Expressway allows video traffic to be passed
through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall traversal on its
public side.
Figure 14 Single Subnet DMZ - Single LAN Interface and Static NAT
This deployment consists of the following elements:
■ Single subnet DMZ (10.0.10.0/24) with the following interfaces:
— Internal interface of firewall A – 10.0.10.1
— External interface of firewall B – 10.0.10.2
— LAN1 interface of VCS Expressway – 10.0.10.3
■ LAN subnet (10.0.30.0/24) with the following interfaces:
— Internal interface of firewall B – 10.0.30.1
— LAN1 interface of VCS Control – 10.0.30.2
— Network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1 address of
the VCS Expressway. Static NAT mode is enabled for LAN1 on the VCS Expressway, with a static NAT address of
64.100.0.10.
__________________________________________________________________
Note:
You must enter the FQDN of the VCS Expressway, as it is seen from outside the network, as the peer address on the
VCS Control's secure traversal zone. The reason for this is that in static NATmode, the VCS Expressway requests
that incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
This also means that the external firewall must allow traffic from the VCS Control to the VCS Expressway's
external FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
__________________________________________________________________
70
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
Appendix 4: Advanced Network Deployments