Cisco Unified Border Element

ASA 8.0.4/8.2.1 and CUBE Configuration to Allow Video Calls to Internet Based Video Endpoints

Document ID: 110942

Updated: Oct 14, 2009



This document provides information on how to utilize the Adaptive Security Appliance (ASA) and the Cisco Unified Border Element (CUBE) to facilitate video calls to Internet based video endpoints.



There are no specific requirements for this document.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

This document addresses utilizing the ASA and the CUBE to facilitate video calls to Internet based video endpoints. Video calls are initiated from video endpoints hanging off the CUBE when the CUBE is deployed on the DMZ interface of the ASA.

Note: This addresses a configuration finding with respect to NAT on the ASA when CUBE is deployed on the DMZ. Testing showed that this situation does not impact networks where the CUBE is deployed on the inside interface of the ASA.

This is the generic network topology which should be referenced throughout this document:


When utilizing video devices from any interface other than the Inside interface and initiating a video session outbound (through the Outside interface), a number of configuration caveats must be observed in order for a video session to function properly from these interfaces.

A condition occurs in which the H.323 engine of ASA 8.0.4 and 8.2.1 uses the configured “Global PAT” address in the “sourceCallSignalAddress” field of the CS Setup packet when a video session is initiated from a “DMZ” interface while an overlapping static NAT is configured from the Inside interface to that DMZ interface. This condition does not affect video sessions initiated from the Inside to the Outside using a host static NAT while the line below is in place.

Static (inside,DMZ) netmask

To further illustrate this issue, the next screenshot indicates that the IP address contained in the “sourceCallSignalAddress” field does not match the sender’s IP address (configured Static NAT for this device). Instead the IP address belongs to the Global PAT address that is configured.

This breaks a video session.


The static NAT translation statement for the device as configured is as follows:

static (dmz,outside) netmask

Where is the network utilized for the DMZ interface. This IP space overlaps with the following:

Static (inside,DMZ) netmask

Overlapping Static NAT does not affect Inside Video Sessions.


This screenshot shows a video session that utilizes the same static NAT translation used in the previous example, which originated from the DMZ interface.

static (dmz,outside) netmask

As indicated in the above screenshot, the sourceCallSignalAddress matches the sender’s IP address and is properly translated by the H.323 engine. The summarized overlapping static NAT statement does not affect video sessions initiated and sourced from the Inside network interface.


To properly initiate video sessions from a DMZ interface, the IP address must either be completely different from the Inside network spaces used (for example, in this case, not part of the address space) or be excluded via the static NAT translations from the Inside to the DMZ.

For example:

static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask 
static (inside,dmz) netmask

These static NAT statements comprise the entire space with the exception of the space.
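The splitting step described above can be computed rather than worked out by hand. The following is an added example, not part of the original Cisco document: the summary `10.0.0.0/8`, the DMZ subnet `10.1.0.0/16`, and the identity form of the `static` lines are constructed assumptions, since the addresses in the original statements are not shown on this page.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the original document).
INSIDE_SUMMARY = "10.0.0.0/8"   # summarized inside->DMZ static range
DMZ_NET = "10.1.0.0/16"         # subnet assigned to the DMZ interface


def overlapping_statics(static_ranges, dmz_net):
    """Return the inside->DMZ static ranges that overlap the DMZ subnet."""
    dmz = ipaddress.ip_network(dmz_net)
    return [r for r in static_ranges if ipaddress.ip_network(r).overlaps(dmz)]


def split_static(inside_summary, dmz_net):
    """Cover inside_summary with CIDR blocks that leave out dmz_net."""
    summary = ipaddress.ip_network(inside_summary)
    dmz = ipaddress.ip_network(dmz_net)
    if not summary.overlaps(dmz):
        return [summary]            # nothing to exclude
    if summary.subnet_of(dmz):
        return []                   # the whole summary lies inside the DMZ range
    return sorted(summary.address_exclude(dmz))


def render(blocks, real_ifc="inside", mapped_ifc="dmz"):
    """Render identity statics in pre-8.3 ASA syntax (identity form is assumed)."""
    return [
        f"static ({real_ifc},{mapped_ifc}) {b.network_address} "
        f"{b.network_address} netmask {b.netmask}"
        for b in blocks
    ]


if __name__ == "__main__":
    print("overlapping:", overlapping_statics([INSIDE_SUMMARY], DMZ_NET))
    for line in render(split_static(INSIDE_SUMMARY, DMZ_NET)):
        print(line)
```

Running `overlapping_statics` over the existing inside-to-DMZ statics before deploying a CUBE on the DMZ flags the summarized statement that needs to be split.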

It is essential, as part of any design where a video proxy device such as the CUBE is placed in a DMZ environment, that overlapping statics be taken into account.

Cisco development test advises that this is not a bug or abnormal behavior for this configuration and that it is by design.


There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.
