Cisco supports Network Address Translation (NAT) traversal with this product for virtual machine IP addresses and for the virtual IP addresses (Public and Private VIPs) that are used in your system.
The following schematic diagram illustrates a typical NAT traversal for a 50-user system without High Availability (HA). By using NAT, you can reduce the number of public IP addresses required for the product to just one IP address, instead of two (or three if you deploy HA). You can also use similar NAT deployments as long as they meet the overall system requirements.
Important:
The use of multiple NATs and firewalls tends to increase latency, affecting the quality of real-time traffic for users.
Also, when using multiple NAT domains, routing between these various NAT domains can be challenging. You can use NAT-ed IP addresses as long as the following requirements are met:
- All the virtual machines in the system can use NAT-ed IP addresses, with the exception of the Internet Reverse Proxy virtual machine. NAT between the Administration virtual machine and the Internet Reverse Proxy virtual machine is not supported. The IP address of the Internet Reverse Proxy virtual machine (its real IP address) must be reachable by the Administration virtual machine through the internal network.
- The public VIP address itself does not need to be publicly visible, but it must be translatable from the Internet.
- When deploying public access, the WebEx site URL must be mapped to an Internet-visible IP address. This Internet-visible IP address must be accessible by external users and also map to the public VIP address you configure during the system deployment.
You can choose to make the public VIP address visible from the Internet. If you choose not to make it publicly visible, then it must be translatable from the Internet.
In the diagram, an external user accesses the WebEx site to join or host a meeting. Following a DNS lookup, the IP address for the WebEx site is the NAT public IP address (Eth0). This NAT public IP address is for the external NAT firewall router (Firewall and NAT router 1), between the external network and the DMZ network.
The firewall router receives this request from the external user, and internally routes the request to the NAT private IP address for the router (Eth1, exposed to the DMZ network). Eth1 then sends the request to the public VIP address (also a NAT IP address in the private networking segment for the WebEx site).
You can use NAT IP addresses for the public VIP address, and the Internet Reverse Proxy IP addresses. The only NAT public IP address is the Eth0 IP address for the NAT firewall router.
Note:
To ensure this NAT firewall router (between the Internet and DMZ network) routes the incoming packet correctly, set port mapping configuration on the NAT device, or apply other similar mechanisms to ensure the packet is routed correctly to the public VIP address and the Internet Reverse Proxy.
There is usually a second internal NAT firewall router between the DMZ network and the internal network. Similar to the external NAT firewall router, Eth0 is a DMZ NAT private IP address and is an interface to the DMZ network. Eth1 is also a NAT private IP address that is an interface to the internal network.
You can use NAT IP addresses for the private VIP address and the Administration virtual machine IP addresses.
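The NAT requirements listed above can be checked against an address plan before deployment. The following Python sketch is an added example, not Cisco code: the plan fields, function names, and all addresses are assumptions constructed for illustration, and "Internet-visible" is approximated as "not an RFC 1918 private address".

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def follow_dnat(addr, dnat):
    """Apply destination-NAT mappings hop by hop and return the final address."""
    seen = set()
    while addr in dnat:
        if addr in seen:
            raise ValueError(f"NAT loop at {addr}")
        seen.add(addr)
        addr = dnat[addr]
    return addr

def check_plan(plan):
    """Return a list of violated requirements (empty list means the plan passes)."""
    problems = []
    # The WebEx site URL must map to an Internet-visible address.
    if is_rfc1918(plan["site_url_ip"]):
        problems.append("site URL maps to a private address, not Internet-visible")
    # That address must translate, through the NAT devices, to the public VIP.
    try:
        if follow_dnat(plan["site_url_ip"], plan["dnat"]) != plan["public_vip"]:
            problems.append("site URL address does not translate to the public VIP")
    except ValueError as exc:
        problems.append(str(exc))
    # The Administration VM must reach the Internet Reverse Proxy at its real IP.
    if plan["irp_ip_seen_by_admin"] != plan["irp_real_ip"]:
        problems.append("Administration VM reaches the Internet Reverse Proxy via NAT")
    return problems

# Constructed sample plans; every address below is a placeholder.
GOOD = {
    "site_url_ip": "203.0.113.10",            # Eth0 of the external NAT firewall router
    "dnat": {"203.0.113.10": "172.16.1.20"},  # port mapping toward the public VIP
    "public_vip": "172.16.1.20",
    "irp_real_ip": "172.16.1.21",
    "irp_ip_seen_by_admin": "172.16.1.21",
}
BAD = dict(GOOD, site_url_ip="192.168.5.5", irp_ip_seen_by_admin="10.0.0.99")

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_plan(plan) or "OK")
```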
For more information about NAT, see
http://www.cisco.com/c/en/us/tech/ip/ip-addressing-services/tech-tech-notes-list.html.