Basic Networking - Expressway
| Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports |
|---|---|---|---|---|---|
| Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-C | 22 or 5022¹ |
| Administrator HTTP* | Admin PCs | 1024-65535 | TCP | Expressway-C | 80 |
| Administrator HTTPS | Admin PCs | 1024-65535 | TCP | Expressway-C | 443 |
| Name resolution (DNS) | Expressway-C | 30000-35999 | UDP & TCP | Internal name server | 53 |
| Time synchronization (NTP) | Expressway-C | 123 | UDP | Internal time server | 123 |

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.

Expressway will attempt DNS resolution over TCP if the response is too large.

Note: ¹ Port 22 is configured as the Administrator SSH port on Expressway Appliances. The Expressway Virtual Machine can be deployed on port 22 or 5022 when the VM is deployed.

| Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports |
|---|---|---|---|---|---|
| Administrator SSH | Admin PCs | 1024-65535 | TCP | | 22 or 5022¹ |
| Administrator HTTP* | Admin PCs | 1024-65535 | TCP | Expressway-C | 80 |
| Administrator HTTPS | Admin PCs | 1024-65535 | TCP | Expressway-C | 443 |
| Name resolution (DNS) | Expressway-C | 30000-35999 | UDP & TCP | Internal name server | 53 |
| Time synchronization (NTP) | Expressway-C | 123 | UDP | Internal time server | 123 |

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.

Expressway will attempt DNS resolution over TCP if the response is too large.

Note: ¹ Port 22 is configured as the Administrator SSH port on Expressway Appliances. The Expressway Virtual Machine can be deployed on port 22 or 5022 when the VM is deployed.

| Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports |
|---|---|---|---|---|---|
| Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 22 or 5022¹ |
| Administrator HTTP | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 80 |
| Administrator HTTPS | Admin PCs | 1024-65535 | TLS | Expressway-E private IP | 443 |
| Internal name resolution (DNS)* | Expressway-E private IP | 30000-35999 | UDP & TCP | Internal name server | 53 |
| External name resolution (DNS) | Expressway-E public IP | 30000-35999 | UDP & TCP | External name server | 53 |
| Internal time synchronization (NTP)* | Expressway-E private IP | 123 | UDP | Internal time server | 123 |
| External time synchronization (NTP) | Expressway-E public IP | 123 | UDP | External time server | 123 |

* You may prefer to connect Expressway-E to external DNS and NTP. You do not need both.

Note: ¹ Port 22 is configured as the Administrator SSH port on Expressway Appliances. The Expressway Virtual Machine can be deployed on port 22 or 5022 when the VM is deployed.

Note: Expressway requires a connection to the Smart License server, and the port requirements vary based on the smart license transport setting. The details are listed in the table.

| Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports |
|---|---|---|---|---|---|
| Smart Licensing requests originating from Expressway-E | Expressway-E | Ephemeral (30000-35999) | TLS | https://smartreceiver.cisco.com/licservice/license | 443 |
| Smart License Direct | Expressway | 1024-65535 | TLS | smartreceiver.cisco.com | 443 |
| Smart License on-prem CSSM | Expressway | 1024-65535 | TLS | User configured On-prem CSSM IP/FQDN | 443 |
| Smart License Proxy | Expressway | 1024-65535 | TLS | User configured proxy server IP/FQDN | User configured proxy server port |

You can configure the Simple Mail Transfer Protocol (SMTP) server for implicit or explicit connections. The two connection types differ as follows:
Explicit mode — The client connects to the SMTP server first. Later the server explicitly requests switching on TLS/SSL encryption. The default ports are 25 and 587.
Implicit mode — The client connects to the SMTP server. Soon after establishing the channel, the server switches on TLS/SSL encryption implicitly. The default TCP port is 465.
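
The two SMTP connection types described above, as an added example in Python's standard `smtplib` (this is not Cisco's or Expressway's code). It shows a generic client that refuses to continue in cleartext when the explicit-mode upgrade is not offered; `open_smtp`, `DEFAULT_PORT` and the host `mail.example.invalid` are assumptions made for illustration.

```python
import smtplib
import ssl

# Default ports as listed on this page: explicit 25 or 587, implicit 465.
# Picking 587 for explicit mode is this example's choice.
DEFAULT_PORT = {"explicit": 587, "implicit": 465}


def open_smtp(host, mode, port=None, timeout=10):
    """Return an SMTP session that is already protected by TLS.

    Raises instead of continuing in cleartext when TLS cannot be set up.
    """
    if mode not in DEFAULT_PORT:
        raise ValueError("mode must be 'explicit' or 'implicit'")
    port = port or DEFAULT_PORT[mode]
    ctx = ssl.create_default_context()  # verifies certificate and hostname

    if mode == "implicit":
        # The TLS handshake starts as soon as the TCP connection is up,
        # so no SMTP command is ever sent unencrypted.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)

    # Explicit mode: the session starts in cleartext and is upgraded in-band.
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            # A client that treats TLS as optional would carry on
            # unencrypted here; fail closed instead.
            raise smtplib.SMTPNotSupportedError("server did not offer STARTTLS")
        conn.starttls(context=ctx)
        conn.ehlo()  # re-read capabilities over the encrypted channel
        return conn
    except Exception:
        conn.close()
        raise


if __name__ == "__main__":
    # mail.example.invalid is a placeholder host, not a real server.
    try:
        open_smtp("mail.example.invalid", "explicit", timeout=3).quit()
    except OSError as exc:
        print("connection failed:", exc)
```

On the firewall side, the mode chosen decides which destination port the mail flow needs: 465 for implicit, 25 or 587 for explicit.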