Cisco Expressway
This deployment consists of:
■ a single subnet DMZ – 10.0.10.0/24, containing:
  — the internal interface of firewall A – 10.0.10.1
  — the external interface of firewall B – 10.0.10.2
  — the LAN1 interface of the Expressway-E – 10.0.10.3
■ a LAN subnet – 10.0.30.0/24, containing:
  — the internal interface of firewall B – 10.0.30.1
  — the LAN1 interface of the Expressway-C – 10.0.30.2
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1 address of the
Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a static NAT address of
64.100.0.10.
__________________________________________________________________
Note:
You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer address on the
Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the Expressway-E requests that
incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
This also means that the external firewall must allow traffic from the Expressway-C to the Expressway-E's external
FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
__________________________________________________________________
So, in this example, firewall A must allow NAT reflection of traffic coming from the Expressway-C that is destined for the
external address, that is 64.100.0.10, of the Expressway-E. The traversal zone on the Expressway-C must have
64.100.0.10 as the peer address.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Whether or not static routes are needed in
this scenario depends on the capabilities and settings of FW A and FW B. Expressway-C to Expressway-E
communications will be to the 64.100.0.10 address of the Expressway-E; the return traffic from the Expressway-E to
Expressway-C might have to go via the default gateway. If a static route is added to the Expressway-E so that reply traffic
goes from the Expressway-E and directly through FW B to the 10.0.30.0/24 subnet, this will mean that asymmetric routing
will occur and this may or may not work, depending on the firewall capabilities.
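To make the NAT-reflection requirement and the asymmetric-routing caveat above concrete, here is an added example (not from the guide or from Cisco) that models this deployment: firewall A's 1:1 static NAT and the Expressway-E's routing table, with the addresses from the text. The function and variable names, and the assumption that firewall A is the only path carrying the Expressway-C's request into the DMZ, are mine.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses from the deployment described in the guide.
PUBLIC_NAT_IP = "64.100.0.10"       # static NAT address on firewall A
EXPRESSWAY_E_LAN1 = "10.0.10.3"     # private address behind that NAT
EXPRESSWAY_C_LAN1 = "10.0.30.2"
FW_A_DMZ = "10.0.10.1"              # Expressway-E default gateway
FW_B_DMZ = "10.0.10.2"              # direct path towards 10.0.30.0/24

# Constructed routing-table entries for the Expressway-E: (prefix, next hop).
DEFAULT_ROUTE_ONLY: List[Tuple[str, str]] = [("0.0.0.0/0", FW_A_DMZ)]
WITH_STATIC_ROUTE: List[Tuple[str, str]] = DEFAULT_ROUTE_ONLY + [
    ("10.0.30.0/24", FW_B_DMZ),
]


def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup over (prefix, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reflect_nat(dst: str, nat: Dict[str, str], reflection_enabled: bool) -> Optional[str]:
    """Firewall A receiving traffic for its own public address from the inside.
    With NAT reflection it rewrites 64.100.0.10 to the private host; without
    it the 1:1 NAT only applies to traffic from the outside and the packet is
    effectively lost (modelled as None)."""
    return nat.get(dst) if reflection_enabled else None


def check_traversal_path(e_routes: List[Tuple[str, str]], fw_a_reflects: bool) -> dict:
    """Evaluate the Expressway-C -> Expressway-E traversal flow and its reply."""
    nat = {PUBLIC_NAT_IP: EXPRESSWAY_E_LAN1}
    # Forward leg: Expressway-C sends to the peer address 64.100.0.10 (assumption:
    # firewall B hands it to firewall A), so it enters the DMZ via firewall A.
    inbound_via = FW_A_DMZ
    reaches = reflect_nat(PUBLIC_NAT_IP, nat, fw_a_reflects) == EXPRESSWAY_E_LAN1
    # Return leg: whatever the Expressway-E routing table picks for 10.0.30.2.
    reply_via = next_hop(e_routes, EXPRESSWAY_C_LAN1)
    return {
        "forward_reaches_expressway_e": reaches,
        "reply_next_hop": reply_via,
        "asymmetric": reaches and reply_via != inbound_via,   # stateful firewalls may drop
    }
```

Run `check_traversal_path(WITH_STATIC_ROUTE, True)` to see the static-route case flagged as asymmetric, and `check_traversal_path(DEFAULT_ROUTE_ONLY, False)` to see the forward leg fail when firewall A cannot reflect the NAT.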
3-port Firewall DMZ Using Single Expressway-E LAN Interface
In this deployment, a 3-port firewall is used to create
■ a DMZ subnet (10.0.10.0/24), containing:
  — the DMZ interface of firewall A – 10.0.10.1
  — the LAN1 interface of the Expressway-E – 10.0.10.2
Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide