Cisco Expressway
In this particular example, we want to tell the Expressway-E that it can reach the 10.0.30.0/24 subnet behind
the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the
following xCommand RouteAdd syntax:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1
Interface: LAN1
In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is
only reachable via LAN1.
If firewall B is not doing NAT and the Expressway-E needs to communicate with devices in subnets other
than 10.0.30.0 which are also located behind firewall B (for example for communicating with management
stations for HTTPS and SSH management or for reaching network services such as NTP, DNS, LDAP/AD
and syslog servers), static routes will also have to be added for these devices/subnets.
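The following Python sketch is an added example, not part of the Cisco guide: it works out which internal destinations need a static route and prints the matching xCommand RouteAdd lines in the syntax shown above, keeping each route as narrow as the destination list allows. The LAN1 subnet 10.0.20.0/24, the two host addresses, the function name route_commands and the use of PrefixLength 32 for a single device are assumptions made for illustration; the sample is IPv4 only.

```python
import ipaddress

# Constructed sample values. 10.0.20.1 and 10.0.30.0/24 are from the text;
# the LAN1 subnet and the two host addresses are assumptions.
CONNECTED = ["10.0.20.0/24"]          # assumed subnet of the LAN1 interface
SAMPLE_DESTINATIONS = [
    "10.0.30.0/24",   # subnet behind the firewall (from the text)
    "10.0.30.3",      # already inside 10.0.30.0/24, so no extra route
    "10.0.40.10",     # constructed: management station
    "10.0.50.20",     # constructed: syslog server
    "10.0.20.1",      # the gateway itself, directly connected
]

def route_commands(destinations, connected, gateway, interface="LAN1"):
    """Return xCommand RouteAdd lines for every destination that is not on a
    directly connected subnet, using the narrowest prefixes that cover them."""
    gw = ipaddress.ip_address(gateway)
    nets = [ipaddress.ip_network(c) for c in connected]
    # A next hop that is not on a connected subnet can never be reached.
    if not any(gw in n for n in nets):
        raise ValueError(f"gateway {gateway} is not on a connected subnet")
    needed = []
    for dest in destinations:
        # Strict parsing rejects typos such as 10.0.30.5/24 (host bits set);
        # a bare address becomes a host route (prefix length 32).
        net = ipaddress.ip_network(dest)
        if any(net.version == n.version and net.subnet_of(n) for n in nets):
            continue  # directly connected, no static route needed
        needed.append(net)
    # collapse_addresses drops duplicates and prefixes contained in others,
    # and only merges neighbours whose union is exactly the larger prefix,
    # so the result never routes more address space than was asked for.
    return [
        f"xCommand RouteAdd Address: {n.network_address} "
        f"PrefixLength: {n.prefixlen} Gateway: {gateway} Interface: {interface}"
        for n in ipaddress.collapse_addresses(needed)
    ]

if __name__ == "__main__":
    for line in route_commands(SAMPLE_DESTINATIONS, CONNECTED, "10.0.20.1"):
        print(line)
```

Reviewing the generated list before entering it on the Expressway-E shows exactly which internal addresses the DMZ host will be able to route to through the firewall.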
The xCommand RouteAdd command and its syntax are described in full detail in the Expressway Administrator
Guide.
Example deployments
The following section contains additional reference designs which depict other possible deployment
scenarios.
Single subnet DMZ using single Expressway-E LAN interface
In this case, FW A can route traffic to FW B (and vice versa). Expressway-E allows video traffic to be
passed through FW B without pinholing FW B from outside to inside. Expressway-E also handles firewall
traversal on its public side.
This deployment consists of:
- a single subnet DMZ – 10.0.10.0/24, containing:
  - the internal interface of firewall A – 10.0.10.1
  - the external interface of firewall B – 10.0.10.2
  - the LAN1 interface of the Expressway-E – 10.0.10.3
- a LAN subnet – 10.0.30.0/24, containing:
  - the internal interface of firewall B – 10.0.30.1
  - the LAN1 interface of the Expressway-C – 10.0.30.2
  - the network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a
static NAT address of 64.100.0.10.
The traversal client zone on the Expressway-C needs to be configured with a peer address which matches
the static NAT address of the Expressway-E, in this case 64.100.0.10. This is because, since the
Expressway-E has static NAT mode enabled, it will request that incoming signaling and media traffic should
Cisco Expressway Basic Configuration Deployment Guide (X8.2)
Page 52 of 57
Appendix 4: Advanced network deployments