Cisco Expressway
be sent to its static NAT address, which means that the traversal client zone has to be configured
accordingly.
This means that firewall A must allow traffic from the Expressway-C with a destination address of
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Whether or not static routes are
needed in this scenario depends on the capabilities and settings of FW A and FW B. Expressway-C to
Expressway-E communications will be to the 64.100.0.10 address of the Expressway-E; the return traffic
from the Expressway-E to Expressway-C might have to go via the default gateway. If a static route is added
to the Expressway-E so that reply traffic goes from the Expressway-E directly through FW B to the
10.0.30.0/24 subnet, the forward traffic enters through FW A while the replies leave through FW B. This is
asymmetric routing, and whether it works depends on the capabilities of the firewalls (a stateful firewall
that sees only one direction of a session may drop it).
The Expressway-E can be added to Cisco TMS with the IP address 10.0.10.3 (or with IP address
64.100.0.10 if FW A allows this), since Cisco TMS management communications are not affected by static
NAT mode settings on the Expressway-E.
3-port firewall DMZ using single Expressway-E LAN interface
In this deployment, a 3-port firewall is used to create:

- a DMZ subnet (10.0.10.0/24), containing:
  - the DMZ interface of firewall A - 10.0.10.1
  - the LAN1 interface of the Expressway-E - 10.0.10.2
- a LAN subnet (10.0.30.0/24), containing:
  - the LAN interface of firewall A - 10.0.30.1
  - the LAN1 interface of the Expressway-C - 10.0.30.2
  - the network interface of Cisco TMS - 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a
static NAT address of 64.100.0.10.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Since firewall A is the only
exit from the DMZ, this gateway is used for all traffic leaving the Expressway-E and no static routes are
needed in this type of deployment.
The traversal client zone on the Expressway-C needs to be configured with a peer address which matches
the static NAT address of the Expressway-E, in this case 64.100.0.10, for the same reasons as those
described in the previous example deployment, "Single subnet DMZ using single Expressway-E LAN
interface".
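The routing behaviour described for both deployments (the two-firewall DMZ with its possible asymmetric routing, and the 3-port firewall DMZ where the default gateway is the only exit) can be checked with a small model of the Expressway-E routing table and the 1:1 NAT on firewall A. This is an added example, not configuration or code from the Cisco guide; the addresses the guide states are used as given, while FW B's DMZ-side interface (10.0.10.254), the Expressway-C's LAN1 address in the two-firewall case (taken to be 10.0.30.2 as in the 3-port case) and the `nat_reflection` switch are assumptions made for the example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology for the two Expressway-E DMZ deployments described above.
# Addresses the guide gives are used as-is; FW B's DMZ-side address is assumed.
IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

EXPRESSWAY_E_STATIC_NAT = IPv4("64.100.0.10")   # public address, 1:1 NAT on firewall A
EXPRESSWAY_C = IPv4("10.0.30.2")                # LAN1 of the Expressway-C (assumed for the two-firewall case)
FW_A_DMZ = IPv4("10.0.10.1")                    # default gateway of the Expressway-E in both deployments
FW_B_DMZ = IPv4("10.0.10.254")                  # assumed: FW B's DMZ-side interface (two-firewall case)
LAN_SUBNET = Net("10.0.30.0/24")
DEFAULT_ROUTE = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    network: Net
    gateway: IPv4


@dataclass(frozen=True)
class PathResult:
    forward_via: IPv4           # firewall through which the Expressway-C's packet arrives
    reply_via: Optional[IPv4]   # gateway the Expressway-E picks for the reply (None = unroutable)

    @property
    def symmetric(self) -> bool:
        return self.reply_via == self.forward_via


def next_hop(routes, dst):
    """Longest-prefix match over the Expressway-E routing table."""
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen).gateway


def fw_a_translate(dst, from_dmz_side, expressway_e_lan1, nat_reflection=True):
    """Static 1:1 NAT on firewall A. Traffic for the public address from the
    Internet side is always translated to the Expressway-E LAN1 address; traffic
    for it arriving on the DMZ side (the Expressway-C's case) is translated only
    if the firewall supports NAT reflection, otherwise it is dropped (None)."""
    if dst != EXPRESSWAY_E_STATIC_NAT:
        return dst
    if from_dmz_side and not nat_reflection:
        return None
    return expressway_e_lan1


def traversal_path(expressway_e_lan1, expressway_e_routes, nat_reflection=True):
    """Forward: Expressway-C -> 64.100.0.10 enters the DMZ via firewall A after NAT.
    Reply: Expressway-E -> Expressway-C follows the Expressway-E's own routes.
    Returns None when firewall A cannot deliver the forward packet at all."""
    delivered = fw_a_translate(EXPRESSWAY_E_STATIC_NAT, True, expressway_e_lan1, nat_reflection)
    if delivered is None:
        return None
    return PathResult(forward_via=FW_A_DMZ, reply_via=next_hop(expressway_e_routes, EXPRESSWAY_C))


def traversal_zone_peer_ok(peer_address, static_nat_mode, expressway_e_lan1):
    """The Expressway-C traversal client zone peer address must be the static NAT
    address when static NAT mode is enabled on the Expressway-E LAN1."""
    expected = EXPRESSWAY_E_STATIC_NAT if static_nat_mode else expressway_e_lan1
    return peer_address == expected


# Two-firewall DMZ (first deployment): Expressway-E LAN1 is 10.0.10.3.
TWO_FW_DEFAULT_ONLY = [Route(DEFAULT_ROUTE, FW_A_DMZ)]
TWO_FW_STATIC_VIA_FW_B = [Route(DEFAULT_ROUTE, FW_A_DMZ), Route(LAN_SUBNET, FW_B_DMZ)]
# 3-port firewall DMZ (second deployment): Expressway-E LAN1 is 10.0.10.2, firewall A is the only exit.
THREE_PORT = [Route(DEFAULT_ROUTE, FW_A_DMZ)]

if __name__ == "__main__":
    cases = [
        ("two-firewall DMZ, default route only", IPv4("10.0.10.3"), TWO_FW_DEFAULT_ONLY),
        ("two-firewall DMZ, static route via FW B", IPv4("10.0.10.3"), TWO_FW_STATIC_VIA_FW_B),
        ("3-port firewall DMZ", IPv4("10.0.10.2"), THREE_PORT),
    ]
    for name, lan1, routes in cases:
        p = traversal_path(lan1, routes)
        state = "symmetric" if p.symmetric else "ASYMMETRIC (firewall dependent)"
        print(f"{name}: forward via {p.forward_via}, reply via {p.reply_via}, {state}")
    print("no NAT reflection on FW A:", traversal_path(IPv4("10.0.10.3"), TWO_FW_DEFAULT_ONLY, nat_reflection=False))
    print("peer 64.100.0.10 ok:", traversal_zone_peer_ok(IPv4("64.100.0.10"), True, IPv4("10.0.10.3")))
    print("peer 10.0.10.3 ok:", traversal_zone_peer_ok(IPv4("10.0.10.3"), True, IPv4("10.0.10.3")))
```

The model makes the two points of the text explicit: a static route for 10.0.30.0/24 via FW B on the Expressway-E sends replies out through a different firewall from the one the forward traffic came in through, and a firewall A without NAT reflection never delivers the Expressway-C's traffic to the Expressway-E in the first place, whatever the routing table says.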
Cisco Expressway Basic Configuration Deployment Guide (X8.2)
Page 53 of 57
Appendix 4: Advanced network deployments