Cisco Expressway
nominate which interface is the External LAN interface, to enable Static NAT mode on selected interfaces and
configure an IPv4 static NAT address for each interface.
When IPv4 static NAT mode is enabled on an interface, the Expressway-E modifies the payload of H.323 and SIP
messages sent out via that interface, so that references to the LAN2 interface address are replaced with the IPv4
static NAT address configured for the interface. As a result, when looking at the payload of SIP and H.323
messages sent out via this interface, it appears as if the LAN2 interface has a public IP address.
It is important to note that the Expressway-E does not modify the layer 3 source address of outgoing H.323 and SIP
packets sent out of this interface; that translation is performed by the NAT router.
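The split of responsibilities described above (application-layer payload rewriting by the Expressway-E, layer 3 header translation by the NAT router) can be illustrated with a small simulation. The following is an added example written for this guide, not Cisco code and not a description of the Expressway-E implementation: the LAN2 and static NAT addresses, the sample INVITE and the Packet model are constructed, and the address substitution is a simplified regex rewrite of the Via, Contact and SDP lines.

```python
import re
from dataclasses import dataclass

LAN2_ADDRESS = "10.0.10.3"           # constructed: Expressway-E LAN2 (DMZ) address
STATIC_NAT_ADDRESS = "203.0.113.10"  # constructed: IPv4 static NAT address for LAN2

# Constructed sample INVITE as it would look before static NAT rewriting:
# every reference to the LAN2 address sits in the SIP headers or the SDP body.
SAMPLE_INVITE = (
    "INVITE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.10.3:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:bob@10.0.10.3:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 1 1 IN IP4 10.0.10.3\r\n"
    "c=IN IP4 10.0.10.3\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


@dataclass
class Packet:
    src_ip: str   # layer 3 source address: left alone by the Expressway-E
    payload: str  # SIP message text: rewritten by the Expressway-E


def apply_static_nat(packet: Packet, lan_ip: str, nat_ip: str) -> Packet:
    """Model of static NAT mode: replace every whole-address occurrence of the
    LAN2 address inside the SIP/SDP payload, but leave the layer 3 header untouched."""
    # Lookarounds stop 10.0.10.3 from matching inside 10.0.10.30 or 110.0.10.3.
    pattern = re.compile(r"(?<![\d.])" + re.escape(lan_ip) + r"(?![\d.])")
    return Packet(src_ip=packet.src_ip, payload=pattern.sub(nat_ip, packet.payload))


def nat_router_translate(packet: Packet, lan_ip: str, nat_ip: str) -> Packet:
    """Model of the NAT router: translate only the layer 3 source address."""
    new_src = nat_ip if packet.src_ip == lan_ip else packet.src_ip
    return Packet(src_ip=new_src, payload=packet.payload)


def addresses_in_payload(payload: str) -> list:
    """Distinct dotted-quad addresses referenced in the SIP message, sorted."""
    return sorted(set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", payload)))


if __name__ == "__main__":
    pkt = Packet(src_ip=LAN2_ADDRESS, payload=SAMPLE_INVITE)
    after_expressway = apply_static_nat(pkt, LAN2_ADDRESS, STATIC_NAT_ADDRESS)
    on_the_wire = nat_router_translate(after_expressway, LAN2_ADDRESS, STATIC_NAT_ADDRESS)
    print("after Expressway-E: src", after_expressway.src_ip,
          "payload refs", addresses_in_payload(after_expressway.payload))
    print("after NAT router:   src", on_the_wire.src_ip,
          "payload refs", addresses_in_payload(on_the_wire.payload))
```

Running the script shows the payload referencing only the public address while the layer 3 source is still the LAN2 address, until the NAT router translates the header; if the static NAT address configured on the Expressway-E does not match what the router actually translates to, the two will disagree, which is the mismatch to look for when calls set up but media fails.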
What About Routers/Firewalls with SIP/H.323 ALG?
Some routers and firewalls have SIP and H.323 ALG capabilities. ALG is also referred to as Fixup, Inspection,
Application Awareness, Stateful Packet Inspection, Deep Packet Inspection and so forth. This means that the
router/firewall is able to identify SIP and H.323 traffic as it passes through and inspect, and in some cases modify, the
payload of the SIP and H.323 messages. The purpose of modifying the payload is to help the H.323 or SIP application
from which the message originated to traverse NAT, i.e. to perform a similar process to what the Expressway-E does.
The challenge with router/firewall-based SIP and H.323 ALGs is that these were originally intended to aid relatively
basic H.323 and SIP applications to traverse NAT, and these applications had, for the most part, very basic
functionality and often only supported audio.
Over the years, many H.323 and SIP implementations have become more complex, supporting multiple video streams
and application sharing (H.239, BFCP), encryption/security features (H.235, DES/AES), firewall traversal (Assent,
H.460) and other extensions of the SIP and H.323 standards.
For a router/firewall to properly perform ALG functions for SIP and H.323 traffic, it is therefore of utmost importance
that the router/firewall understands and properly interprets the full content of the payload it is inspecting. Since H.323
and SIP are standards/recommendations which are in constant development, it is not likely that the router/firewall
will meet these requirements, resulting in unexpected behavior when using H.323 and SIP applications in
combination with such routers/firewalls.
There are also scenarios where the router/firewall normally will not be able to inspect the traffic at all, for example
when using SIP over TLS, where the communication is end-to-end secure and encrypted as it passes through the
router/firewall.
As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable SIP and
H.323 ALGs on routers/firewalls carrying network traffic to or from an Expressway-E, as, when enabled, this is
frequently found to negatively affect the built-in firewall/NAT traversal functionality of the Expressway-E itself. This is
also mentioned in .
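Because an ALG modifies the payload in transit, the practical check for whether one is still active in the path is to compare a SIP message as the Expressway-E sent it with the same message as the far end received it, and list which headers or SDP lines changed between the two. The following is an added example for this guide, not Cisco code and not a feature of the Expressway-E: the two messages are constructed (the received copy has its Contact header and SDP connection line rewritten to a different address, which is the sort of change an ALG makes), and the parser handles only the subset of SIP syntax the sample uses. It assumes no SIP proxy sits between the two capture points, so any difference in Via, Contact or the SDP is attributable to the network path.

```python
# Constructed: the INVITE as sent by the Expressway-E after static NAT rewriting.
SENT = (
    "INVITE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 203.0.113.10:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:bob@203.0.113.10:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 1 1 IN IP4 203.0.113.10\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Constructed: the same INVITE as captured at the far end, after a device in the
# path rewrote the Contact header and the SDP c= line to 198.51.100.7.
RECEIVED = (
    "INVITE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 203.0.113.10:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:bob@198.51.100.7:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 1 1 IN IP4 203.0.113.10\r\n"
    "c=IN IP4 198.51.100.7\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def split_sip(message: str):
    """Split a SIP message into (request line, {header name: [values]}, SDP lines).
    Minimal parser: headers are 'Name: value' lines, the body follows a blank line."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = [line for line in body.split("\r\n") if line]
    return request_line, headers, sdp


def payload_changes(sent: str, received: str) -> list:
    """Return (where, sent value, received value) for every part of the SIP
    message that differs between the sending and receiving capture."""
    s_req, s_hdr, s_sdp = split_sip(sent)
    r_req, r_hdr, r_sdp = split_sip(received)
    changes = []
    if s_req != r_req:
        changes.append(("request-line", s_req, r_req))
    for name in sorted(set(s_hdr) | set(r_hdr)):
        if s_hdr.get(name) != r_hdr.get(name):
            changes.append((name, s_hdr.get(name), r_hdr.get(name)))
    for s_line, r_line in zip(s_sdp, r_sdp):
        if s_line != r_line:
            changes.append(("sdp", s_line, r_line))
    if len(s_sdp) != len(r_sdp):
        changes.append(("sdp-length", len(s_sdp), len(r_sdp)))
    return changes


def alg_suspected(sent: str, received: str) -> bool:
    """True when the parts an ALG typically rewrites (Via, Contact, SDP) differ.
    Assumption: no SIP proxy between the two capture points."""
    return any(where in ("via", "contact", "sdp")
               for where, _, _ in payload_changes(sent, received))


if __name__ == "__main__":
    for where, before, after in payload_changes(SENT, RECEIVED):
        print(f"{where}: sent {before!r} -> received {after!r}")
    print("ALG suspected:", alg_suspected(SENT, RECEIVED))
```

In a real deployment the two inputs would come from a capture on the Expressway-E's external interface and a capture at the far end; an empty change list confirms the path is not touching the payload, while changes confined to Contact and the SDP c= line are the classic signature of a SIP ALG that the recommendation above says to disable.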
Other Deployment Examples
Note: Using the Expressway-E as shown in these examples could have a serious impact on your network bandwidth,
. Read .
Single Subnet DMZ Using Single Expressway-E LAN Interface and Static NAT
In this case, FW A can route traffic to FW B (and vice versa). Expressway-E allows video traffic to be passed through
FW B without pinholing FW B from outside to inside. Expressway-E also handles firewall traversal on its public side.
62
Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide
Appendix 4: Advanced Network Deployments