Cisco Cisco Expressway
Appendix 4: Advanced network deployments
This section discusses network deployments that use static NAT or Dual Network Interface architectures.
Prerequisites
Deploying an Expressway-E behind a NAT mandates the use of the Advanced Networking option key. It
enables the static NATing functionality of the Expressway-E as well as dual network interfaces. Although
certain call scenarios involving an Expressway-E behind NAT could potentially work with the help of
router/firewall-based ALGs, proper functionality cannot be guaranteed; you must use the Expressway to
perform the static NATing on its own interface. More background on this can be found in the
enables the static NATing functionality of the Expressway-E as well as dual network interfaces. Although
certain call scenarios involving an Expressway-E behind NAT could potentially work with the help of
router/firewall-based ALGs, proper functionality cannot be guaranteed; you must use the Expressway to
perform the static NATing on its own interface. More background on this can be found in the
on the Expressway-E.
When deploying an Expressway-E behind a NAT with static NAT configuration in place on the Expressway-
E, it is highly recommended to disable SIP and H.323 ALGs (SIP / H.323 awareness) on routers/firewalls
carrying network traffic to or from the Expressway-E (experience shows that these tend to be unable to
handle video traffic properly).
E, it is highly recommended to disable SIP and H.323 ALGs (SIP / H.323 awareness) on routers/firewalls
carrying network traffic to or from the Expressway-E (experience shows that these tend to be unable to
handle video traffic properly).
Background
When deploying an Expressway-E for business to business communications, or for supporting home
workers and travelling workers, it is usually desirable to deploy the Expressway-E in a NATed DMZ rather
than having the Expressway-E configured with a publicly routable IP address.
workers and travelling workers, it is usually desirable to deploy the Expressway-E in a NATed DMZ rather
than having the Expressway-E configured with a publicly routable IP address.
Network Address Translation (NAT) poses a challenge with SIP and H.323 applications, as with these
protocols, IP addresses and port numbers are not only used in OSI layer 3 and 4 packet headers, but are also
referenced within the packet payload data of H.323 and SIP messages themselves.
protocols, IP addresses and port numbers are not only used in OSI layer 3 and 4 packet headers, but are also
referenced within the packet payload data of H.323 and SIP messages themselves.
This usually breaks SIP/H.323 call signaling and RTP media packet flows, since NAT routers/firewalls will
normally translate the IP addresses and port numbers of the headers, but leave the IP address and port
references within the SIP and H.323 message payloads unchanged.
normally translate the IP addresses and port numbers of the headers, but leave the IP address and port
references within the SIP and H.323 message payloads unchanged.
To provide an example of this, assume you have an Expressway-E deployed behind a NAT router and two
endpoints. The Expressway-E has static NAT disabled on LAN2, but the NAT router is configured with a
static 1:1 NAT, NATing the public address 64.100.0.10 to the Expressway-E LAN2 IP address 10.0.10.2:
endpoints. The Expressway-E has static NAT disabled on LAN2, but the NAT router is configured with a
static 1:1 NAT, NATing the public address 64.100.0.10 to the Expressway-E LAN2 IP address 10.0.10.2:
n
NAT router with local IP address 10.0.10.1 and NAT IP address 64.100.0.10, statically NATed to 10.0.10.2
n
Expressway-E LAN1 (internally-facing interface) with IP address 10.0.20.2
n
Expressway-E LAN2 (externally-facing interface) with IP address 10.0.10.2 (and with static NAT disabled)
n
Expressway-E default gateway set to 10.0.10.1 (inside address of NAT firewall, reachable via LAN2)
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2)
Page 46 of 57
Appendix 4: Advanced network deployments