Cisco Cisco Expressway
The xCommand RouteAdd command and syntax is described in full detail in Expressway Administrator
Guide.
Guide.
Example deployments
The following section contains additional reference designs which depict other possible deployment
scenarios.
scenarios.
Single subnet DMZ using single Expressway-E LAN interface
In this case, FW A can route traffic to FW B (and vice versa). Expressway-E allows video traffic to be
passed through FW B without pinholing FW B from outside to inside. Expressway-E also handles firewall
traversal on its public side.
passed through FW B without pinholing FW B from outside to inside. Expressway-E also handles firewall
traversal on its public side.
This deployment consists of:
n
a single subnet DMZ – 10.0.10.0/24, containing:
l
the internal interface of firewall A – 10.0.10.1
l
the external interface of firewall B – 10.0.10.2
l
the LAN1 interface of the Expressway-E – 10.0.10.3
n
a LAN subnet – 10.0.30.0/24, containing:
l
the internal interface of firewall B – 10.0.30.1
l
the LAN1 interface of the Expressway-C – 10.0.30.2
l
the network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of theExpressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a
static NAT address of 64.100.0.10.
address of theExpressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a
static NAT address of 64.100.0.10.
Note:
You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer address
on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the
Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN, rather
than its private name.
on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the
Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN, rather
than its private name.
This also means that the external firewall must allow traffic from the Expressway-C to the
Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by all
types of firewalls.
Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by all
types of firewalls.
So, in this example, firewall A must allow NAT reflection of traffic coming from the Expressway-C that is
destined for the external address, that is 64.100.0.10, of the Expressway-E. The traversal zone on the
Expressway-C must have 64.100.0.10 as the peer address.
destined for the external address, that is 64.100.0.10, of the Expressway-E. The traversal zone on the
Expressway-C must have 64.100.0.10 as the peer address.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Whether or not static routes are
needed in this scenario depends on the capabilities and settings of FW A and FW B. Expressway-C to
needed in this scenario depends on the capabilities and settings of FW A and FW B. Expressway-C to
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2)
Page 53 of 57
Appendix 4: Advanced network deployments