Cisco Cisco Expressway
■
a LAN subnet (10.0.30.0/24), containing
—
the LAN interface of firewall A - 10.0.30.1
—
the LAN1 interface of the Expressway-C – 10.0.30.2
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1 address of the
Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a static NAT address of
64.100.0.10.
Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a static NAT address of
64.100.0.10.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Since this gateway must be used for all
traffic leaving the Expressway-E, no static routes are needed in this type of deployment.
traffic leaving the Expressway-E, no static routes are needed in this type of deployment.
__________________________________________________________________
Note:
The traversal client zone on the Expressway-C needs to be configured with a peer address which matches the
static NAT address of the Expressway-E, in this case 64.100.0.10, for the same reasons as described in
.
This means that firewall A must allow traffic from the Expressway-C with a destination address of 64.100.0.10. This is
also known as NAT reflection, and it should be noted that this is not supported by all types of firewalls.
also known as NAT reflection, and it should be noted that this is not supported by all types of firewalls.
__________________________________________________________________
Why We Advise Against Using These Types of Deployment
For deployments that use only one NIC on the Expressway-E, but also require static NAT for the public address, the
media must "hairpin" or reflect on the external firewall whenever media is handled by the Expressway-E's back to back
user agent (B2BUA).
media must "hairpin" or reflect on the external firewall whenever media is handled by the Expressway-E's back to back
user agent (B2BUA).
For all calls coming in on a Unified Communications Traversal Server zone, or another zone where SIP Media
encryption mode is not
encryption mode is not
Auto, the Expressway-E's B2BUA could be engaged to decrypt or encrypt the media packets. In
these deployments, the B2BUA sees the public IP address of the Expressway-E instead of its private IP address, so the
media stream must go through the network address translator to get to the private IP address.
media stream must go through the network address translator to get to the private IP address.
■
Not all firewalls will allow this reflection, and it is considered by some to be a security risk.
■
Each call where the B2BUA is engaged will consume three times as much bandwidth as it would using the
recommended dual NIC deployment. This could adversely affect call quality.
recommended dual NIC deployment. This could adversely affect call quality.
49
Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide