Cisco Expressway
Expressway-E communications will be to the 64.100.0.10 address of the Expressway-E; the return traffic
from the Expressway-E to Expressway-C might have to go via the default gateway. If a static route is added
to the Expressway-E so that reply traffic goes from the Expressway-E and directly through FW B to the
10.0.30.0/24 subnet, this will mean that asymmetric routing will occur and this may or may not work,
depending on the firewall capabilities.
The Expressway-E can be added to Cisco TMS with the IP address 10.0.10.3 (or with IP address
64.100.0.10 if FW A allows this), since Cisco TMS management communications are not affected by static
NAT mode settings on the Expressway-E.
3-port firewall DMZ using single Expressway-E LAN interface
In this deployment, a 3-port firewall is used to create:
- a DMZ subnet (10.0.10.0/24), containing:
  - the DMZ interface of firewall A - 10.0.10.1
  - the LAN1 interface of the Expressway-E - 10.0.10.2
- a LAN subnet (10.0.30.0/24), containing:
  - the LAN interface of firewall A - 10.0.30.1
  - the LAN1 interface of the Expressway-C - 10.0.30.2
  - the network interface of Cisco TMS - 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of the Expressway-E. Static NAT mode has been enabled for LAN1 on the Expressway-E, with a
static NAT address of 64.100.0.10.
The Expressway-E should be configured with a default gateway of 10.0.10.1. Since this gateway must be
used for all traffic leaving the Expressway-E, no static routes are needed in this type of deployment.
The traversal client zone on the Expressway-C needs to be configured with a peer address which matches
the static NAT address of the Expressway-E, in this case 64.100.0.10, for the same reasons as those
described in the previous example deployment, "Single subnet DMZ using single Expressway-E LAN
interface".
This means that firewall A must allow traffic from the Expressway-C with a destination address of
64.100.0.10. This is also known as NAT reflection, and it should be noted that this is not supported
by all types of firewalls.
The Expressway-E can be added to Cisco TMS with the IP address 10.0.10.2 (or with IP address
64.100.0.10 if FW A allows this), since Cisco TMS management communications are not affected by static
NAT mode settings on the Expressway-E.
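
The rules this section states for the 3-port firewall deployment can be checked against an addressing plan before anything is configured. The following is an added example, not part of the Cisco guide; the dictionary layout, key names and finding names are assumptions made for the sketch.

```python
import ipaddress

# Addressing plan of the 3-port firewall example. The dictionary layout and key
# names are assumptions for this sketch, not Expressway or firewall settings.
PLAN = {
    "dmz_subnet": "10.0.10.0/24",
    "fw_dmz_if": "10.0.10.1",
    "lan_subnet": "10.0.30.0/24",
    "exp_e_lan1": "10.0.10.2",
    "exp_e_gateway": "10.0.10.1",
    "exp_e_static_nat": "64.100.0.10",
    "exp_e_static_routes": [],
    "exp_c_lan1": "10.0.30.2",
    "exp_c_peer": "64.100.0.10",
    "fw_static_nat": {"64.100.0.10": "10.0.10.2"},
    "fw_nat_reflection": True,
}


def audit(plan):
    """Return the names of the rules from the text that the plan violates."""
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    lan = ipaddress.ip_network(plan["lan_subnet"])
    findings = []
    # LAN1 of the Expressway-E and its default gateway both live in the DMZ,
    # and the gateway is the DMZ interface of firewall A.
    if ipaddress.ip_address(plan["exp_e_lan1"]) not in dmz:
        findings.append("exp-e-not-in-dmz")
    if plan["exp_e_gateway"] != plan["fw_dmz_if"]:
        findings.append("gateway-not-firewall-a")
    # All traffic leaves through that gateway, so static routes are not needed.
    if plan["exp_e_static_routes"]:
        findings.append("unneeded-static-route")
    # The firewall's 1:1 NAT and the Expressway-E static NAT mode must agree.
    if plan["fw_static_nat"].get(plan["exp_e_static_nat"]) != plan["exp_e_lan1"]:
        findings.append("static-nat-mismatch")
    # The traversal client zone peer must be the static NAT address.
    if plan["exp_c_peer"] != plan["exp_e_static_nat"]:
        findings.append("peer-not-static-nat-address")
    # An Expressway-C on the LAN side reaches 64.100.0.10 only via NAT reflection.
    if ipaddress.ip_address(plan["exp_c_lan1"]) in lan and not plan["fw_nat_reflection"]:
        findings.append("nat-reflection-required")
    return findings


if __name__ == "__main__":
    print(audit(PLAN) or "plan is consistent with the deployment described")
```
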
Cisco Expressway Basic Configuration Deployment Guide (X8.5)
Appendix 4: Advanced network deployments