Cisco Cisco Expressway
n
DMZ subnet 2 – 10.0.20.0/24, containing:
l
the external interface of Firewall B – 10.0.20.1
l
the LAN1 interface of the Expressway-E – 10.0.20.2
n
LAN subnet – 10.0.30.0/24, containing:
l
the internal interface of Firewall B – 10.0.30.1
l
the LAN1 interface of the Expressway-C – 10.0.30.2
l
the network interface of the Cisco TMS server – 10.0.30.3
n
Firewall A is the publicly-facing firewall; it is configured with a NAT IP (public IP) of 64.100.0.10 which is
statically NATed to 10.0.10.2 (the LAN2 interface address of the Expressway-E)
statically NATed to 10.0.10.2 (the LAN2 interface address of the Expressway-E)
n
Firewall B is the internally-facing firewall
n
Expressway-E LAN1 has static NAT mode disabled
n
Expressway-E LAN2 has static NAT mode enabled with Static NAT address 64.100.0.10
n
Expressway-C has a traversal client zone pointing to 10.0.20.2 (LAN1 of the Expressway-E)
n
Cisco TMS has Expressway-E added with IP address 10.0.20.2
With the above deployment, there is no regular routing between the 10.0.20.0/24 and 10.0.10.0/24 subnets.
The Expressway-E bridges these subnets and acts as a proxy for SIP/H.323 signaling and RTP /RTCP
media.
The Expressway-E bridges these subnets and acts as a proxy for SIP/H.323 signaling and RTP /RTCP
media.
Static routes
With a deployment such as that shown in Figure 6, the Expressway-E should be configured with a default
gateway address of 10.0.10.1. This means that all traffic sent out via LAN2 will by default be sent to the IP
address 10.0.10.1.
gateway address of 10.0.10.1. This means that all traffic sent out via LAN2 will by default be sent to the IP
address 10.0.10.1.
If Firewall B is doing NAT for traffic sent from the 10.0.30.0 subnet to the LAN1 interface of the Expressway-
E (for example traversal client traffic from Expressway-C or management traffic from TMS), this means that
this traffic will appear as coming from the external interface of firewall B (10.0.20.1) as it reaches LAN1 of the
Expressway-E. The Expressway-E will therefore be able to reply to this traffic via its LAN1 interface, since
the apparent source of that traffic is located on the same subnet.
E (for example traversal client traffic from Expressway-C or management traffic from TMS), this means that
this traffic will appear as coming from the external interface of firewall B (10.0.20.1) as it reaches LAN1 of the
Expressway-E. The Expressway-E will therefore be able to reply to this traffic via its LAN1 interface, since
the apparent source of that traffic is located on the same subnet.
If firewall B is not doing NAT however, traffic sent from the Expressway-C to LAN1 of the Expressway-E will
appear as coming from 10.0.30.2. If the Expressway does not have a static route added for the 10.0.30.0/24
subnet, it will send replies for this traffic to its default gateway (10.0.10.1) out from LAN2, as it has not been
told that the 10.0.30.0/24 subnet is located behind the 10.0.20.1 firewall. Therefore, a static route needs to be
added, using the xCommand RouteAdd CLI command, which is run from an admin SSH shell on the
Expressway.
appear as coming from 10.0.30.2. If the Expressway does not have a static route added for the 10.0.30.0/24
subnet, it will send replies for this traffic to its default gateway (10.0.10.1) out from LAN2, as it has not been
told that the 10.0.30.0/24 subnet is located behind the 10.0.20.1 firewall. Therefore, a static route needs to be
added, using the xCommand RouteAdd CLI command, which is run from an admin SSH shell on the
Expressway.
In this particular example, we want to tell the Expressway-E that it can reach the 10.0.30.0/24 subnet behind
the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the
following xCommand RouteAdd syntax:
the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the
following xCommand RouteAdd syntax:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1
Interface: LAN1
In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is
only reachable via LAN1.
only reachable via LAN1.
If firewall B is not doing NAT and the Expressway-E needs to communicate with devices in subnets other
than 10.0.30.0 which are also located behind firewall B (for example for communicating with management
stations for HTTPS and SSH management or for reaching network services such as NTP, DNS, LDAP/AD
and syslog servers), static routes will also have to be added for these devices/subnets.
than 10.0.30.0 which are also located behind firewall B (for example for communicating with management
stations for HTTPS and SSH management or for reaching network services such as NTP, DNS, LDAP/AD
and syslog servers), static routes will also have to be added for these devices/subnets.
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2)
Page 52 of 57
Appendix 4: Advanced network deployments