Meddane

In a Cisco Expressway Series single NIC deployment, the Cisco Expressway Core must be configured to point to the Fully Qualified Domain Name (FQDN) of the Cisco Expressway Edge, and this FQDN must resolve to the public IP of the Cisco Expressway Edge rather than its private IP. This is one of the challenges of this type of deployment: in Static NAT mode, the Cisco Expressway Edge expects inbound signaling and media packets (whether from the internet or from the inside zone) to be sent to its public IP rather than its private IP. Since the edge firewall performs Layer 3 static NAT from the internet zone to the DMZ zone for the Cisco Expressway Edge server, it must also allow traffic from the Cisco Expressway Core (inside zone) to the public IP of the Cisco Expressway Edge (DMZ zone). This is known as NAT reflection.

A static one-to-one NAT must be configured, translating the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below is a destination NAT rule that translates the public IP 41.1.1.60 to the private IP 10.1.6.60.

[Screenshots: the destination NAT rule translating 41.1.1.60 to 10.1.6.60]

Packets coming from Cisco Expressway-C that traverse the Cisco Secure Firewall destined to Cisco Expressway-E's public IP address 41.1.1.60 undergo the following transformation through the NAT reflection rule:

Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).

The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.

When the Cisco Expressway-C packets arrive at the Cisco Expressway-E, they carry the following source and destination IP addresses: Source IP 10.1.5.60, Destination IP 10.1.6.60.

NAT reflection on Cisco Secure Firewall is configured with Manual NAT Rule.

The Manual NAT Rule configured below has the following:

  • The original source IP: 10.1.5.60 (Expressway-C)
  • The original destination IP: 41.1.1.60 (Expressway-E)
  • The translated source IP: None
  • The translated destination IP: 10.1.6.60

[Screenshot: the Manual NAT rule]

Below is the corresponding Manual NAT command pushed to the Cisco Secure Firewall:

[Screenshot: the Manual NAT command pushed to the firewall]
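The same Manual NAT rule written out as ASA-style CLI, as an added example rather than the command shown in the screenshot. Interface names (inside, dmz, outside) and object names (obj-*) are assumptions; the IP addresses and port are those from this post.

```cisco
! Added example (not the post's own command): ASA-style twice NAT for the
! Expressway-C -> Expressway-E public IP flow (NAT reflection).
! Interface and object names are assumptions; IPs come from the post.
object network obj-expc
 description Cisco Expressway-C (inside zone)
 host 10.1.5.60
object network obj-expe-private
 description Cisco Expressway-E private IP (DMZ zone)
 host 10.1.6.60
 ! Static one-to-one NAT internet -> DMZ: 41.1.1.60 <-> 10.1.6.60
 nat (dmz,outside) static 41.1.1.60
object network obj-expe-public
 description Cisco Expressway-E public IP
 host 41.1.1.60
!
! NAT reflection rule: original source 10.1.5.60 stays unchanged
! (identity, "translated source: None"), original destination 41.1.1.60
! is rewritten to 10.1.6.60. Manual NAT is evaluated before object NAT,
! so this rule matches first for the inside -> dmz flow.
nat (inside,dmz) source static obj-expc obj-expc destination static obj-expe-public obj-expe-private
!
! Verification (run from the firewall CLI):
!  packet-tracer input inside tcp 10.1.5.60 40000 41.1.1.60 7001
!    -> the NAT phase should show 41.1.1.60 translated to 10.1.6.60, result ALLOW
!  show nat detail
!  show conn address 10.1.6.60 port 7001
```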

Verify on the Cisco Expressway-Core that the traversal connection is active.

[Screenshot: Expressway-Core traversal connection status]

Verify on the Cisco Expressway-Edge that the traversal connection is active.

[Screenshot: Expressway-Edge traversal connection status]

The connection table of the firewall displays an entry for the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge with destination port 7001. This connection is initiated by Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.

[Screenshot: firewall connection table entry for the traversal connection on port 7001]
