In a Cisco Expressway Series single-NIC deployment, the Cisco Expressway Core must be configured to point to the Fully Qualified Domain Name (FQDN) of the Cisco Expressway Edge, and that FQDN must resolve to the public IP of the Cisco Expressway Edge rather than its private IP. This is one of the challenges of this type of deployment: in Static NAT mode, the Cisco Expressway Edge expects inbound signaling and media packets, whether they come from the internet or from the inside zone, to be sent to its public IP rather than its private IP. Since the edge firewall performs Layer 3 static NAT from the internet zone to the DMZ zone for the Cisco Expressway Edge server, it must also allow traffic from the Cisco Expressway Core (inside zone) to the public IP of the Cisco Expressway Edge (DMZ zone). This is commonly known as NAT reflection (also called hairpin NAT).
On Cisco Secure Firewall this can be done with manual NAT, as shown in the configuration below. The source side is an identity translation of the Expressway Core address, so only the Core's traffic is matched, while the destination is translated from the Edge's public IP to its private IP:
object network private-exp-C
host <IP expressway-C>
!
object network private-exp-E
host <Private IP expressway-E>
!
object network public-exp-E
host <Public IP expressway-E>
!
nat (inside,DMZ) source static private-exp-C private-exp-C destination static public-exp-E private-exp-E
On Palo Alto firewalls, NAT reflection is configured with U-turn NAT.
To configure NAT reflection on a FortiGate firewall in a Cisco Expressway Series single-NIC deployment, a single Virtual IP (VIP) object must be configured for destination NAT, translating the public IP of the Cisco Expressway Edge to its private IP, with the incoming interface set to any.
Then configure two security policy rules: one for external MRA clients to reach the Cisco Expressway Edge, and a second to allow the Cisco Expressway Core to create the traversal connection from inside to DMZ, so that firewall traversal lets external MRA clients traverse the firewall from the untrusted zone and register to the on-premises Cisco Unified CM.
Both security rules use the same VIP as the destination address.
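A FortiGate CLI version of the VIP and the two policies described above, as an added example that is not part of the original article. Interface names (wan1, internal, dmz), object names, the sample IPs and the port lists are assumptions chosen for illustration.

```fortios
# Constructed IPs: 203.0.113.10 = Exp-E public, 10.10.20.10 = Exp-E private (DMZ), 10.10.10.10 = Exp-C.
config firewall address
    edit "EXP-C"
        set subnet 10.10.10.10 255.255.255.255
    next
end
# One VIP with extintf "any" so the same DNAT matches internet and inside sources.
config firewall vip
    edit "VIP-EXP-E"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "10.10.20.10"
    next
end
# Ports are an assumption from Cisco's MRA port guidance; verify for your version.
config firewall service custom
    edit "EXP-E-MRA-IN"
        set tcp-portrange 8443 5061 5222 3478
        set udp-portrange 3478 36000-59999
    next
    edit "EXP-C-TO-E-TRAVERSAL"
        set tcp-portrange 2222 7001 7400
        set udp-portrange 36000-59999
    next
end
config firewall policy
    edit 0
        set name "MRA-Internet-to-Exp-E"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-EXP-E"
        set action accept
        set schedule "always"
        set service "EXP-E-MRA-IN"
        set logtraffic all
    next
    edit 0
        set name "Exp-C-to-Exp-E-Traversal"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "EXP-C"
        set dstaddr "VIP-EXP-E"
        set action accept
        set schedule "always"
        set service "EXP-C-TO-E-TRAVERSAL"
        set logtraffic all
    next
end
```

Neither policy enables source NAT, so the Expressway Edge sees the real Expressway Core address on the traversal connection, and the second policy is restricted to the Core's address rather than the whole inside zone.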