Firewall Traversal for MRA on Cisco Expressway Demystified

meddane
Frequent Contributor

Firewall Traversal With Cisco Expressway: Packet Flow. On firewall ASA-C, a connection entry is added from Inside to DMZ: the source IP is 10.1.5.20 (Cisco Expressway-C) with source port 25006, and the destination IP is 172.16.1.21 (Cisco Expressway-E) with destination port 7001. This means that if an inbound connection with source IP:port = 172.16.1.21:7001 and destination IP:port = 10.1.5.20:25006 is received from DMZ to Inside (from the lower security level to the higher security level), the firewall allows this connection.

The Cisco Expressway-E receives the SIP INVITE and generates a new SIP INVITE with source IP:port = 172.16.1.21:7001 and destination IP:port = 10.1.5.20:25006, then sends it towards ASA-C. ASA-C checks its connection table for an entry that matches this connection, and this is where the magic happens: the connection is already there. From ASA-C's perspective, this is legitimate return traffic for a pseudo-connection initiated from Inside, even though the SIP INVITE was actually initiated by Cisco Jabber, in other words from the outside. The Cisco Expressway-E rewrites the L3/L4 headers so that they match the firewall traversal connection, in other words the entry in the ASA's connection table. This is the idea behind the firewall traversal concept.
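
The following is an added example, not part of the original post or of any Cisco software: a minimal model of the ASA's stateful connection table, using the addresses and ports above, that shows why the Expressway-E's rewritten INVITE is permitted as return traffic while an unsolicited DMZ-to-Inside connection is dropped. The interface names, security levels and the stray flow (port 5060) are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed interface security levels, as on an ASA (higher = more trusted)
SECURITY_LEVEL = {"inside": 100, "dmz": 50}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        # The tuple the firewall expects for return traffic of this flow
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Toy model of ASA connection tracking (constructed, not Cisco code)."""

    def __init__(self) -> None:
        self.conn_table: set[Flow] = set()

    def process(self, ingress: str, egress: str, flow: Flow) -> str:
        # Return traffic: the reversed 4-tuple already exists in the conn table
        if flow.reverse() in self.conn_table:
            return "PERMIT: return traffic for existing connection"
        # New connection from higher to lower security level: allow and record
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            self.conn_table.add(flow)
            return "PERMIT: new outbound connection, entry created"
        # Anything else arriving from the lower security side is dropped
        return "DROP: no matching connection from lower to higher security"


def demo() -> tuple[str, str, str]:
    fw = StatefulFirewall()
    # 1. Expressway-C opens the traversal connection towards Expressway-E
    traversal = Flow("10.1.5.20", 25006, "172.16.1.21", 7001)
    r1 = fw.process("inside", "dmz", traversal)
    # 2. Expressway-E sends the rewritten SIP INVITE back over that connection
    invite = Flow("172.16.1.21", 7001, "10.1.5.20", 25006)
    r2 = fw.process("dmz", "inside", invite)
    # 3. An unsolicited inbound connection from the DMZ matches no entry
    stray = Flow("172.16.1.21", 5060, "10.1.5.20", 5060)
    r3 = fw.process("dmz", "inside", stray)
    return r1, r2, r3


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that the model only decides on the 4-tuple; a real ASA also tracks protocol and TCP state, which is why the traversal connection must be kept alive by Expressway-C for the INVITE to be accepted later.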

