Expressway E and ASA

Phil Bradley · ‎05-07-2017

I am looking through the documentation and trying to understand the recommended NAT and firewall for my Expressway-E. Here is what I have.

Expressway-E - In a DMZ interface on ASA 192.168.1.2

I have created a static NAT rule from the inside to the DMZ using the same IP's.

I have the Advanced networking option installed but I don't see how to enable the second interface. The GUI only shows Lan1.

Can I NAT the 192.168.1.2 out to the public or do I need to use the second interface for this and create another DMZ? The recommended approach says to use 2 network adapters when using 2 firewalls but I am only behind one ASA.

Jaime Valencia · ‎05-07-2017

Use dual interfaces and save yourself a lot of problems.

System -> Network Interfaces -> IP

There's the option to use dual NIC, just change it to Yes.

With that, you can follow the best design with dual interfaces outlined in the documentation, make sure to choose LAN 2 as your external LAN interface.

HTH

java

if this helps, please rate

Phil Bradley · ‎05-07-2017

Edit: With the dual do I need to put interface 1 on the inside network and only put interface 2 in the DMZ of the ASA?

Do I need to select the option "IPV4 static nat mode" for both interfaces? I have a static nat defined for both on the ASA.

Mohamed Amine Jaafar · ‎05-20-2017

You can choose whatever external interface you want (interface 1 or 2), just put the correct one under "External LAN interface" parameter under System > Network interfaces > IP

Since the NAT is done on the ASA, you need to put the parameter "IPv4 static NAT mode" to "On" and specify the public IP address in "IPv4 static NAT address" field.
Expressway-E needs to be aware of it in order to change the SIP/H323 signaling while traversing the firewall.