I need some assistance in the following:
1. I plan a clustered setup of Expressways (2x expressway-E, 2x expressway-C).
For clustering, on the internal DNS used by Expressway-C, I create A records that reference the Expressway servers as well as the cluster FQDN (as per the clustering deployment guide):
EXPC1.<internaldomain> >> IP address of EXPC1.vfc.com
EXPC2.<internaldomain> >> IP address of EXPC2.vfc.com
EXPE1.<internaldomain> >> IP address of EXPE1.vfc.com
EXPE2.<internaldomain> >> IP address of EXPE2.vfc.com
EXPC-cluster.<internaldomain> >> IP address of EXPC1.vfc.com and EXPC2.vfc.com
EXPE-cluster.<internaldomain> >> IP address of EXPE1.vfc.com and EXPE2.vfc.com
When reading about the advanced network deployments (Cisco Expressway Basic Deployment guide, p. 62 onward; and the link provided below also) I am getting a bit confused:
Because in our setup the Expressway-E is behind a NAT router and hence static NAT mode is enabled, it is stated that the VCS Expressway (=Expressway-E) requests that inbound signaling and media traffic be sent to its external FQDN rather than its private name.
My question is:
Above statement ("external FQDN") means to me the client traversal destination needs to resolve to the public IP address. Do the A records for the Expressway-E on the *internal* DNS (used by Expressway-C) therefore need to point to the private IP addresses of the Expressway-E servers (like above) or rather the public ones (which I think is the case)?
2. When reading the Cisco Expressway IP Port Usage Configuration Guide, the section on MRA connections (p. 28), as well as table 15 on page 29, both reference communications from Expressway-C to Expressway-E's private IP. This is confusing to me, because as in my case the Expressway-E is behind a NAT router, should the destination IP address in table 15 not be the Expressway-E public IP instead?
3. Can I do clustering of Expressway-E using the 3-port FW DMZ setup with static NAT mode enabled (Expressway-E behind a NAT router)?
Clustering makes this easier in a way: you must use the dual NIC recommended design. This is because clustering can only occur on NIC1 and the clustering NIC cannot be NATed.
The Traversal Client zone on Expressway-C should point at Expressway-E NIC1, which only has a private IP. On internal DNS the A record should resolve to NIC1's IP address, while PTR records for both NIC IP addresses and the NATed public IP all resolve back to the A record. Public DNS obviously resolves to the NATed address of NIC2. It's worth mentioning that PTR resolution must also work; you may need to open a ticket with your ISP to get that created.
Jonathan, looking for your assistance here - sorry I am using this discussion post since its related!
Following dual NIC static NAT deployment, along with a cluster of two peers for Expressway-E. Internal IPs will be assigned to LAN1 clustering NIC1s. How about NIC2s? Does this mean it will require two NATed IPs? In other words, for a single Expressway-E node = one NATed IP, while a cluster of two nodes = two NATed IPs. Is this correct?
Yes, in a dual-NIC setup NIC2 of each Expressway-E needs an IPv4 address in a different subnet than NIC1 (also typically a few static routes for RFC1918 address space forcing it out NIC1 to the internal network.)
If you have a DMZ segment that is _not_ NATed, use that. If not, then yes each cluster node will need a static NAT 1:1 to a unique/dedicated public address. You cannot overload/PAT since UDP port information will be buried within the TLS-protected SIP dialog.
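The DNS and NAT rules from the two answers above (internal A record to NIC1 only, PTR for both NICs and the NAT address back to the A name, private clustering NIC in a different subnet from NIC2, and a dedicated 1:1 public address per peer) as an added audit script; this is example code, not Cisco's or the thread's own. Host names and addresses are constructed, and the lookup callables stand in for live A and PTR queries against the internal DNS.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample data (hypothetical names; RFC 1918 and RFC 5737 addresses).
# Per Expressway-E peer: NIC1 = clustering/internal NIC, NIC2 = DMZ NIC behind 1:1 static NAT.
NODES = {
    "expe1.internal.example": {"nic1": "10.10.20.11/24", "nic2": "10.10.30.11/24", "public": "198.51.100.11"},
    "expe2.internal.example": {"nic1": "10.10.20.12/24", "nic2": "10.10.30.12/24", "public": "198.51.100.12"},
}
# Constructed internal-DNS answers standing in for live A and PTR lookups.
INTERNAL_A = {"expe1.internal.example": ["10.10.20.11"], "expe2.internal.example": ["10.10.20.12"]}
PTR = {
    "10.10.20.11": "expe1.internal.example", "10.10.30.11": "expe1.internal.example",
    "198.51.100.11": "expe1.internal.example",
    "10.10.20.12": "expe2.internal.example", "10.10.30.12": "expe2.internal.example",
    "198.51.100.12": "expe2.internal.example",
}

def check_cluster_dns(nodes: Dict[str, Dict[str, str]],
                      a_lookup: Callable[[str], List[str]],
                      ptr_lookup: Callable[[str], str]) -> List[str]:
    """Return design violations; an empty list means the records follow the rules above."""
    problems: List[str] = []
    seen_public: Dict[str, str] = {}
    for name, n in nodes.items():
        nic1 = ipaddress.ip_interface(n["nic1"])
        nic2 = ipaddress.ip_interface(n["nic2"])
        public = ipaddress.ip_address(n["public"])
        # Clustering runs on NIC1 and that NIC cannot be NATed, so it must carry a private address.
        if not nic1.ip.is_private:
            problems.append(f"{name}: NIC1 {nic1.ip} is not a private address")
        # NIC2 must live in a different subnet from NIC1.
        if nic1.network == nic2.network:
            problems.append(f"{name}: NIC1 and NIC2 share subnet {nic1.network}")
        # The internal A record (traversal zone target) must resolve to NIC1 only.
        if a_lookup(name) != [str(nic1.ip)]:
            problems.append(f"{name}: internal A record is {a_lookup(name)}, expected [{nic1.ip}]")
        # PTR for NIC1, NIC2 and the public NAT address must all point back at the A record name.
        for label, addr in (("NIC1", nic1.ip), ("NIC2", nic2.ip), ("public", public)):
            if ptr_lookup(str(addr)) != name:
                problems.append(f"{name}: PTR for {label} {addr} is {ptr_lookup(str(addr))!r}")
        # 1:1 static NAT: peers cannot share a public address (PAT cannot work here).
        if str(public) in seen_public:
            problems.append(f"{name}: public {public} already used by {seen_public[str(public)]}")
        seen_public[str(public)] = name
    return problems

def audit_sample() -> List[str]:
    """Run the checks against the constructed records; returns [] for the sample above."""
    return check_cluster_dns(NODES, lambda h: INTERNAL_A.get(h, []), lambda ip: PTR.get(ip, ""))
```

To audit a real deployment, replace the two lambdas with functions that query the internal resolver (for example via dnspython) and fill NODES from the Expressway network configuration.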
This was really helpful - I appreciate your quick response. While this may look basic, I couldn't find a clear answer in the Cisco documentation, including the basic config and clustering docs for both versions 8s and 12.5/6.
Another question, looking for a reference guide on how to design dual NIC deployment using a single FW - 2 DMZ's.
Thank you again for your help.
I think I figured it out - we can implement a single FW with two DMZs where EXP-E NIC#1 resides in the lower DMZ and NIC#2 resides in the upper DMZ then EXP-C cluster resides in the 'inside' mapped to the EXP-E NIC#1.