Cisco Expressway Integration with Different Vendor Firewalls

Meddane
VIP

Cisco Expressway Series Single-NIC Deployment NAT Reflection

  • Cisco Secure Firewall
  • PaloAlto Firewall
  • Fortigate Firewall

Meddane_0-1733750902532.png

Cisco Secure Firewall

A static one-to-one NAT must be configured that translates the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below is a Destination NAT rule that translates the public IP 41.1.1.60 to the private IP 10.1.6.60.

Meddane_1-1733750902534.png

Meddane_2-1733750902536.png

Packets coming from Cisco Expressway-C, traversing the Cisco Secure Firewall and destined to Cisco Expressway-E's public IP address 41.1.1.60, undergo the following transformation through the NAT reflection rule:

Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).

The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.

When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they carry the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.

NAT reflection on Cisco Secure Firewall is configured with a Manual NAT rule.

The Manual NAT rule configured below has the following settings:

  • The original source IP: 10.1.5.60 (Expressway-C)
  • The original destination IP: 41.1.1.60 (Expressway-E)
  • The translated source IP: None
  • The translated destination IP: 10.1.6.60

Meddane_3-1733750902538.png

Below is the corresponding Manual NAT command pushed to the Cisco Secure Firewall:

Meddane_4-1733750902539.png

Verify on the Cisco Expressway-Core that the traversal connection is active.

Meddane_5-1733750902540.png

Verify on the Cisco Expressway-Edge that the traversal connection is active.

Meddane_6-1733750902543.png

The firewall connection table shows an entry for the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge with destination port 7001. This connection is initiated by Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.

Meddane_7-1733750902544.png

PaloAlto Firewall

A static one-to-one NAT must be configured that translates the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below is a Destination NAT rule that translates the public IP 41.1.1.60 to the private IP 10.1.6.60.

Meddane_8-1733750902545.png

Meddane_9-1733750902546.png

Meddane_10-1733750902546.png

Packets coming from Cisco Expressway-C, traversing the PaloAlto Firewall and destined to Cisco Expressway-E's public IP address 41.1.1.60, undergo the following transformation through the NAT reflection rule:

Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).

The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.

When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they carry the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.

NAT reflection on the PaloAlto Firewall is configured with a U-turn NAT rule.

The U-turn NAT rule configured below has the following settings:

  • The original source IP: 10.1.5.60 (Expressway-C)
  • The original destination IP: 41.1.1.60 (Expressway-E)
  • The translated source IP: None
  • The translated destination IP: 10.1.6.60

Meddane_11-1733750902547.png

Meddane_12-1733750902548.png

Meddane_13-1733750902549.png

Meddane_14-1733750902550.png

After configuring the DNAT rule for MRA or WebRTC connections coming from the Internet to Cisco Expressway-Edge, and the U-turn NAT rule for the traversal connection coming from Cisco Expressway-Core to Cisco Expressway-Edge, we need to configure two security policy rules to allow these connections.

Below is a security rule to allow inbound connections from the Internet to Cisco Expressway-Edge.

Meddane_15-1733750902551.png

Meddane_16-1733750902552.png

Meddane_17-1733750902553.png

Below is a security rule to allow outbound traffic from Cisco Expressway-Core to Cisco Expressway-Edge.

Meddane_18-1733750902554.png

Meddane_19-1733750902555.png

Meddane_20-1733750902555.png

Meddane_21-1733750902557.png

Verify on the Cisco Expressway-Core that the traversal connection is active.

Meddane_22-1733750902558.png

Verify on the Cisco Expressway-Edge that the traversal connection is active.

Meddane_23-1733750902560.png

The firewall connection table shows an entry for the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge with destination port 7001. This connection is initiated by Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.

Meddane_24-1733750902562.png

Meddane_25-1733750902563.png

Fortigate Firewall

A static one-to-one NAT must be configured that translates the external IP address 41.1.1.60 to the mapped IP address 10.1.6.60 of the Cisco Expressway-Edge, for MRA Jabber client registration and call setup or WebRTC connections coming from the Internet.

The same rule applies to packets coming from Cisco Expressway-C that traverse the Fortigate Firewall towards Cisco Expressway-E's public IP address 41.1.1.60; they undergo the following transformation through the NAT reflection rule:

Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).

The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.

When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they carry the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.

NAT reflection on the Fortigate Firewall is configured with the following NAT rule.

The NAT rule configured below has the following settings:

  • Interface : any
  • Type : Static NAT
  • External IP Address/Range : 41.1.1.60 (Expressway-E)
  • Mapped IP Address/Range : 10.1.6.60

Meddane_26-1733750902567.png

Meddane_27-1733750902570.png
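To make the difference between the three vendors' rule shapes concrete, here is an added Python model of the translations described in this and the two preceding sections; it is not part of the original post and is not vendor code. The addresses and port 7001 are the post's; the zone names "inside", "outside" and "dmz", the client source port 40001 and the first-match rule order are assumptions. It generalizes the post's configurations to one rule type: a zone-specific DNAT plus a separate source-and-destination reflection rule (Cisco Secure Firewall Manual NAT, PaloAlto U-turn NAT) versus a single any-interface static NAT (Fortigate) that serves both flows, and it also shows the stateful reverse translation on the reply that keeps Expressway-C's connection valid.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
# Addresses from the post; 7001 is the Expressway traversal (SIP) port.
EXP_C, EXP_E_PRIV, EXP_E_PUB = "10.1.5.60", "10.1.6.60", "41.1.1.60"

@dataclass(frozen=True)
class Packet:
    zone: str   # ingress zone/interface as the firewall classifies it (assumed names)
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class DnatRule:
    """Match ingress zone and original src/dst (None = any); rewrite dst only."""
    orig_dst: str
    xlat_dst: str
    zone: str | None = None
    orig_src: str | None = None
    def matches(self, p: Packet) -> bool:
        return (self.zone in (None, p.zone) and self.orig_src in (None, p.src)
                and p.dst == self.orig_dst)

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}   # translated 4-tuple -> original packet (state table)
    def forward(self, p: Packet) -> Packet:
        """Apply the first matching DNAT rule and record the translation."""
        for r in self.rules:
            if r.matches(p):
                t = replace(p, dst=r.xlat_dst)
                self.conns[(t.src, t.sport, t.dst, t.dport)] = p
                return t
        return p   # no match: dst stays 41.1.1.60 and never reaches Expressway-E
    def reply(self, p: Packet) -> Packet:
        """Undo the translation on a reply so Expressway-C sees the public IP."""
        return replace(p, src=self.conns[(p.dst, p.dport, p.src, p.sport)].dst)

# Cisco Secure Firewall / PaloAlto style: zone-specific DNAT for Internet clients
# plus a separate Manual / U-turn rule matching the core's zone and source.
TWO_RULE_FW = [DnatRule(EXP_E_PUB, EXP_E_PRIV, zone="outside"),
               DnatRule(EXP_E_PUB, EXP_E_PRIV, zone="inside", orig_src=EXP_C)]
VIP_FW = [DnatRule(EXP_E_PUB, EXP_E_PRIV)]   # Fortigate static NAT, interface "any"

def traversal(rules):
    """Expressway-C opens port 7001; returns (packet at Expressway-E, reply at Expressway-C)."""
    fw = Firewall(rules)
    seen = fw.forward(Packet("inside", EXP_C, 40001, EXP_E_PUB, 7001))
    return seen, fw.reply(Packet("dmz", EXP_E_PRIV, 7001, EXP_C, 40001))
```

Dropping the second rule of TWO_RULE_FW leaves the core's packet untranslated, which is the symptom of a missing reflection rule: the traversal connection never comes up on either Expressway.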

Below is a security rule to allow inbound connections from the Internet to Cisco Expressway-Edge.

Meddane_28-1733750902577.png

Below is a security rule to allow outbound traffic from Cisco Expressway-Core to Cisco Expressway-Edge.

Meddane_29-1733750902582.png

Verify on the Cisco Expressway-Core that the traversal connection is active.

Meddane_30-1733750902585.png

Verify on the Cisco Expressway-Edge that the traversal connection is active.

Meddane_31-1733750902588.png
