12-09-2024 05:38 AM
Cisco Expressway Series Single-NIC Deployment NAT Reflection
Cisco Secure Firewall
A static one-to-one NAT must be configured, which translates the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below is a Destination NAT rule that translates the public IP 41.1.1.60 to the private IP 10.1.6.60.
Packets coming from Cisco Expressway-C, traversing the Cisco Secure Firewall and destined to Cisco Expressway-E's public IP address 41.1.1.60, undergo the following transformation through the NAT Reflection rule:
Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).
The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.
When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they have the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.
NAT reflection on Cisco Secure Firewall is configured with Manual NAT Rule.
The Manual NAT rule configured below has the following properties:
Below is the corresponding Manual NAT command pushed to the Cisco Secure Firewall:
Verify on the Cisco Expressway-Core that the traversal connection is active.
Verify on the Cisco Expressway-Edge that the traversal connection is active.
The firewall connection table shows an entry for the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge on destination port 7001. This connection is initiated by Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.
PaloAlto Firewall
A static one-to-one NAT must be configured, which translates the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below is a Destination NAT rule that translates the public IP 41.1.1.60 to the private IP 10.1.6.60.
Packets coming from Cisco Expressway-C, traversing the PaloAlto Firewall and destined to Cisco Expressway-E's public IP address 41.1.1.60, undergo the following transformation through the NAT Reflection rule:
Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).
The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.
When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they have the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.
NAT reflection on PaloAlto Firewall is configured with U-turn NAT Rule.
The U-Turn NAT rule configured below has the following properties:
After configuring the DNAT rule for MRA or WebRTC connections coming from the internet to Cisco Expressway-Edge, and the U-turn NAT rule for the traversal connection coming from Cisco Expressway-Core to Cisco Expressway-Edge, two security policy rules must be configured to allow these connections.
Below is a security rule to allow inbound connections from the internet to Cisco Expressway-Edge.
Below is a security rule to allow outbound traffic from Cisco Expressway-Core to Cisco Expressway-Edge.
Verify on the Cisco Expressway-Core that the traversal connection is active.
Verify on the Cisco Expressway-Edge that the traversal connection is active.
The firewall connection table shows an entry for the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge on destination port 7001. This connection is initiated by Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.
Fortigate Firewall
A static one-to-one NAT must be configured, which translates the External IP address 41.1.1.60 to the Mapped IP address 10.1.6.60 of the Cisco Expressway-Edge, for MRA Jabber client registration and call setup or WebRTC connections coming from the internet.
The same rule applies to packets coming from Cisco Expressway-C and traversing the Fortigate Firewall towards Cisco Expressway-E's public IP address 41.1.1.60; they undergo the following transformation through the NAT Reflection rule:
Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).
The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.
When Cisco Expressway-C packets arrive at the Cisco Expressway-E, they have the following source and destination IP addresses: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.
NAT reflection on the Fortigate Firewall is configured with the following NAT rule.
The NAT Rule configured below has the following:
Below is a security rule to allow inbound connections from the internet to Cisco Expressway-Edge.
Below is a security rule to allow outbound traffic from Cisco Expressway-Core to Cisco Expressway-Edge.
Verify on the Cisco Expressway-Core that the traversal connection is active.
Verify on the Cisco Expressway-Edge that the traversal connection is active.
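The transformation described in all three vendor sections above (Expressway-C dials the Edge's public IP, the firewall redirects it to the private IP and leaves the source unchanged, and the reply must come back from the IP that was dialled) as an added example that is not part of the original article or of any vendor's configuration: a small Python model of the reflection rule and the resulting connection table entry. The zone names "inside"/"outside" and the reply handling are assumptions; the IP addresses and port 7001 are the article's.

```python
# Added example, not from the original article: a small stateful model of the NAT
# reflection (hairpin / U-turn NAT) described above. IP addresses and port 7001 are the
# article's; the zone names "inside"/"outside" and the reply handling are assumptions.
from dataclasses import dataclass, replace

EXPRESSWAY_E_PUBLIC = "41.1.1.60"
EXPRESSWAY_E_PRIVATE = "10.1.6.60"
EXPRESSWAY_C = "10.1.5.60"
TRAVERSAL_PORT = 7001  # traversal connection Expressway-C opens to Expressway-E

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # zone the packet arrives on: "outside" (internet) or "inside" (LAN)

@dataclass(frozen=True)
class DnatRule:
    ingress: str     # zone the rule matches
    original: str    # destination IP before translation
    translated: str  # destination IP after translation

# Static one-to-one DNAT for MRA/WebRTC clients arriving from the internet.
INBOUND_DNAT = DnatRule("outside", EXPRESSWAY_E_PUBLIC, EXPRESSWAY_E_PRIVATE)
# Reflection / U-turn rule: the same translation for LAN hosts dialling the public IP.
REFLECTION_RULE = DnatRule("inside", EXPRESSWAY_E_PUBLIC, EXPRESSWAY_E_PRIVATE)

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conn_table = {}  # (src, translated dst, dport) -> original dst

    def forward(self, pkt):
        """Apply the first matching DNAT rule; the source IP is never changed."""
        for rule in self.rules:
            if rule.ingress == pkt.ingress and rule.original == pkt.dst:
                self.conn_table[(pkt.src, rule.translated, pkt.dport)] = pkt.dst
                return replace(pkt, dst=rule.translated)
        return pkt  # no matching rule: packet is forwarded untranslated

    def reply_source(self, server, client, dport):
        """Source IP the client sees on the reply: un-NATed to the original destination if tracked."""
        return self.conn_table.get((client, server, dport), server)

def traversal_works(firewall):
    """Hairpin succeeds only if Expressway-C's packet reaches the private IP and the reply appears to come from the public IP it dialled."""
    out = firewall.forward(Packet(EXPRESSWAY_C, EXPRESSWAY_E_PUBLIC, TRAVERSAL_PORT, "inside"))
    reply_src = firewall.reply_source(out.dst, EXPRESSWAY_C, TRAVERSAL_PORT)
    return out.dst == EXPRESSWAY_E_PRIVATE and reply_src == EXPRESSWAY_E_PUBLIC
```

With only the inbound DNAT rule, the LAN-originated packet matches nothing and is sent to the firewall-owned public address, so the traversal connection never reaches Expressway-E; the reflection rule is what makes the single-NIC deployment work.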