Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
0
Helpful
2
Replies

Expressway Design w/ no NAT

parkerfoster
Level 1
Level 1

‎01-11-2018 02:35 PM - edited ‎03-19-2019 01:03 PM

I'm looking at building an Expressway 8.10 solution to support the registration of home-worker phones (currently supported via The Office Extend routers that are EOL). Looking at the Cisco design docs they recommend the Exp-E has a 2 armed design, with both interfaces being in private address space and doing static NAT on the "external" interface. This means that the FW does the NAT and you also need to configure static NAT on the Exp-E so that it encapsulates the NAT address into the h.323 or SIP payload.

 

Can't I just do a one-armed design with the Exp-E using a public IP address? That would simplify my build in that no NAT happens, and the Exp-C knows of the Exp-E by it's public non NAT IP address. Traffic from C-to-E would follow default route, from E-to-C it would follow static routes already in my FW's. It would also negate the issue of C-to-E traffic having to do NAT reflection and hairpinning back to the Exp-E.

 

Wondering if it is possible and why this more simple design isn't part of the Cisco design document. Every use case in the document uses static NAT on the Exp-E.?!?!

0 Helpful
2 Replies 2

Chris Deren
Hall of Fame
Hall of Fame

‎01-12-2018 06:11 AM

Sure you could, but that might open you up for all kinds of security flows.  The main reason Cisco recommends 2 interfaces is to separate the Transit DMZ between Exp-C and Exp-E servers from external connection. The NIC 2 does not necessarily need to be NATed, you can put public IP address on the LAN2  (DMZ Services) if you chose so, assuming you put it behind firewall and allow only required ports to/from the internet. Again, the design comes down to what your security team deems secured deployment.

0 Helpful

parkerfoster
Level 1
Level 1
In response to Chris Deren

‎01-12-2018 08:58 AM

Of course inbound/outbound traffic will be specified bot between outside/Exp-E and Exp-E and Exp-C. Seems to me that by itself 1-to-1 NAT provides no security benefit. Also my external FW has no private IP segments, and, we don't want the Exp-E to become a bridge between outside to inside segments. So my choices are one-arm or two-arm design with both interfaces being in public segments. The Exp-C will be behind yet another internal FW so we will have multiple ACL's in place. Thanks for the input.
0 Helpful
Customers Also Viewed These Support Documents