01-11-2018 02:35 PM - edited 03-19-2019 01:03 PM
I'm looking at building an Expressway 8.10 solution to support the registration of home-worker phones (currently supported via the Office Extend routers that are EOL). Looking at the Cisco design docs, they recommend the Exp-E has a two-armed design, with both interfaces being in private address space and doing static NAT on the "external" interface. This means that the FW does the NAT and you also need to configure static NAT on the Exp-E so that it encapsulates the NAT address into the H.323 or SIP payload.
Can't I just do a one-armed design with the Exp-E using a public IP address? That would simplify my build in that no NAT happens, and the Exp-C knows of the Exp-E by its public non-NAT IP address. Traffic from C-to-E would follow the default route; from E-to-C it would follow static routes already in my FWs. It would also negate the issue of C-to-E traffic having to do NAT reflection and hairpinning back to the Exp-E.
Wondering if it is possible and why this more simple design isn't part of the Cisco design document. Every use case in the document uses static NAT on the Exp-E.?!?!
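The post above describes why the Exp-E needs its own static-NAT setting in addition to the firewall's translation: the firewall rewrites only the IP header, while SIP carries addresses inside the payload (Via, Contact, and the SDP connection line). The following is an added illustration, not Cisco code and not a model of Expressway's actual B2BUA behaviour; it builds a generic, constructed SIP INVITE with and without an advertised address (the constructed private address 192.168.50.10 and the constructed public address 203.0.113.5 are assumptions), and includes a checker that flags RFC 1918 addresses leaking into the address-bearing lines, the kind of check a defender could run over a signalling capture to confirm the NAT configuration is correct.

```python
import ipaddress
import re

# Address-bearing SIP/SDP lines that a peer on the far side of the NAT will parse.
_ADDRESS_LINES = ("Via:", "Contact:", "c=", "o=")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 ranges only; ipaddress.is_private would also flag documentation ranges.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_invite(local_ip, advertised_ip=None, domain="example.com"):
    """Constructed SIP INVITE with an SDP body (example only).

    Without advertised_ip, every address-bearing field carries the sending
    interface's own address, which is what the remote peer sees when the
    server has no static-NAT setting and the firewall only translates the
    IP header. With advertised_ip (the NAT's public address), the server
    writes that address into the signalling and the media description.
    """
    addr = advertised_ip or local_ip
    sdp = (
        "v=0\r\n"
        f"o=phone 1 1 IN IP4 {addr}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {addr}\r\n"
        "t=0 0\r\n"
        "m=audio 16384 RTP/AVP 0\r\n"
    )
    headers = (
        f"INVITE sip:bob@{domain} SIP/2.0\r\n"
        f"Via: SIP/2.0/TLS {addr}:5061;branch=z9hG4bK-constructed\r\n"
        f"Contact: <sip:alice@{addr}:5061;transport=tls>\r\n"
        f"From: <sip:alice@{domain}>;tag=1\r\n"
        f"To: <sip:bob@{domain}>\r\n"
        f"Call-ID: constructed-call-id@{domain}\r\n"
        "CSeq: 1 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n"
    )
    return headers + sdp


def leaked_private_addresses(sip_message):
    """Return the sorted RFC 1918 addresses found in address-bearing lines.

    A non-empty result means the firewall's NAT alone is not enough: the
    signalling still advertises addresses the remote side cannot reach.
    """
    leaks = set()
    for line in sip_message.split("\r\n"):
        if not line.startswith(_ADDRESS_LINES):
            continue
        for candidate in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if any(ip in net for net in _RFC1918):
                leaks.add(candidate)
    return sorted(leaks)


if __name__ == "__main__":
    # Same private interface, with and without the advertised NAT address.
    print("no advertised address :", leaked_private_addresses(build_invite("192.168.50.10")))
    print("advertised 203.0.113.5:", leaked_private_addresses(build_invite("192.168.50.10", "203.0.113.5")))
```

The two runs differ only in whether the server knows its public address: without it, the Via, Contact, and SDP lines all advertise 192.168.50.10, which is unreachable from the remote side even though the IP header was translated; with it, the checker reports nothing. The same checker applied to a real capture of the Exp-E's external signalling gives a quick confirmation that the static-NAT setting on the Exp-E matches what the firewall translates to.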
01-12-2018 06:11 AM
Sure you could, but that might open you up to all kinds of security flaws. The main reason Cisco recommends 2 interfaces is to separate the Transit DMZ between Exp-C and Exp-E servers from the external connection. The NIC 2 does not necessarily need to be NATed; you can put a public IP address on the LAN2 (DMZ Services) if you choose so, assuming you put it behind a firewall and allow only required ports to/from the internet. Again, the design comes down to what your security team deems a secured deployment.
01-12-2018 08:58 AM