Thanks Carl,

Looking at the configuration on the ASA SIP ALG is not enabled, under the Policy Map this is only enabled for DNS

policy-map type inspect dns preset_dns_map

I recall turning on SIP ALG as this was causing issues when working from home & joining VC Meetings.

Ah ok.

I had similar issues with one customer whereby the IPS inspection was causing issues

What I ended up doing in the end was a packet capture on the expressways (using the maintenance diagnostics system) and inspecting stuff there.

Check that the IP's in the SDP's are correct and also see where the media is going missing.  IF you see the expressway E sending it inbound but the Expressway C not receiving it, youve found your problem.

Also note that the IP's will be a bit confusing, from memory the Media from C to E will be sent to the external IP of the EXP-E, but the media from EXP-E to C will be send from its internal IP.

Hey.

The Expressway has only one IP address which is private however I have put the public IP under IPv4 static NAT address.

I currently am using the DNS name for the traversal client zone from Exp-c to Exp-E which would be its internal address.

I will try changing this to my public address and see if this works.

Yes this seems to be a issue, you need to put FQDN of Exp E there and need to create A record in internal/enterprise DNS which will point to public IP address of Exp E.

Suresh

Thanks I have changed the A Record to point to the public address which has broken the traversal zone which is what I expected as anything on the private range will not be able to access the expressway on the public using the public address due to the NAT.

Any idea what command I can run on the ASA to allow access internally? essentially hair pinning the NAT?

You just need to make sure that the public address inbound from the outside is natted to the address of the expressway e private address. You are right it's hairpinning it but it should be no different to a regular inbound nat; as long as your expressway c is allowed to access the address your natting to then it should be fine

This might be what you need

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1150-cisco-asa-firewall-nat-reflection-loopback-hairpinning-configuration.html

Now you have to configure NAT reflection in firewall if it's not configured.

NAT reflection configuration on the ASA firewall is described in below document with example.

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118992-configure-nat-00.html

Suresh

Thanks.

All the documents seem to be referring to a 3 legged firewall however I am using two interfaces and given the Expressway-E is on a VM on the same host as the Expressway-C I cannot create another interface.

Do you have any idea how it can be done with two interfaces? Using the Outside port maybe?

Hi Dean,

What do you mean by interface ? is it network interface on server (vmnic port), if yes then yes you should use different interfaces for Exp C & E and IP addresses also should be in different subnets for Exp C & E and you have already enabled Static Nat for public IP address on Exp E.

Suresh

Hi,

No firewall between Expressway C & E

Internet - ASA - Expressway-E - Expressway-C - UC Environment