topic Expressway-E and C and NAT in General Topics

Expressway-E and C and NAT

EricPortenier — Wed, 24 May 2017 21:06:47 GMT

I am putting in a Jabber system using Expressway-E and C. My Expressway-E server is NAT'd through the PA-3020 and I have a security rule set up to allow the required ports in on the Public address. If I make a call IN from an external Jabber client it goes through fine. If I try to make a call OUT from a phone to a jabber client, the call does not go through.

My setup is similar to this:

192.168.1.10 (internal address of EXP-E)

210.1.2.1 (external IP of EXP-E)

192.168.1.10 is NAT'd through to 210.1.2.1

u_turn rule

trust-> untrust Dest Address=210.1.2.1 Source Translation= Dynamic/210.1.2.1 destination translation =192.168.1.10

MIp_rule

trust->untrust source address=192.168.1.10 source translation static/210.1.2.1 bi-di.

Security rule set up to allow incoming SIP type ports to come across on the 210.1.2.1 external IP.

Expressway E is set up with a single interface. When Expressway-E has NAT turned on, I can make a call from external to internal. WHen Expressway-E has NAT turned off, I CAN get a call to go external, but there is no audio.

Does anyone have any idea what I am doing wrong?

Re: Expressway-E and C and NAT

ansharma — Wed, 24 May 2017 23:26:57 GMT

Hi Eric,

Welcome to the community!

Kinda hard to guess what's going on with the traffic. Can you check the session on the CLI when testing? - show session all filter source x.x.x.x

Also, pcaps would be insightful in this scenario (https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390).

Regards,

Anurag

Re: Expressway-E and C and NAT

EricPortenier — Thu, 01 Jun 2017 14:46:41 GMT

What we found out was that Expressway needs to be configured in a dual nic configuration - one internal NIC and one External NIC. Trying to get it working on a single NIC with NAT through a PA will apparently not work. I also had to create a non-routable (internally) vLAN and use it on a DMZ port on the Palo ALto. I then took the Expressway interface configured for External access and put it on the DMZ vLAN. That Expressway NIC was configured with internal NAT, a security rule and direct NAT rule were created on the Palo Alto, and all worked afterward. I guess the real hold up was that a DMZ needed to be created on the PA (we didn't really have one prior to this) and the Expressway needed to be set to use dual interfaces. Once everything was configured and secured properly, we were able to register external SIP phones and make and receive calls.

Re: Expressway-E and C and NAT

adam.b — Mon, 06 Apr 2020 01:48:53 GMT

This is an old post, but I'm doing the same thing with Jabber and a single Palo Alto firewall. Dual NIC Expressway configuration. Are you by chance still doing all this and be willing to send over your NAT and security rules that are set up? Static NAT on the external Expressway-E interface out to a public address is no problem. I get all that. I'm still trying to get my head around what needs to happen between the Expressway-C and Expressway-E internal and external interfaces.

Re: Expressway-E and C and NAT

lsimanek — Fri, 25 Sep 2020 16:36:55 GMT

I am in the same boat - wanted to verify my configuration -

I created a NAT

Source Zone - untrust > Destination Zone - untrust > Destination address - Public expressway E > Destination Translation - address - DMZ-express E

Security policy

Source zone - untrust > Destination zone - DMZ > Destination address - Public expressway E > service - ports for expressway

Does that sound right?

Re: Expressway-E and C and NAT

SutareMayur — Mon, 28 Sep 2020 06:46:20 GMT

@lsimanek,

If you're facing kind of issues with the below configuration, try with Static Bidirectional NAT configuration.