Expressway-E and C and NAT

Reply
Highlighted
L1 Bithead

Expressway-E and C and NAT

I am putting in a Jabber system using Expressway-E and C. My Expressway-E server is NAT'd through the PA-3020 and I have a security rule set up to allow the required ports in on the Public address. If I make a call IN from an external Jabber client it goes through fine. If I try to make a call OUT from a phone to a jabber client, the call does not go through. 

 

My setup is similar to this: 

 

192.168.1.10 (internal address of EXP-E)

210.1.2.1 (external IP of EXP-E)

 

192.168.1.10 is NAT'd through to 210.1.2.1

 

u_turn rule 

trust-> untrust Dest Address=210.1.2.1  Source Translation= Dynamic/210.1.2.1 destination translation =192.168.1.10

 

MIp_rule

trust->untrust source address=192.168.1.10  source translation static/210.1.2.1 bi-di.

 

 

Security rule set up to allow incoming SIP type ports to come across on the 210.1.2.1 external IP. 

 

 

Expressway E is set up with a single interface. When Expressway-E has NAT turned on, I can make a call from external to internal. WHen Expressway-E has NAT turned off, I CAN get a call to go external, but there is no audio. 

 

Does anyone have any idea what I am doing wrong? 

 

Highlighted
L4 Transporter

Hi Eric,

 

Welcome to the community!

 

Kinda hard to guess what's going on with the traffic. Can you check the session on the CLI when testing? - show session all filter source x.x.x.x 

Also, pcaps would be insightful in this scenario (https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390).

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
Highlighted
L1 Bithead

What we found out was that Expressway needs to be configured in a dual nic configuration - one internal NIC and one External NIC. Trying to get it working on a single NIC with NAT through a PA will apparently not work. I also had to create a non-routable (internally) vLAN and use it on a DMZ port on the Palo ALto. I then took the Expressway interface configured for External access and put it on the DMZ vLAN. That Expressway NIC was configured with internal NAT, a security rule and direct NAT rule were created on the Palo Alto, and all worked afterward. I guess the real hold up was that a DMZ needed to be created on the PA (we didn't really have one prior to this) and the Expressway needed to be set to use dual interfaces. Once everything was configured and secured properly, we were able to register external SIP phones and make and receive calls. 

 

 

Highlighted
L0 Member

This is an old post, but I'm doing the same thing with Jabber and a single Palo Alto firewall. Dual NIC Expressway configuration. Are you by chance still doing all this and be willing to send over your NAT and security rules that are set up? Static NAT on the external Expressway-E interface out to a public address is no problem. I get all that. I'm still trying to get my head around what needs to happen between the Expressway-C and Expressway-E internal and external interfaces.

Highlighted
L0 Member

I am in the same boat - wanted to verify my configuration -

 

I created a NAT

Source Zone - untrust > Destination Zone - untrust > Destination address - Public expressway E > Destination Translation - address - DMZ-express E

 

Security policy

 

Source zone - untrust > Destination zone - DMZ > Destination address - Public expressway E > service - ports for expressway

 

Does that sound right?

 

 

Highlighted
L6 Presenter

@lsimanek,

 

If you're facing kind of issues with the below configuration, try with Static Bidirectional NAT  configuration.

 



Mayur
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!