I am putting in a Jabber system using Expressway-E and C. My Expressway-E server is NAT'd through the PA-3020 and I have a security rule set up to allow the required ports in on the Public address. If I make a call IN from an external Jabber client it goes through fine. If I try to make a call OUT from a phone to a jabber client, the call does not go through.
My setup is similar to this:
192.168.1.10 (internal address of EXP-E)
188.8.131.52 (external IP of EXP-E)
192.168.1.10 is NAT'd through to 184.108.40.206
trust-> untrust Dest Address=220.127.116.11 Source Translation= Dynamic/18.104.22.168 destination translation =192.168.1.10
trust->untrust source address=192.168.1.10 source translation static/22.214.171.124 bi-di.
Security rule set up to allow incoming SIP type ports to come across on the 126.96.36.199 external IP.
Expressway E is set up with a single interface. When Expressway-E has NAT turned on, I can make a call from external to internal. WHen Expressway-E has NAT turned off, I CAN get a call to go external, but there is no audio.
Does anyone have any idea what I am doing wrong?
Welcome to the community!
Kinda hard to guess what's going on with the traffic. Can you check the session on the CLI when testing? - show session all filter source x.x.x.x
Also, pcaps would be insightful in this scenario (https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390).
What we found out was that Expressway needs to be configured in a dual nic configuration - one internal NIC and one External NIC. Trying to get it working on a single NIC with NAT through a PA will apparently not work. I also had to create a non-routable (internally) vLAN and use it on a DMZ port on the Palo ALto. I then took the Expressway interface configured for External access and put it on the DMZ vLAN. That Expressway NIC was configured with internal NAT, a security rule and direct NAT rule were created on the Palo Alto, and all worked afterward. I guess the real hold up was that a DMZ needed to be created on the PA (we didn't really have one prior to this) and the Expressway needed to be set to use dual interfaces. Once everything was configured and secured properly, we were able to register external SIP phones and make and receive calls.
This is an old post, but I'm doing the same thing with Jabber and a single Palo Alto firewall. Dual NIC Expressway configuration. Are you by chance still doing all this and be willing to send over your NAT and security rules that are set up? Static NAT on the external Expressway-E interface out to a public address is no problem. I get all that. I'm still trying to get my head around what needs to happen between the Expressway-C and Expressway-E internal and external interfaces.
I am in the same boat - wanted to verify my configuration -
I created a NAT
Source Zone - untrust > Destination Zone - untrust > Destination address - Public expressway E > Destination Translation - address - DMZ-express E
Source zone - untrust > Destination zone - DMZ > Destination address - Public expressway E > service - ports for expressway
Does that sound right?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!