PaloAlto Firewall and Cisco Expressway integration with NAT Reflection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PaloAlto Firewall and Cisco Expressway integration with NAT Reflection

L2 Linker

 

rmeddane_0-1729974486754.png

 

 

In Cisco Expressway Series with Single NIC Deployment, the Cisco Expressway Core must be configured to point to the Fully Qualified Domain Name (FQDN) of the Cisco Expressway Edge, this FQDN must be resolved to the Public IP of Cisco Expressway Edge, instead of its private IP, this is one of the challenge in this type of deployment, because with Static NAT Mode, the Cisco Expressway Edge expects and requests that the inbound signaling and media packets (either from internet or inside zone) to be sent to its public IP rather than its private IP. Since the Firewall edge is doing Layer 3 Static NAT from internet zone to DMZ zone for Cisco Expressway Edge server, therefore it must allow traffic from Cisco Expressway Core (inside zone) to the Public IP of Cisco Expressway Edge (DMZ Zone), this is well known as NAT Reflection.

 

A static one-to-one NAT must be configured, which performs the NAT of the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. Below a Destination NAT Rule that translate the Public IP 41.1.1.60 to the Private IP 10.1.6.60.

 

rmeddane_1-1729974486755.png

 

rmeddane_2-1729974486757.png

 

rmeddane_3-1729974486758.png

 

The packets coming fom Ciso Expressway-C traversing the PaloAlto Firewall destined to Ciso Expressway-E’s public IP address 41.1.1.60 will have the following transformation using the NAT Reflection Rule :

 

Destination IP address 41.1.1.60 is replaced with Destination IP address 10.1.6.60 (Expressway-E’s private IP address). This is also a Destination NAT (DNAT).

 

The Source IP address 10.1.5.60 (Cisco Expressway-C) remains the same.

 

When Cisco ExpressWay-C packets arrive to the Cisco Expressway-E, they will have the following source & destination IP address: Source IP: 10.1.5.60, Destination IP: 10.1.6.60.

 

NAT reflection on PaloAlto Firewall is configured with U-turn NAT Rule.

 

The U-Turn NAT Rule configured below has the following:

 

  • The originale source IP: 10.1.5.60 (Expressway-C)
  • The originale destination IP: 41.1.1.60 (Expressway-E)
  • The tanslated source IP: None
  • The translated destination IP: 10.1.6.60

 

rmeddane_4-1729974486759.png

 

rmeddane_5-1729974486761.png

 

rmeddane_6-1729974486762.png

 

rmeddane_7-1729974486763.png

 

After configuring the DNAT Rule for MRA connection coming from internet to Cisco Expressway-Edge and U-turn NAT Rule for traversal connection coming from Cisco Expressway-Core to Cisco Expressway-Edge, we need to configure two security policy rules to allow these connections.

 

Below a security rule to allow inbound connection from internet to Cisco Expressway-Edge.

 

rmeddane_8-1729974486764.png

 

rmeddane_9-1729974486765.png

 

rmeddane_10-1729974486767.png

 

Below a Security rule to allow outbound traffic from Cisco Expressway-Core to Cisco Expressway-Edge.

 

rmeddane_11-1729974486768.png

 

rmeddane_12-1729974486769.png

 

rmeddane_13-1729974486771.png

 

rmeddane_14-1729974486773.png

 

Verify on the Cisco Expressway-Core, the traversal connection is active.

 

rmeddane_15-1729974486774.png

 

Verify on the Cisco Expressway-Edge, the traversal connection is active.

 

rmeddane_16-1729974486778.png

 

The connection table of the firewall is displaying an entry of the traversal connection between Cisco Expressway-C and Cisco Expressway-Edge with the destination port 7001, this connection is initiated by Cisco Expressway-C with a destination port 7001 in order to provide Firewall Traversal for SIP signaling intiated from untrusted zone to trusted zone.

 

rmeddane_17-1729974486780.png

 

rmeddane_18-1729974486783.png

 

0 REPLIES 0
  • 420 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!