10-26-2024 01:32 PM
In a Cisco Expressway Series single-NIC deployment, the Cisco Expressway Core must be configured to point to the Fully Qualified Domain Name (FQDN) of the Cisco Expressway Edge, and that FQDN must resolve to the public IP of the Cisco Expressway Edge rather than its private IP. This is one of the challenges of this type of deployment: with Static NAT mode, the Cisco Expressway Edge expects inbound signaling and media packets (whether from the internet or from the inside zone) to be sent to its public IP, not its private IP. The edge firewall is already doing Layer 3 static NAT from the internet zone to the DMZ zone for the Cisco Expressway Edge server, so it must additionally allow traffic from the Cisco Expressway Core (inside zone) to the public IP of the Cisco Expressway Edge (DMZ zone). This is commonly known as NAT reflection.
A static one-to-one NAT must be configured that translates the public IP address 41.1.1.60 to the LAN IP address 10.1.6.60 of the Cisco Expressway-Edge. The following destination NAT rule translates the public IP 41.1.1.60 to the private IP 10.1.6.60.
Packets from the Cisco Expressway-C that traverse the Palo Alto firewall towards the Cisco Expressway-E's public IP address 41.1.1.60 undergo the following transformation under the NAT reflection rule:
Destination IP address 41.1.1.60 is replaced with destination IP address 10.1.6.60 (Expressway-E's private IP address). This is also a destination NAT (DNAT).
The source IP address 10.1.5.60 (Cisco Expressway-C) remains unchanged.
When the Cisco Expressway-C packets arrive at the Cisco Expressway-E, they therefore carry source IP 10.1.5.60 and destination IP 10.1.6.60.
NAT reflection on the Palo Alto firewall is configured with a U-turn NAT rule.
The U-turn NAT rule configured below has the following settings:
After configuring the DNAT rule for MRA connections coming from the internet to the Cisco Expressway-Edge and the U-turn NAT rule for traversal connections coming from the Cisco Expressway-Core to the Cisco Expressway-Edge, two security policy rules are needed to allow these connections.
Below is a security rule that allows inbound connections from the internet to the Cisco Expressway-Edge.
Below is a security rule that allows outbound traffic from the Cisco Expressway-Core to the Cisco Expressway-Edge.
Verify on the Cisco Expressway-Core that the traversal connection is active.
Verify on the Cisco Expressway-Edge that the traversal connection is active.
The firewall's session table shows an entry for the traversal connection between the Cisco Expressway-C and the Cisco Expressway-Edge with destination port 7001. This connection is initiated by the Cisco Expressway-C towards destination port 7001 in order to provide firewall traversal for SIP signaling initiated from the untrusted zone to the trusted zone.
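To make the NAT and security policy behaviour described above concrete, here is an added example (not part of the original post, and not Palo Alto or Cisco code) that models how the firewall evaluates the two NAT rules and the two security rules against sample packets. It reproduces the PAN-OS evaluation order that matters for NAT reflection: a NAT rule is matched on the pre-NAT zones (the destination zone is the zone the original public address routes to), while the security policy is matched on the post-NAT destination zone but the pre-NAT (original) destination address. The zone names (internet, dmz, inside), the routing table, the rule names, the internet client address 203.0.113.10 and the SIP TLS port 5061 are constructed assumptions; the addresses 41.1.1.60, 10.1.6.60, 10.1.5.60 and port 7001 come from the post.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed routing table (assumption): the zone through which each destination is reached.
ROUTES = [
    (ipaddress.ip_network("10.1.5.0/24"), "inside"),   # Expressway-C subnet
    (ipaddress.ip_network("10.1.6.0/24"), "dmz"),      # Expressway-E subnet
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),   # default route
]


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup; the zone is that of the matching route."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, None
    for net, zone in ROUTES:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str        # pre-NAT zone: where the ORIGINAL destination address routes
    orig_dst: str
    translated_dst: str


NAT_RULES = [
    # Inbound MRA DNAT: the public IP routes to the internet zone, so it is internet -> internet.
    NatRule("Inbound-DNAT-ExpE", "internet", "internet", "41.1.1.60", "10.1.6.60"),
    # U-turn (NAT reflection): Expressway-C in the inside zone talking to the public IP.
    NatRule("Uturn-ExpC-to-ExpE", "inside", "internet", "41.1.1.60", "10.1.6.60"),
]


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str                         # post-NAT zone
    dst_ip: str                           # pre-NAT (original) destination address
    dst_ports: Optional[FrozenSet[int]]   # None means any service
    action: str


SECURITY_RULES = [
    SecurityRule("Allow-Internet-to-ExpE", "internet", "dmz", "41.1.1.60", None, "allow"),
    SecurityRule("Allow-ExpC-to-ExpE", "inside", "dmz", "41.1.1.60", frozenset({7001}), "allow"),
]


def apply_nat(pkt: Packet):
    """First matching NAT rule wins; destination NAT only, the source is left untouched."""
    src_zone = zone_for(pkt.src_ip)
    pre_nat_dst_zone = zone_for(pkt.dst_ip)
    for rule in NAT_RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == pre_nat_dst_zone
                and rule.orig_dst == pkt.dst_ip):
            return replace(pkt, dst_ip=rule.translated_dst), rule.name
    return pkt, None


def apply_security(pkt: Packet, post_nat: Packet):
    """Security policy: post-NAT destination zone, pre-NAT destination address."""
    src_zone = zone_for(pkt.src_ip)
    post_nat_dst_zone = zone_for(post_nat.dst_ip)
    for rule in SECURITY_RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == post_nat_dst_zone
                and rule.dst_ip == pkt.dst_ip
                and (rule.dst_ports is None or pkt.dst_port in rule.dst_ports)):
            return rule.action, rule.name
    return "deny", "interzone-default"


def process(pkt: Packet) -> dict:
    post_nat, nat_rule = apply_nat(pkt)
    action, sec_rule = apply_security(pkt, post_nat)
    return {"src_ip": post_nat.src_ip, "dst_ip": post_nat.dst_ip,
            "nat_rule": nat_rule, "action": action, "security_rule": sec_rule}


if __name__ == "__main__":
    samples = (Packet("10.1.5.60", "41.1.1.60", 7001),      # Expressway-C traversal (U-turn)
               Packet("203.0.113.10", "41.1.1.60", 5061),   # MRA client from the internet
               Packet("10.1.5.60", "41.1.1.70", 7001))      # inside host to an unrelated public IP
    for p in samples:
        print(p, "->", process(p))
```

The third sample packet is there to show the negative case: a packet from the inside zone to a public address that no NAT rule covers is not translated and, because it then lands in the internet zone with no matching security rule, is dropped by the default interzone deny. If the security rule for the Core-to-Edge traffic were written with the private address 10.1.6.60 as its destination, it would never match, because the firewall evaluates the security policy against the original destination 41.1.1.60.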