by jonathan

ExpressWay DMZ and NAT Design Considerations

There are a number of excellent documents on the subject of ExpressWay traversal DMZ design and handling NAT.  I must however commend Cisco on the updates on this topic in the X8.7 documentation release.

Please see the below:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-7/Cisco-Expressway-Basic-Configuration-Deployment-Guide-X8-7.pdf

 

Cisco discusses various DMZ deployment models:

  1. Dual-NIC Static NAT (Recommended)
  2. Single NIC Static NAT
  3. 3-Port Firewal Static NAT

 

There are other methods that include variations without NAT where a Public IP is placed on the Edge.  Personally, “It works” is not a good enough reason to deploy as such.  Avoid as far as possible.

 

Most specifically, I must highlight the following from the document:

  • Preferred Architecture dictates a dual-NIC Static NAT design
  • Dual-NIC design requires static routing on the Edge
  • Static NAT is definitely preferred to a Public IP on a ExpressWay-E box
  • Disable SIP ALG on your firewall – pretty standard stuff
  • Single NIC designs result in problematic implementation considerations that can relate to:
    • NAT Reflection – resultant asymmetric routing, security concerns and firewall support issues
    • Hair-pinned media
    • Excessive bandwidth consumption (3 times in fact!)
    • Public IP exposure in SIP signalling to B2BUA

Please see pp. 50-51 for excellent visual representations of the traffic flows for the the various implementations!

 

Some Useful Links:

 

Advertisement

3 thoughts on “ExpressWay DMZ and NAT Design Considerations

  1. Hi,

    Could you please share your experience with us about expressway c and e cenario with dual nic. So believe that advanced network license was necessary?

    Like

    Reply

    1. Yes, as per my experience, this was necessary for the deployments that I completed with this. I don’t expect that this has changed. If you’d like to make verify this, I’d suggest a TAC, or contact your local Cisco Account Manager or SE.

      Like

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.