There are a number of excellent documents on the subject of ExpressWay traversal DMZ design and handling NAT. I must however commend Cisco on the updates on this topic in the X8.7 documentation release.
Please see the below:
Cisco discusses various DMZ deployment models:
- Dual-NIC Static NAT (Recommended)
- Single NIC Static NAT
- 3-Port Firewall Static NAT
There are other methods, including variations without NAT where a public IP is placed directly on the Edge. Personally, “it works” is not a good enough reason to deploy that way; avoid it as far as possible.
Most specifically, I must highlight the following from the document:
- Preferred Architecture dictates a dual-NIC Static NAT design
- Dual-NIC design requires static routing on the Edge
- Static NAT is definitely preferred to a Public IP on an ExpressWay-E box
- Disable SIP ALG on your firewall – pretty standard stuff
- Single NIC designs result in problematic implementation considerations that can relate to:
  - NAT Reflection – resultant asymmetric routing, security concerns and firewall support issues
  - Hair-pinned media
  - Excessive bandwidth consumption (3 times in fact!)
  - Public IP exposure in SIP signalling to B2BUA
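To make the design rules above checkable rather than just a reading list, here is an added example (my own code, not from the original post, Cisco's documentation or any Expressway or firewall tooling) that scores a proposed Expressway-E DMZ design against them: dual NICs on separate subnets, a private address on the external NIC with a static NAT on the firewall instead of a public IP on the box, a default route out the external NIC plus static routes to internal networks via the internal NIC, and SIP ALG disabled. The dictionary keys and the sample designs are constructed for this example and are not real Expressway configuration fields.

```python
"""
Added example: check a proposed Expressway-E DMZ design against the
dual-NIC static NAT rules. Field names and sample data are assumptions
made for this example, not Expressway or firewall configuration keys.
"""
import ipaddress

# RFC 1918 ranges; used instead of ipaddress' is_private so that
# documentation/test ranges such as 203.0.113.0/24 count as "public".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FINDINGS = {
    "SIP_ALG_ENABLED": "SIP ALG is enabled on the firewall; disable it",
    "PUBLIC_IP_ON_EDGE": "external NIC carries a public address; use a "
                         "static NAT on the firewall instead",
    "NO_STATIC_NAT": "external NIC is private but no static NAT public "
                     "address is recorded for it",
    "SINGLE_NIC": "single-NIC design: expect NAT reflection, hair-pinned "
                  "media and roughly 3x media bandwidth",
    "NICS_SHARE_SUBNET": "internal and external NICs are on the same "
                         "subnet; they must be on separate ones",
    "DEFAULT_ROUTE_NOT_EXTERNAL": "default route must leave via the "
                                  "external (DMZ-facing) NIC",
    "NO_INTERNAL_STATIC_ROUTE": "dual-NIC design needs static routes to "
                                "internal networks via the internal NIC",
}


def _is_rfc1918(addr):
    """True if addr (string or address object) is in an RFC 1918 range."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in RFC1918)


def check_edge_design(design):
    """Return finding codes for a design; an empty list means it matches
    the recommended dual-NIC static NAT model. Keys in FINDINGS."""
    findings = []
    nics = design.get("nics", {})
    if design.get("firewall", {}).get("sip_alg", False):
        findings.append("SIP_ALG_ENABLED")
    if "external" not in nics:
        raise ValueError("design needs an 'external' NIC")
    ext = ipaddress.ip_interface(nics["external"]["address"])
    if not _is_rfc1918(ext.ip):
        findings.append("PUBLIC_IP_ON_EDGE")
    elif not design.get("static_nat_public_ip"):
        findings.append("NO_STATIC_NAT")
    if "internal" not in nics:
        findings.append("SINGLE_NIC")
        return findings  # routing checks only apply to dual-NIC designs
    inside = ipaddress.ip_interface(nics["internal"]["address"])
    if inside.network == ext.network:
        findings.append("NICS_SHARE_SUBNET")
    if design.get("default_route_via") != "external":
        findings.append("DEFAULT_ROUTE_NOT_EXTERNAL")
    if not any(r.get("via") == "internal"
               for r in design.get("static_routes", [])):
        findings.append("NO_INTERNAL_STATIC_ROUTE")
    return findings


# Constructed sample: the recommended dual-NIC static NAT layout.
RECOMMENDED = {
    "nics": {"external": {"address": "172.16.1.10/24", "gateway": "172.16.1.1"},
             "internal": {"address": "10.10.1.10/24", "gateway": "10.10.1.1"}},
    "static_nat_public_ip": "203.0.113.10",   # held by the firewall, not the box
    "default_route_via": "external",
    "static_routes": [{"network": "10.0.0.0/8", "via": "internal"}],
    "firewall": {"sip_alg": False},
}

# Constructed sample: single NIC with a public IP on the Edge and SIP ALG on.
LEGACY = {
    "nics": {"external": {"address": "198.51.100.20/24", "gateway": "198.51.100.1"}},
    "default_route_via": "external",
    "firewall": {"sip_alg": True},
}


if __name__ == "__main__":
    for name, design in (("recommended", RECOMMENDED), ("legacy", LEGACY)):
        codes = check_edge_design(design)
        print(f"{name}: {'OK' if not codes else ''}")
        for code in codes:
            print(f"  {code}: {FINDINGS[code]}")
```

Running it stand-alone prints no findings for the recommended design and three for the legacy one (SIP ALG, public IP on the Edge, single NIC); dropping the internal static route from the recommended design is reported separately, which is the "static routing on the Edge" requirement in the list above.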
Please see pp. 50-51 for excellent visual representations of the traffic flows for the various implementations!
Some Useful Links: