This document describes how to implement the Network Address Translation (NAT) configuration required in the Cisco Adaptive Security Appliance (ASA) for the Expressway-E Dual Network Interfaces implementation.
Tip: This deployment is the recommended option for Expressway-E implementation, rather than the Single-NIC implementation with NAT reflection.
Cisco recommends that you have knowledge of these topics:
Cisco ASA basic configuration and NAT configuration
Cisco Expressway-E and Expressway-C basic configuration
The information in this document is based on these software and hardware versions:
Cisco ASA 5500 and 5500-X Series appliances that run software Version 8.0 and later.
Cisco Expressway version X8.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Note: Throughout this document, the Expressway devices are referred to as Expressway-E and Expressway-C. The same configuration applies to the Video Communication Server (VCS) Expressway and VCS Control devices.
By design, Cisco Expressway-E can be placed either in a Demilitarized Zone (DMZ) or with an Internet-facing interface, while it is able to communicate with Cisco Expressway-C in a private network. When Cisco Expressway-E is placed in a DMZ, these are the additional benefits:
Tip: In order to obtain more details about the TelePresence implementation, refer to Cisco Expressway-E and Expressway-C - Basic Configuration Deployment Guide and Placing a Cisco VCS Expressway in a DMZ rather than in the public internet.
This image shows an example deployment of an Expressway-E with dual network interfaces and static NAT. Expressway-C acts as the traversal client. There are two firewalls (FW A and FW B). Typically, in this DMZ configuration, FW A cannot route traffic to FW B, and devices such as the Expressway-E are required to validate and forward traffic from FW A's subnet to FW B's subnet (and vice versa).
This deployment consists of these components.
DMZ subnet 1 – 10.0.10.0/24
DMZ subnet 2 – 10.0.20.0/24
LAN subnet – 10.0.30.0/24
Specifics of this implementation:
If Expressway-E is configured to use both LAN interfaces, the LAN1 and LAN2 interfaces must be located in non-overlapping subnets to ensure that traffic is sent out of the correct interface.
When clustering Expressway devices with the Advanced Networking option configured, each cluster peer needs to be configured with its own LAN1 interface address. In addition, clustering must be configured on an interface that does not have Static NAT mode enabled. Therefore, it is recommended that you use LAN2 as the external interface, on which you can apply and configure static NAT where applicable.
The External LAN interface configuration setting on the IP configuration page controls which network interface uses Traversal Using Relays around NAT (TURN). In a dual network interface Expressway-E configuration, this is normally set to the Expressway-E external LAN interface.
Expressway-E must be configured with a default gateway address of 10.0.10.1 for this scenario. This means that all traffic sent out via LAN2 is, by default, sent to the IP address 10.0.10.1.
If FW B translates traffic sent from the 10.0.30.0/24 subnet to the Expressway-E LAN1 interface (for example, Expressway-C traversal client traffic or TMS server management traffic), this traffic appears to come from the FW B external interface (10.0.20.1) when it reaches Expressway-E LAN1. Expressway-E is then able to reply to this traffic via its LAN1 interface, since the apparent source of that traffic is located on the same subnet.
If NAT is not enabled on FW B, traffic sent from the Expressway-C to Expressway-E LAN1 appears to come from 10.0.30.2. If Expressway-E does not have a static route for the 10.0.30.0/24 subnet, it sends the replies to this traffic to its default gateway (10.0.10.1) out of LAN2, because it is not aware that the 10.0.30.0/24 subnet is located behind the internal firewall (FW B). Therefore, a static route needs to be added: run the xCommand RouteAdd CLI command through an SSH session to Expressway-E.
In this particular example, Expressway-E must know that it can reach the 10.0.30.0/24 subnet behind FW B, which is reachable via the LAN1 interface. To accomplish this, run the command:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1
Note: Static route configuration can also be applied through the Expressway-E GUI, in the System/Network > Interfaces/Static Routes section.
In this example, the Interface parameter can also be set to Auto as the gateway address (10.0.20.1) is only reachable via LAN1.
If NAT is not enabled on FW B and Expressway-E needs to communicate with devices in subnets (other than 10.0.30.0/24) that are also located behind FW B, static routes must be added for these devices/subnets as well.
Note: This includes SSH and HTTPS connections from network management workstations or for network services like NTP, DNS, LDAP/AD, or Syslog.
The xCommand RouteAdd command and its syntax are described in full detail in the VCS Administrator Guide.
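To make the routing behaviour described above concrete, this added example (not part of the Cisco document) models the Expressway-E routing table of this scenario with a longest-prefix-match lookup: the two connected subnets, the default route via 10.0.10.1 out of LAN2, and optionally the static route that the xCommand RouteAdd line installs. It shows that replies to an un-NATed Expressway-C (10.0.30.2) leave via LAN2 toward FW A until the static route exists, while replies to a PATed source (10.0.20.1) always leave via LAN1. The Route class, select_route() and reply_path() are this example's own names; the addresses and interfaces come from the document.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str              # e.g. "10.0.30.0/24"
    interface: str           # "LAN1" or "LAN2"
    gateway: Optional[str]   # None for a directly connected subnet


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix that contains dst wins."""
    addr = ip_address(dst)
    best = None
    for route in table:
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (egress interface, next-hop address) for dst, or None if unroutable."""
    route = select_route(table, dst)
    if route is None:
        return None
    # On a connected subnet the packet is delivered directly to dst.
    return (route.interface, route.gateway or dst)


# Connected subnets and default route exactly as the scenario describes them:
# LAN2 10.0.10.2/24 with default gateway 10.0.10.1 (FW A), LAN1 10.0.20.2/24.
BASE_TABLE = [
    Route("10.0.10.0/24", "LAN2", None),
    Route("10.0.20.0/24", "LAN1", None),
    Route("0.0.0.0/0", "LAN2", "10.0.10.1"),
]

# Model of:
#   xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1
STATIC_ROUTE = Route("10.0.30.0/24", "LAN1", "10.0.20.1")


def reply_path(dst: str, with_static_route: bool) -> Optional[Tuple[str, str]]:
    """Where Expressway-E sends its reply to dst, with or without the static route."""
    table = BASE_TABLE + ([STATIC_ROUTE] if with_static_route else [])
    return next_hop(table, dst)


if __name__ == "__main__":
    # FW B does PAT: the traffic appears from 10.0.20.1, on the LAN1 subnet.
    print("PAT on FW B            ->", reply_path("10.0.20.1", with_static_route=False))
    # No NAT on FW B and no static route: replies go to the default gateway out of LAN2.
    print("no NAT, no static route ->", reply_path("10.0.30.2", with_static_route=False))
    # With the static route, replies go to FW B (10.0.20.1) via LAN1.
    print("no NAT, static route    ->", reply_path("10.0.30.2", with_static_route=True))
```

The same lookup also explains the later note about other subnets behind FW B: any destination that is not covered by a connected or static prefix falls through to the default route and leaves via LAN2.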
This section describes how to configure the static NAT required for the Expressway-E dual network interface implementation on the ASA. Some additional ASA Modular Policy Framework (MPF) configuration recommendations are included for the handling of SIP/H.323 traffic.
In this example, the IP address assignment is as follows:
Expressway-C IP address: 10.0.30.2/24
Expressway-C default-gateway: 10.0.30.1 (FW-B)
Expressway-E IP addresses:
On LAN2: 10.0.10.2/24
On LAN1: 10.0.20.2/24
Expressway-E default-gateway: 10.0.10.1 (FW-A)
TMS IP address: 10.0.30.3/24
As explained in the Background Information section of this document, FW-A has a static NAT translation that makes Expressway-E reachable from the internet at the public IP address 64.100.0.10. That public address is translated to the Expressway-E LAN2 IP address 10.0.10.2/24. This is the required FW-A static NAT configuration.
For ASA Versions 8.3 and later:
! To use PAT with a specific port range:
object network obj-10.0.10.2
 host 10.0.10.2
object service obj-udp_3478-3483
 service udp source range 3478 3483
object service obj-udp_24000-29999
 service udp source range 24000 29999
object service obj-udp_36002-59999
 service udp source range 36002 59999
object service obj-tcp_5222
 service tcp source eq 5222
object service obj-tcp_8443
 service tcp source eq 8443
object service obj-tcp_5061
 service tcp source eq 5061
object service obj-udp_5061
 service udp source eq 5061
nat (inside,outside) source static obj-10.0.10.2 interface service obj-udp_3478-3483 obj-udp_3478-3483
nat (inside,outside) source static obj-10.0.10.2 interface service obj-udp_24000-29999 obj-udp_24000-29999
nat (inside,outside) source static obj-10.0.10.2 interface service obj-udp_36002-59999 obj-udp_36002-59999
nat (inside,outside) source static obj-10.0.10.2 interface service obj-tcp_5222 obj-tcp_5222
nat (inside,outside) source static obj-10.0.10.2 interface service obj-tcp_8443 obj-tcp_8443
nat (inside,outside) source static obj-10.0.10.2 interface service obj-tcp_5061 obj-tcp_5061
nat (inside,outside) source static obj-10.0.10.2 interface service obj-udp_5061 obj-udp_5061

OR

! To use static one-to-one NAT:
object network obj-10.0.10.2
 host 10.0.10.2
 nat (inside,outside) static interface
Caution: When you apply the static PAT commands, you can receive this error message on the ASA command-line interface: "ERROR: NAT unable to reserve ports". If so, clear the xlate entries on the ASA with the command clear xlate local x.x.x.x, where x.x.x.x is the ASA outside IP address. This command clears all the translations associated with this IP address; run it with caution in production environments.
For ASA Versions 8.2 and earlier:
! Static PAT for a range of ports is not possible - a configuration line is required per port.
! This example shows only the case where static one-to-one NAT is used.
static (inside,outside) interface 10.0.10.2 netmask 255.255.255.255
According to the Unified Communication: Expressway (DMZ) to public internet documentation, the list of TCP and UDP ports that the Expressway-E requires to be allowed in FW-A is as shown in the image:
This is the ACL configuration required inbound on the FW-A outside interface. Each port range is expressed with the range keyword: access-list entries are evaluated independently, so a separate gt entry and lt entry for the same range would together match every UDP port to the host.

For ASA Versions 8.3 and later (the ACL references the real IP address):

access-list outside-in extended permit tcp any host 10.0.10.2 eq 5222
access-list outside-in extended permit tcp any host 10.0.10.2 eq 8443
access-list outside-in extended permit udp any host 10.0.10.2 range 3478 3483
access-list outside-in extended permit udp any host 10.0.10.2 range 24000 29999
access-list outside-in extended permit udp any host 10.0.10.2 range 36002 59999
access-list outside-in extended permit udp any host 10.0.10.2 eq 5061
access-list outside-in extended permit tcp any host 10.0.10.2 eq 5061
access-group outside-in in interface outside

For ASA Versions 8.2 and earlier (the ACL references the mapped public IP address):

access-list outside-in extended permit tcp any host 64.100.0.10 eq 5222
access-list outside-in extended permit tcp any host 64.100.0.10 eq 8443
access-list outside-in extended permit udp any host 64.100.0.10 range 3478 3483
access-list outside-in extended permit udp any host 64.100.0.10 range 24000 29999
access-list outside-in extended permit udp any host 64.100.0.10 range 36002 59999
access-list outside-in extended permit udp any host 64.100.0.10 eq 5061
access-list outside-in extended permit tcp any host 64.100.0.10 eq 5061
access-group outside-in in interface outside
As explained in the Background Information section of this document, FW B may require a dynamic NAT or PAT configuration so that the internal subnet 10.0.30.0/24 is translated to the IP address 10.0.20.1 when traffic leaves through the FW B outside interface.
For ASA Versions 8.3 and later:
object network obj-10.0.30.0
 subnet 10.0.30.0 255.255.255.0
 nat (inside,outside) dynamic interface
For ASA Versions 8.2 and earlier:
nat (inside) 1 10.0.30.0 255.255.255.0
global (outside) 1 interface
Tip: Be sure that all of the TCP and UDP ports required for the Expressway-C to work properly are open in FW B, as specified in this Cisco document: Cisco Expressway IP Port Usage for Firewall Traversal.
Use this section in order to confirm that your configuration works properly.
Packet Tracer can be used on the ASA to confirm that the Expressway-E static NAT translation works as required.
FW-A#packet-tracer input outside tcp 4.2.2.2 1234 64.100.0.10 5222

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/5222 to 10.0.10.2/5222

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any host 10.0.10.2 eq 5222
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

FW-A# packet-tracer input outside tcp 4.2.2.2 1234 64.100.0.10 8443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/8443 to 10.0.10.2/8443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any host 10.0.10.2 eq 8443
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

FW-1# packet-tracer input outside tcp 4.2.2.2 1234 64.100.0.10 5061

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/5061 to 10.0.10.2/5061

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any host 10.0.10.2 eq 5061
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA1# packet-tracer input outside udp 4.2.2.2 1234 64.100.0.10 24000

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/24000 to 10.0.10.2/24000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit udp any host 10.0.10.2 gt 3477
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA1# packet-tracer input outside udp 4.2.2.2 1234 64.100.0.10 36002

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/36002 to 10.0.10.2/36002

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit udp any host 10.0.10.2 gt 3477
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-10.0.10.2
 nat (inside,outside) static interface
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 17, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
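The packet-tracer runs above exercise two phases that decide whether an inbound Expressway-E flow is accepted on FW-A: UN-NAT (64.100.0.10 is untranslated to the real address 10.0.10.2) and ACCESS-LIST (the outside-in ACL, which on ASA 8.3 and later references that real address). This added example, which is not part of the Cisco document and not ASA code, models those two phases for the one-to-one static NAT case so that the port list can be checked offline. It also evaluates a second, constructed ACL written with separate gt and lt lines instead of range to show why that form matches every UDP port. parse_acl(), acl_decision() and trace() are this example's own names; the parser handles only the subset of the ASA extended ACL syntax used here.

```python
# Mapped (public) and real addresses from the scenario.
MAPPED_IP = "64.100.0.10"   # FW-A outside interface, used by the static NAT
REAL_IP = "10.0.10.2"       # Expressway-E LAN2

# One-to-one static NAT, the equivalent of "nat (inside,outside) static interface".
STATIC_NAT = {MAPPED_IP: REAL_IP}

# The document's outside-in ACL for ASA 8.3+ (real address, range keyword).
OUTSIDE_IN_ACL = """
access-list outside-in extended permit tcp any host 10.0.10.2 eq 5222
access-list outside-in extended permit tcp any host 10.0.10.2 eq 8443
access-list outside-in extended permit udp any host 10.0.10.2 range 3478 3483
access-list outside-in extended permit udp any host 10.0.10.2 range 24000 29999
access-list outside-in extended permit udp any host 10.0.10.2 range 36002 59999
access-list outside-in extended permit udp any host 10.0.10.2 eq 5061
access-list outside-in extended permit tcp any host 10.0.10.2 eq 5061
"""

# Constructed counter-example: the same intent written as gt/lt pairs.
# Each entry stands on its own, so "gt 3477" already matches every port above 3477.
LOOSE_ACL = """
access-list outside-in extended permit udp any host 10.0.10.2 gt 3477
access-list outside-in extended permit udp any host 10.0.10.2 lt 3484
"""


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO any host IP OP ...' entries
    into (action, proto, dst_ip, low_port, high_port) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, dst, op = tok[3], tok[4], tok[7], tok[8]
        if op == "eq":
            lo = hi = int(tok[9])
        elif op == "range":
            lo, hi = int(tok[9]), int(tok[10])
        elif op == "gt":
            lo, hi = int(tok[9]) + 1, 65535
        elif op == "lt":
            lo, hi = 0, int(tok[9]) - 1
        else:
            raise ValueError(f"unsupported port operator: {op}")
        entries.append((action, proto, dst, lo, hi))
    return entries


def untranslate(dst_ip):
    """UN-NAT phase: map the public destination back to the real host address."""
    return STATIC_NAT.get(dst_ip, dst_ip)


def acl_decision(entries, proto, dst_ip, dst_port):
    """ACCESS-LIST phase: first matching entry wins; the list ends in an implicit deny."""
    for action, p, ip, lo, hi in entries:
        if p == proto and ip == dst_ip and lo <= dst_port <= hi:
            return action
    return "deny"


def trace(proto, mapped_dst, dst_port, acl_text=OUTSIDE_IN_ACL):
    """Return (real destination, ACL decision) for an inbound packet on the outside interface."""
    real_dst = untranslate(mapped_dst)
    return real_dst, acl_decision(parse_acl(acl_text), proto, real_dst, dst_port)


if __name__ == "__main__":
    for proto, port in [("tcp", 5222), ("tcp", 8443), ("tcp", 5061),
                        ("udp", 24000), ("udp", 36002), ("udp", 7000), ("tcp", 22)]:
        print(proto, port, "->", trace(proto, MAPPED_IP, port))
    # The gt/lt form lets an arbitrary UDP port through.
    print("loose ACL, udp 7000 ->", trace("udp", MAPPED_IP, 7000, LOOSE_ACL))
```

A useful habit when reviewing a port list like this one is to run a few ports that are deliberately outside the ranges (as the 7000 and 22 cases do) and confirm they hit the implicit deny; on the real ASA the same check is the packet-tracer run with a port that should not be open.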
Packet captures can be taken at both ASA ingress and egress interfaces.
FW-A# sh cap
capture capout interface outside match ip host 64.100.0.100 host 64.100.0.10
capture capin interface inside match ip host 64.100.0.100 host 10.0.10.2
Packet captures for 64.100.0.10 at TCP/5222:
FW-A# sh cap capout

2 packets captured

   1: 21:39:33.646954 64.100.0.100.21144 > 64.100.0.10.5222: S 4178032747:4178032747(0) win 4128 <mss 1460>
   2: 21:39:35.577652 64.100.0.100.21144 > 64.100.0.10.5222: S 4178032747:4178032747(0) win 4128 <mss 1460>
2 packets shown

FW-A# sh cap capin

2 packets captured

   1: 21:39:33.647290 64.100.0.100.21144 > 10.0.10.2.5222: S 646610520:646610520(0) win 4128 <mss 1380>
   2: 21:39:35.577683 64.100.0.100.21144 > 10.0.10.2.5222: S 646610520:646610520(0) win 4128 <mss 1380>
2 packets shown
Packet captures for 64.100.0.10 at TCP/5061:
FW-A# sh cap capout

2 packets captured

   1: 21:42:14.920576 64.100.0.100.50820 > 64.100.0.10.5061: S 2023539318:2023539318(0) win 4128 <mss 1460>
   2: 21:42:16.992380 64.100.0.100.50820 > 64.100.0.10.5061: S 2023539318:2023539318(0) win 4128 <mss 1460>
2 packets shown

FW-A# sh cap capin

2 packets captured

   1: 21:42:14.920866 64.100.0.100.50820 > 10.0.10.2.5061: S 2082904361:2082904361(0) win 4128 <mss 1380>
   2: 21:42:16.992410 64.100.0.100.50820 > 10.0.10.2.5061: S 2082904361:2082904361(0) win 4128 <mss 1380>
2 packets shown
Packets dropped by the ASA are recorded by the ASA ASP capture. The option all captures every reason for which the ASA dropped a packet; this can be narrowed down to a single reason if one is suspected. For the list of reasons the ASA uses to classify these drops, run the command show asp drop.
capture asp type asp-drop all
show cap asp
OR
show cap asp | i 64.100.0.10
show cap asp | i 10.0.10.2
Tip: In this scenario the ASA ASP capture is used to confirm whether the ASA drops packets because of a missing ACL or NAT configuration, which would require a specific TCP or UDP port to be opened for the Expressway-E.
Tip: The default buffer size for every ASA capture is 512 KB. If too many packets are dropped by the ASA, the buffer is filled quickly. The buffer size can be increased with the buffer option.
Ensure that SIP/H.323 inspection is completely disabled on the firewalls involved.
It is highly recommended to disable SIP and H.323 inspection on firewalls that handle network traffic to or from an Expressway-E. When enabled, SIP/H.323 inspection is frequently found to interfere with the Expressway built-in firewall/NAT traversal functionality.
This is an example of how to disable SIP and H.323 inspections on the ASA:
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect sip
An alternative to the Expressway-E dual network interface (dual NIC) implementation is to deploy the Expressway-E with a single NIC and a NAT reflection configuration on the firewalls. For further details about that implementation, refer to Configure NAT Reflection on the ASA for VCS Expressway TelePresence Devices.
Tip: The recommended implementation for the VCS Expressway is the dual network interfaces/dual NIC VCS Expressway implementation described in this document.