This topic describes how Cisco Expressway and Cisco Unified Border Element can provide NAT and security solutions
Cisco Unified Border Element acts as an application proxy:
- In flow-through mode, signaling and media traffic are split into two call legs.
- Internal devices (IP phones, Cisco Unified Communications Manager) do not need IP connectivity to the outside.
- Only Cisco Unified Border Element needs to have a public IP address.
When Cisco Unified Communications Manager servers and IP phones need to connect to the Internet, Cisco Unified Border Element can be used as an application proxy. When used in this way, Cisco Unified Border Element splits off-net calls inside and outside into two separate call legs.
The Cisco Unified Border Element can function in two modes:
- Flow-around: In this mode, only signaling is intercepted by Cisco Unified Border Element. Media exchange occurs directly between endpoints (and flows around Cisco Unified Border Element). Only signaling devices (Cisco Unified Communications Manager) are hidden from the outside.
- Flow-through: In this mode, both signaling and media streams are intercepted by Cisco Unified Border Element (by flowing through Cisco Unified Border Element). Both Cisco Unified Communications Manager and IP phones are hidden from the outside.
In flow-through mode, only Cisco Unified Border Element needs to have a public IP address, so NAT and security issues for internal devices (Cisco Unified Communications Manager servers and IP phones) are solved. Because Cisco Unified Border Element is exposed to the outside, it should be hardened against attacks.
Cisco Unified Border Element in Flow-Through Mode
The figure illustrates how the use of a Cisco Unified Border Element protects inside devices such as Cisco Unified Communications Manager and IP phones by acting as a signaling and media proxy.
In the example, Cisco Unified Communications Manager has a private IP address of 10.1.1.1, and the IP phone has a private IP address of 10.2.1.5. A Cisco Unified Border Element connects the Cisco Unified Communications Manager cluster to the outside world, in this case, to an ITSP. The Cisco Unified Border Element is configured in flow-through mode and uses an internal private IP address of 10.3.1.1 and an external public IP address of A.
When Cisco Unified Communications Manager wants to signal calls to the ITSP, it does not send the packets to the IP address of the ITSP (IP address B). Instead, it sends them to the internal IP address of the Cisco Unified Border Element (10.3.1.1) via a SIP trunk configuration. Cisco Unified Border Element then establishes a second call leg to the ITSP, using its public IP address A as the source and IP address B (the ITSP) as the destination. Once the call is set up, the Cisco Unified Border Element terminates RTP toward the ITSP, using its public IP address, and sends the received RTP packets to the internal IP phone, using its internal IP address.
This solution allows Cisco Unified Communications Manager and IP phones to communicate only with the internal, private IP address of the Cisco Unified Border Element. The only IP address that is visible to the ITSP is the public IP address of Cisco Unified Border Element.
Cisco Expressway as a NAT and Security Solution
Cisco Expressway is another solution to NAT and security issues in Cisco Unified Communications Manager deployments.
Cisco Expressway provides edge services:
- Firewall traversal
- Solves NAT issues
- Remote access
- Secure, remote access without the need for a VPN
- Controlled traffic patterns through firewalls based on two components:
- Cisco Expressway E (facing the outside)
- Cisco Expressway C (facing the inside)
Cisco Expressway provides edge services in a Cisco Unified Communications Manager deployment. These services include firewall traversal and remote access.
Firewall traversal solves NAT issues that usually prevent a remote endpoint from directly exchanging media with another endpoint when PAT is used between the two endpoints.
Remote access provides secure access to remote endpoints without the need for a VPN. Similar to the Cisco Phone Proxy feature (a feature involving the Cisco ASA adaptive security appliance), Expressway can act as a proxy and connect to the remote endpoint via secure protocols, such as TLS and SRTP) while the connection between Cisco Expressway and Cisco Unified Communications Manager does not have to be encrypted.
A Cisco Expressway solution consists of two Cisco Expressway devices:
- Cisco Expressway E: This server faces the untrusted outside network. It is located on a network segment that is close to the untrusted network. In most cases, this network segment is a DMZ, so there is one firewall (or a firewall ruleset) between Cisco Expressway E and the untrusted network.
- Cisco Expressway C: This server faces the inside network. It is located on an intermediate or internal network, typically a server network.
The set of two separate servers allows well-defined traffic patterns and tight access control (determines which device is allowed to send which type of traffic to which other device).
Cisco Expressway Deployment Example
The figure illustrates a typical Cisco Expressway deployment.
- Cisco Expressway C
- Faces the inside network
- Reachable from inside
- Connects to Cisco Expressway E
- Cisco Expressway E
- Faces the outside network
- Reachable from outside
- Connects to Cisco Expressway C
- Provides secure communication to remote endpoints that are reachable over untrusted networks (such as the Internet)
- Provides media termination services, if needed
- Solves NAT issues of remote endpoints
- Eliminates the need for VPN tunnels
The figure illustrates how Cisco Expressway E and Cisco Expressway C work together when providing remote access services to endpoints that are located in an untrusted network such as the Internet.
The remote endpoint connects to Cisco Expressway E, Cisco Expressway E connects to Cisco Expressway C, and Cisco Expressway C connects to Cisco Unified Communications Manager. An outside firewall is deployed between the Internet and Cisco Expressway E, and an internal firewall is deployed between Cisco Expressway E and Cisco Expressway C.
Cisco Expressway E provides secure communication to the remote endpoint and provides media termination services, if needed.