Firewall Traversal With Cisco Expressway Packet Flow. On firewall ASA-C, add an entry from Inside to DMZ: the source IP is 10.1.5.20 (Cisco Expressway-C) and the source port is 25006; the destination IP is 172.16.1.21 (Cisco Expressway-E) and the destination port is 7001. This means that if an inbound connection with source IP:port = 172.16.1.21:7001 and destination IP:port = 10.1.5.20:25006 is received from DMZ to Inside (from the lower security level to the higher security level), the firewall allows this connection.
The Cisco Expressway-E receives the SIP INVITE and generates a new SIP INVITE with source IP:port = 172.16.1.21:7001 and destination IP:port = 10.1.5.20:25006, and sends it to ASA-C. ASA-C checks its connection table for an entry that matches this connection, and this is where the magic happens: the connection is already there. From ASA-C's perspective this is legitimate return traffic for a pseudo-connection initiated from the inside, even though the SIP INVITE was actually initiated by Cisco Jabber, in other words from the outside. The Cisco Expressway-E modifies the L3/L4 headers to match the firewall traversal connection, that is, the entry in the ASA's connection table.
This is the idea behind the firewall traversal concept.
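The following is an added example, not Cisco code and not part of the original post: a deliberately simplified model of a stateful firewall's connection table, used to show why the inbound INVITE from the Expressway-E is accepted as return traffic while an unsolicited inbound connection with a different source port is not. The interface names, security levels and the helper names are assumptions; the IP addresses and ports are the ones from the text.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# 5-tuple key: (proto, src_ip, src_port, dst_ip, dst_port)
FiveTuple = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int  # ASA-style: higher level may initiate to lower


INSIDE = Interface("inside", 100)  # assumed security levels
DMZ = Interface("dmz", 50)


class StatefulFirewall:
    """Simplified connection-table model (not the real ASA state machine)."""

    def __init__(self) -> None:
        self.conn_table: Set[FiveTuple] = set()

    def packet(self, ingress: Interface, egress: Interface, proto: str,
               src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        key: FiveTuple = (proto, src_ip, src_port, dst_ip, dst_port)
        reverse: FiveTuple = (proto, dst_ip, dst_port, src_ip, src_port)
        # Existing connection, or the reply direction of one: allowed as return traffic.
        if key in self.conn_table or reverse in self.conn_table:
            return True
        # New connection from higher to lower security level: allowed, state is created.
        if ingress.security_level > egress.security_level:
            self.conn_table.add(key)
            return True
        # New connection from lower to higher security level with no state: dropped.
        return False


def traversal_demo() -> Dict[str, bool]:
    """Replay the flow from the text and return the firewall's verdict for each step."""
    asa_c = StatefulFirewall()
    exp_c, exp_e = "10.1.5.20", "172.16.1.21"
    # 1. Expressway-C opens the traversal connection outbound (Inside -> DMZ).
    setup = asa_c.packet(INSIDE, DMZ, "tcp", exp_c, 25006, exp_e, 7001)
    # 2. Expressway-E sends the re-headered INVITE back on the same tuple (DMZ -> Inside).
    invite = asa_c.packet(DMZ, INSIDE, "tcp", exp_e, 7001, exp_c, 25006)
    # 3. An inbound INVITE that does not reuse the traversal tuple has no matching state.
    unsolicited = asa_c.packet(DMZ, INSIDE, "tcp", exp_e, 5060, exp_c, 5060)
    return {"traversal_setup": setup, "invite_via_traversal": invite,
            "unsolicited_invite": unsolicited}
```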