This is a working configuration for a customer that required both Expressway-C and Expressway-E (single NIC) to be on the same internal VLAN. For this configuration to work, Expressway-C must reach Expressway-E via the Expressway-E public IP address, and communication from Expressway-E to Expressway-C must be sourced from the Expressway-E public IP address, which is configured as a static NAT on the ASA.
The ASA configuration requires two public IP addresses, one for Expressway-C and one for Expressway-E. The public IP addresses are used for NAT reflection and for external access to the Expressway-E.
MRA, B2B, and XMPP Federation worked as expected; I was actually quite surprised that I did not run into any oddities. Obviously, this is neither the preferred nor the supported architecture for deploying Expressway, but it is nice to have something in your back pocket besides your magic wand.
Note: This adds network overhead, because all communication between Expressway-C and Expressway-E, in both directions, MUST traverse the ASA. If any of that traffic bypasses the ASA, asymmetric routing and other communication issues will occur, resulting in a non-working solution.
Oh yeah, drink the Kool-Aid…
ASA Configuration
Configure the ASA to allow traffic to hairpin on the same interface
same-security-traffic permit intra-interface
Configure network objects for Expressway-C & Expressway-E
object network EXPC1-IN
host 172.16.0.18
object network EXPC1-OUT
host 1.1.1.51
object network EXPE1-IN
host 172.16.0.19
object network EXPE1-OUT
host 1.1.1.50
Configure a service object-group for the ports allowed into Expressway-E (modify ports as needed)
object-group service EXPE1
service-object tcp destination eq 8443
service-object tcp destination eq 5222
service-object tcp destination eq 5269
service-object tcp destination range sip 5061
service-object udp destination eq sip
service-object udp destination range 36000 59999
service-object tcp destination eq h323
service-object tcp destination eq 2776
service-object tcp destination range 15000 19999
service-object udp destination eq 3478
service-object udp destination range 24000 29999
service-object tcp destination eq https
Configure access-list to open ports into Expressway-E
access-list outside_access_in extended permit object-group EXPE1 any object EXPE1-IN
Configure NAT Reflection for Expressway-C & Expressway-E
nat (INSIDE,INSIDE) source static EXPC1-IN EXPC1-OUT destination static EXPE1-OUT EXPE1-IN
nat (INSIDE,INSIDE) source static EXPE1-IN EXPE1-OUT destination static EXPC1-OUT EXPC1-IN
Configure static NAT for Expressway-E (only Expressway-E needs a static NAT to the outside)
object network EXPE1-IN
nat (INSIDE,OUTSIDE) static 1.1.1.50
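As an added illustration (not part of the original post and not Cisco code), the following Python models the two NAT reflection rules and the intra-interface hairpin permit so you can check which source and destination address each Expressway actually sees; the interface names and object values are the ones configured above.

```python
# Added model (not Cisco's code) of the ASA twice-NAT "reflection" rules on this page:
# it shows what source and destination each Expressway sees once the hairpin is applied.
from typing import NamedTuple

OBJECTS = {  # network objects exactly as configured on the page
    "EXPC1-IN": "172.16.0.18", "EXPC1-OUT": "1.1.1.51",
    "EXPE1-IN": "172.16.0.19", "EXPE1-OUT": "1.1.1.50",
}

class TwiceNat(NamedTuple):
    """nat (in_if,out_if) source static SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL"""
    in_if: str
    out_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str

# The two manual NAT rules from the page; static section-1 rules apply in both directions.
RULES = [
    TwiceNat("INSIDE", "INSIDE", "EXPC1-IN", "EXPC1-OUT", "EXPE1-OUT", "EXPE1-IN"),
    TwiceNat("INSIDE", "INSIDE", "EXPE1-IN", "EXPE1-OUT", "EXPC1-OUT", "EXPC1-IN"),
]

def translate(ingress_if, src, dst, hairpin_allowed=True):
    """Return (egress_if, translated_src, translated_dst) for the first matching rule, or None
    when no reflection rule matches. hairpin_allowed models 'same-security-traffic permit intra-interface'."""
    o = OBJECTS
    for r in RULES:
        if ingress_if == r.in_if and (src, dst) == (o[r.src_real], o[r.dst_mapped]):
            egress, new_src, new_dst = r.out_if, o[r.src_mapped], o[r.dst_real]
        elif ingress_if == r.out_if and (src, dst) == (o[r.dst_real], o[r.src_mapped]):
            egress, new_src, new_dst = r.in_if, o[r.dst_mapped], o[r.src_real]
        else:
            continue
        if egress == ingress_if and not hairpin_allowed:
            raise PermissionError("intra-interface traffic dropped: enable "
                                  "'same-security-traffic permit intra-interface'")
        return egress, new_src, new_dst
    return None

if __name__ == "__main__":
    # Expressway-C talks to the *public* address of Expressway-E ...
    print(translate("INSIDE", "172.16.0.18", "1.1.1.50"))  # ('INSIDE', '1.1.1.51', '172.16.0.19')
    # ... and Expressway-E reaches Expressway-C sourced from its own public address.
    print(translate("INSIDE", "172.16.0.19", "1.1.1.51"))  # ('INSIDE', '1.1.1.50', '172.16.0.18')
    # Private-to-private traffic matches no rule; on one VLAN it never reaches the ASA at all.
    print(translate("INSIDE", "172.16.0.18", "172.16.0.19"))  # None
```

The third call is the failure mode the note above warns about: if either Expressway addresses the other's private IP directly, the flow is never reflected through the ASA and the session state becomes asymmetric.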