topic Firewalls in DMZ in Network Security

Firewalls in DMZ

benolyndav — Fri, 21 Feb 2020 16:19:48 GMT

I have a 2 asa Firewall DMZ to set up, my question is i plan to put a switch between them is there any special config I need in order to route traffic through internal Firewall to external Firewall to Internet.??

Thanks

Re: Firewalls in DMZ

Alex Pfeil — Fri, 05 Oct 2018 23:52:18 GMT

Is there a benefit to having 2 separate firewalls?

you can have an inside interface, DMZ interface, and outside interface with one firewall.

To answer your question, the two DMZ interfaces would have to be in same VLAN on same subnet and have routes to respective public and private networks.

please mark helpful posts.

Re: Firewalls in DMZ

Francesco Molino — Sat, 06 Oct 2018 03:03:27 GMT

Hi

What do you want to achieve? Do you have a quick drawing?

You need to certainly take about access policies, routing. That's pretty much it. I believe all your public are only on your internet firewalls and Nat is done there, right?

Re: Firewalls in DMZ

benolyndav — Sat, 06 Oct 2018 07:19:36 GMT

I'm not sure om how to route traffic from Inside firewall to Internet Firewall to Internet, what gateway would i use for internal firewall internet route.???

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 00:06:58 GMT

Can you share a drawing of what you implementing and then maybe we can help better.

Re: Firewalls in DMZ

Alex Pfeil — Sun, 07 Oct 2018 01:04:48 GMT

If you are insisting on using two firewalls, static routing on a firewall would be pretty easy.

Internet firewall
Route outside 0.0.0.0 0.0.0.0 gatewayIP
Route inside allInternalSubnets insideFirewallOutsideIp
Example
Route inside 172.16.0.0 255.255.0.0 172.16.254.1

Inside firewall example
Route outside 0.0.0.0 0.0.0.0 172.16.254.2

This is just an example. One consideration would be that having two firewalls in one DMZ subnet can be an issue because there are two possible gateways. Are you going to have a router in the DMZ? The issue with two gateways is that a server will only have one default gateway configured. You can resolve this with static routes on the servers.

Please rate helpful posts.

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 01:27:15 GMT

If you could advise on how to set up default routes as per my original post.

Thanks

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 01:48:59 GMT

On firewall internet:

You need to add a route inside to all your subnets behind this firewall and with your internal firewall as next hop.
You need to bridge the Nat is anything inside natted on your outside interface.

On your internal firewall:

You need to add a route outside 0.0.0.0 0.0.0.0 172.20.57.2
You need to make sure you're not doing any nat because your internet firewall will do.
This firewall knows all subnets connected to him but you need to add acl on your outside to let packets in when something comes from the internet firewall if needed like nat an internal service for example

With this basic config you should be able to access Internet from everywhere.

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 07:18:18 GMT

When i try adding Route outside 0.0.0.0 0.0.0.0 172.20.57.2 on internal Firewall, I get a error saying connected route.??????

Thanks

Re: Firewalls in DMZ

Alex Pfeil — Sun, 07 Oct 2018 10:20:10 GMT

If 172.20.57.2 is an interface on the ASA, you want to change that to the next hop interface. Do you already have a default route set?

Please mark helpful posts.

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 12:20:29 GMT

No Default route on internal Firewall, I dont understand why the Firewall wont allow me to add the default route, error connecte route. ????????

Re: Firewalls in DMZ

Alex Pfeil — Sun, 07 Oct 2018 20:08:59 GMT

172.20.57.x needs to be next hop and not the ASA.
For example, if the Asa is 172.20.57.2 and the next hop router is 172.20.57.1.

Route outside 0.0.0.0 0.0.0.0 172.20.57.1

Please mark helpful posts.

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 20:14:42 GMT

Ok based on what was written on your doc I thought 57.2 was the inside interface of your internet firewall, that's why I said on your internal firewall you would need a default route pointing towards your internet firewall for internet access. If that's not the IP, then you can adjust it or share a visible/readable design with all IPs and I can help you with the right/correct routes you need to configure and where you need to configure them.

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 20:16:18 GMT

I might be missing something here but the two asa's are connected through a switch, internal Firewall ip address is .1 the internet facing firewall is .2 so as you can see thes two in same subnet so the next hop for the internak firewall would be .2 surely.???

Thanks

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 20:19:43 GMT

.2 would be next-hop for internal firewall and you should have there a route like (let's assume on your internal fw with .1 the name is outside): route outside 0.0.0.0 0.0.0.0 172.20.57.2

Then on your internet firewall, to reach your internal subnets (let's say the supernet is 10.0.0.0/8 and name of interface is inside), you should have: route inside 10.0.0.0 255.0.0.0 172.20.57.1

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 20:30:19 GMT

Thanks for the help ive attached a drawing its a bit basic, apologies for that, im just confused that when I try adding default route on internal firewall and use .2 as gateway i get the error connected route and the Firewall docent insert the route.

Thanks

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 20:36:56 GMT

The error you're getting is on internal or internet firewall? Can you share the command you're typing?

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 20:39:39 GMT

route outside 0.0.0.0 0.0.0.0 172.20.57.2

Re: Firewalls in DMZ

benolyndav — Sun, 07 Oct 2018 20:40:21 GMT

and the error is on internal FW, thats where im trying to add the route

Re: Firewalls in DMZ

Francesco Molino — Sun, 07 Oct 2018 20:42:31 GMT

Can you share output of "show int ip bri" and "show route" from both firewalls please?