topic How to implement Dual firewall. in Network Security

How to implement Dual firewall.

kkwaskcisco — Tue, 12 Mar 2019 05:19:28 GMT

Hello;

I want to implement dual firewalls in my network, one facing to internet and another one facing to LAN, currently I have a Firewall B facing to internet and LAN and have a IPsec VPN for site to site. If I need to place a new Firewall A in front of Firewall B and facing to internet, where should I teminate my site to site VPN? And how to direct the traffic from interent to Firewall A, then Firewall B, using double NATTING? or all any any from Outside interface of Firewall A to the Outside interface of Firewall B? I am using ASA 5512X.

LAN ---> Firewall B ---------> Firewall A --------> Internet

DMZ

How to direct the traffic from internet back to LAN?

Thanks!

Hi, What is the reason of

Jouni Forss — Mon, 12 Jan 2015 12:04:52 GMT

Hi,

What is the reason of inserting another firewall in front of the currently used firewall?

With regards to the VPN I would rather use the VPN on the firewall on the edge of the network or have a separate VPN gateway device on the edge of the network.

I am not sure that I understand the problem with forwarding the traffic? You should simply have the proper routes configured on the firewalls and other connected devices to forward the traffic correctly.

I also don't really understand what you mean by the double NAT in this case?

I think we need some clarifications on why you are changing the setup like this and what you want to achieve.

- Jouni

Hi Jouni Thanks for your

kkwaskcisco — Sat, 17 Jan 2015 02:28:28 GMT

Hi Jouni

Thanks for your response. The reason of placing a 2nd firewall facing to internet is for security reason, try to enhance the security in network.

I was thinking to put the route also but not sure if this is the correct path to do. I was thinking, the connection like this way.

1. connect the WAN interface of Firewall B to LAN interface of Firewall A with a network cable. (I think this is correct connection)

2. Assign a LAN ip for Firewall B WAN interface, like 192.168.0.1

3. Assign a LAN ip for LAN interface of Firewall A, like 192.168.0.254

4. Assign the public ISP IP for WAN interface on Firewall A for internet connection.

5. On Firewall B, using a static route to route all inbound traffic from any any through 192.168.0.254 because 192.168.0.254 will be the gateway.

route outside 0 0 192.168.0.254

6. On Firewall A, routing all traffic to internet through ISP gateway.

But, what will be the command looks like for inbound traffic from Firewall A to Firewall B, then to ensure that it can go to the LAN side on Firewall B?