Re: dual firewall configuration

urbain58.gu@gmail.com · ‎02-13-2022

Hello

I have an assignment due in a few hours, and I have to design a network structure with a DMZ and dual firewalls.

*Internet facing firewall:

vlan1(Inside/LAN): 192.168.1.1
vlan2(outside): 209.165.200.226
vlan3(DMZ): 192.168.168.0.1
route outside 0.0.0.0 0.0.0.0 209.165.200.227(not set yet)

As for the second firewall I have all the IP written down but not configured.

Couldn't go forward with Dynamic Host Configuration Protocol and NAT and inside routing without thinking about the second firewall attached to the local network and assigning the security levels and access controls.

meanwhile some IP addresses are messed up.

Any help on the configuration of these firewalls would be appreciated.

Some of the IP address are not valid

Francesco Molino · ‎02-13-2022

Hi

I’m sorry i don’t have packet tracer to look at your design, and not sure what features are supported in packet tracer.
The IPs you gave are for 1 firewall only?

Can’t you do HA active/standby or active/active on your FW which i assume it’s an asa.

thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

urbain58.gu@gmail.com · ‎02-13-2022

I only shared the IP on front-end FW I can attach a screenshot of the design. I'm still new at using Cisco PT, I'm clueless on what that is. Sorry!

Basically I wanted to know how to NAT and set routes in and out the whole thing.

Thank you though!

Francesco Molino · ‎02-13-2022

The route outside is ok. For the next hop ip you put i don’t see it written on your design but it looks ok.
for dmz, it is a l2 only so no routing needed as the fw is acting as default gateway.
on the backend FW, it’s inside has an ip 192.168.20.1 so you’ll need to put a route on your front fw like:

route inside 192.168.20.0 255.255.255.0 192.168.1.2

I assume the inside subnet of your back-end fw is a /24.

Then in terms of nat it will be:

object-group network LAN
network-object 192.168.1.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0

object network DMZ

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) after-auto source dynamic LAN interface

nat (dmz,outside) after-auto source dynamic DMZ interface

This is the nat config and objects on your front end fw.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

urbain58.gu@gmail.com · ‎02-13-2022

Basically

I set this route inside 192.168.20.0 255.255.255.0 192.168.1.2 on the frontend FW?
I didn't set the subnet on but it has to be /24 i think
Also there won't be NATting on the backend FW as it would confuse the frontend, right?
In terms of ACLs is there anything i'd do?

Georg Pauwen · ‎02-14-2022

Hello,

what are the passwords for the firewall ?

urbain58.gu@gmail.com · ‎02-14-2022

there is only one for the front-end FW it's qweasdtg

The lab i shared had many glitches on the IP addresses in the local network.

sorry!

Georg Pauwen · ‎02-14-2022

Hello,

I have made some changes to the file, NAT is added, and the basic routing is in place.

urbain58.gu@gmail.com · ‎02-14-2022

What version of Cisco PT is it? I was using 8.4. I couldn't open it.

Also thank you so much!!

Georg Pauwen · ‎02-14-2022

Hello,

I am using version 8.1, it should be compatible with yours (if yours is higher).

Anyway, the access list for ICMP should look like this:

access-list ICMP extended permit icmp any any echo
access-list ICMP extended permit icmp any any echo-reply

urbain58.gu@gmail.com · ‎02-14-2022

Hello again.

I tried to ping in the DMZ and back, but i can't figure how to configure the access-lists for icmp and tcp on both firewalls.

Any thoughts on that?

Thank you!