06-30-2013 07:21 AM - edited 03-11-2019 07:05 PM
Dears, I'll be going for this design below:
Internet-----Firewall1-----Firewall2----Core switches----Distribution switches----End users
Firewall1: outer interface to the internet, internal interface to firewall2, DMZ interface to DNS, email server, Bluecoat (guest users), Websense (wired users' internet access).
Firewall2: outer interface to firewall1, DMZ interface to the server farm, internal interface for the core switches.
Now, in order for both wired and wireless users to have their internet traffic directed to Bluecoat and then from Bluecoat to the internet, routing should be enabled between the 2 firewalls, so is it OK? Or shall I configure all users to have a default gateway to firewall1 and then have firewall1 configured to route traffic to both Websense and Bluecoat? Also, while traffic is coming back from firewall1 heading to firewall2, I should open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a low-level interface to a higher level?
06-30-2013 08:36 AM
routing should be enabled between the 2 firewalls, so is it OK?
Surely it's OK, and it should be done. You may use dynamic routing or just static routes. The final goal is to provide full IP reachability between your clients and the web filtering services.
or shall I configure all users to have a default gateway to firewall1
You can't configure firewall 1's inside IP as the default gateway for your clients, because the default gateway IP should be in the same LAN segment (broadcast domain).
also while traffic is coming back from firewall1 heading to firewall2, I should open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a low-level interface to a higher level?
If we're talking about general web traffic, then you don't have to configure any ACLs on the outside interface of FW2, because web traffic will be inspected by default (at least as TCP). That means, when a client connects to, say, cisco.com, returning traffic will be allowed by default, because there'll be an entry in the state table.
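As an added illustration (not part of this thread, and not a Cisco config), here is a small Python model of the stateful behaviour the answer relies on: FW2's outside interface (towards Firewall1) is the low-level side, its inside interface (towards the core switches) the high-level side, and a reply is let back in only when the connection table already holds the client's outbound flow. It assumes ASA-style semantics (higher-to-lower permitted by default, lower-to-higher denied unless an ACL or a state entry allows it); the interface names, security levels and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed ASA-style levels: "outside" faces Firewall1 (low), "inside" faces
# the core switches (high). Higher -> lower is allowed by default and creates
# state; lower -> higher is denied unless state (or an ACL) permits it.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

FlowKey = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto


@dataclass
class Packet:
    ingress: str   # interface the packet arrives on
    egress: str    # interface it would leave through
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self) -> None:
        self.conn_table: Dict[FlowKey, str] = {}  # flow -> ingress interface

    def decide(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for one packet and update the state table."""
        # Returning traffic: the reverse 5-tuple of an established flow.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conn_table:
            return "allow"
        if SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress]:
            # Higher -> lower: allowed, and recorded so the reply gets back in.
            self.conn_table[(p.src, p.sport, p.dst, p.dport, p.proto)] = p.ingress
            return "allow"
        # Lower -> higher with no matching state: denied by default.
        return "deny"


def demo() -> list:
    """Constructed sample: a wired user's web request through FW2 and its reply."""
    fw2 = StatefulFirewall()
    out = Packet("inside", "outside", "10.1.1.10", 50000, "203.0.113.20", 80)
    back = Packet("outside", "inside", "203.0.113.20", 80, "10.1.1.10", 50000)
    # Unsolicited inbound from the low side with no state: must be denied.
    unsolicited = Packet("outside", "inside", "203.0.113.20", 40000, "10.1.1.10", 80)
    return [fw2.decide(out), fw2.decide(back), fw2.decide(unsolicited)]
```

Running `demo()` gives `['allow', 'allow', 'deny']`: the outbound request opens the state entry, the reply matches it, and the unsolicited inbound packet is dropped without any ACL being involved.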
06-30-2013 09:47 AM
Super answer, thanks. So shall I go on with this design? Is it secure enough, or is there something that I could add?