15315 Views · 0 Helpful · 2 Replies

Best Practice Two Tier Firewall Architecture

k.clifford
Level 1

First time posting so bear with me.

I am looking for a best practice design reference for a customer that wants a two tier firewall structure. 

--Does anyone have a reference link/document/book? 

--Should the customer use different vendors at each tier? I know that is blasphemy, but I'm asking anyway since they wanted Palo Alto on the 1st tier and ASAs on the 2nd tier. The current design in front of the client has the ASA in transparent mode to conserve IP space, is what I am being told.

--Is double-NATting a best practice? Assuming we recommend the ASA in routed mode over transparent mode.

I will be asking these same questions at Cisco Live in a few weeks but would like to get back to my customer sooner than that.

Any help is certainly appreciated.

Thanks in advance.

-Ken

2 Replies

rajevemu
Cisco Employee

Hi Ken,

I am also posting for the first time.

The architecture will vary depending on the client's requirements.

  1. If the customer has internal servers that the internal team wants to use, those servers will be behind the LAN firewall. Create NAT to hide the real server IP from internal user communication.
  2. All DMZ servers will be on the Internet firewall.
  3. Use P2P IPsec/GRE tunnels between the client and customers/vendors on the Internet firewall for more secure communication.
  4. Create contexts for multiple clients.
  5. Place the proxy server between the LAN and Internet firewalls for internet access.

A routed-mode firewall is always good from a troubleshooting point of view. I hope this may be useful.


Thanks,

Rajesh Vemuri.
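As an added illustration of the routed-mode-plus-NAT design Rajesh describes (this is example configuration, not something posted in the thread or taken from Cisco documentation), the fragment below sketches the inner-tier ASA from Ken's scenario: routed mode, a static NAT that keeps the server's real address from ever appearing beyond the inner firewall, and an interface ACL that permits only the one service the server offers. Interface names, object names and all addresses (RFC 1918 and a 172.16.0.0/30 transit link to the outer tier) are assumed for the example.

```cisco
! Added example: inner-tier ASA in routed mode (ASA 8.3+ NAT syntax).
! Routed mode is the ASA default; "firewall transparent" would switch it
! to the transparent design Ken was shown. All names/addresses are assumed.
!
! "outside" here is the transit link to the first-tier (Palo Alto) firewall
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Internal server: real address 10.10.0.50 is translated to 172.16.0.50,
! so nothing on the outer side of this firewall ever sees the real IP
object network APP-SRV-REAL
 host 10.10.0.50
 nat (inside,outside) static 172.16.0.50
!
! Permit only HTTPS to that server from the outer tier; ACLs on 8.3+
! reference the real (untranslated) address via the object.
! Explicit logged deny makes dropped traffic visible in syslog.
access-list OUTSIDE-IN extended permit tcp any object APP-SRV-REAL eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Default route points at the outer-tier firewall's transit address
route outside 0.0.0.0 0.0.0.0 172.16.0.1
!
! Ship connection and deny logs off-box so both tiers can be correlated
logging enable
logging trap informational
logging host inside 10.10.0.200
```

One caveat on Ken's double-NAT question: if the outer tier also translates source addresses, the inner ASA's logs record the outer tier's post-NAT addresses rather than the original client, so the two tiers' logs have to be correlated (by time and translated address) to reconstruct a session end to end. That is the troubleshooting cost that routed mode with consistent logging on both tiers keeps manageable.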
