DMZ Design with Two Firewalls

Hi

What is the best practice, i.e. what rules do we apply to the external-facing FW? Also, should I have a switch for each interface? And do DMZ servers need a public IP, or is a private IP OK with NAT?

Thanks 

VIP Advisor

Hi,
The outside and inside interfaces should be connected to separate switches. Ideally you'd have two of everything, so you'd have 2 x ASA configured either Active/Standby or Active/Active. In this scenario you'd connect each ASA's interfaces into different switches (two on the outside and two on the inside network) to provide full resiliency.

As far as firewall rules are concerned, block all inbound except only what you need to permit. Ideally you'll have a public IP address range on the outside interface network; this would then be NATed to the private IP addresses on the hosts in the inside network.

HTH
Hi

Thanks for your quick response. Could you take a look at the attachment and possibly add in a location for the Guest DHCP scope to be placed, and also any VLAN ideas for added security? Also, does this design work technically, and how secure is it?

Thanks

VIP Advisor

A dedicated switch for the DMZ is definitely recommended.

Approach the security of your DMZ as a non-trusted zone, so only allow from the DMZ to a trusted zone (internal) what you explicitly define.

Please remember to rate useful posts, by clicking on the stars below.
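The two replies above (default-deny inbound with public-to-private NAT for the DMZ hosts, and treating the DMZ as an untrusted zone that may only reach the inside network for explicitly defined flows) expressed as an ASA configuration. This is an added example, not a config from the thread or the attachment; the interface names, the RFC 5737 / RFC 1918 addresses and the "web server talks to an internal database" flow are constructed assumptions.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax: ACLs reference real (private)
! addresses, and NAT is defined on network objects. Addresses below are constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! DMZ web server keeps a private address; a static NAT maps it to an address from the
! public range on the outside network (first reply).
object network DMZ-WEB
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
! Inside users reach the internet through PAT on the outside interface address.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! External-facing rule set: permit only the published service, deny everything else.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! DMZ is untrusted (second reply): only the explicitly defined flow to the inside
! network is permitted, all other DMZ-to-inside traffic is denied, and the DMZ may
! still reach the internet (e.g. for updates) because the final line is evaluated
! only after the inside subnet has already been blocked.
object network INSIDE-DB
 host 10.0.0.20
access-list DMZ_IN extended permit tcp object DMZ-WEB object INSIDE-DB eq 1433
access-list DMZ_IN extended deny ip any object INSIDE-NET
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Two points worth checking when adapting this: the explicit `deny ip any any` at the end of OUTSIDE_IN is redundant with the ASA's implicit deny but keeps the hit counters visible in `show access-list`, and because inside (security-level 100) is higher than dmz (50), traffic initiated from inside to the DMZ is allowed by default without any ACL, so the return traffic for the 1433 flow above is handled by the stateful inspection, not by a separate rule.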
