526 Views, 0 Helpful, 7 Replies

Dmz with dual firewall Implementation

[Image: dmz dual firewall.PNG]

Hi Support,

I want to implement a DMZ with dual firewalls (FW1 & FW2). FW1 is connected to the Internet and FW2 is connected to the LAN. Between the two firewalls we have the DMZ subnet 10.10.10.0/24.

Web proxy (10.10.10.3), FTP (10.10.10.4) and mail server (10.10.10.5) are placed in the DMZ.

My concern is about the default gateway of all servers placed in the DMZ.

What will be the default gateway of all servers in the DMZ: FW1 (10.10.10.2) or FW2 (10.10.10.1), and why?

Thanks in advance

3 Accepted Solutions

7 Replies

M02@rt37 (VIP)

Hello @Rowlands Sharles 

Best practice is to use FW2 as the default gateway. This keeps the internal network more secure because traffic from DMZ servers does not have a direct return path to the Internet via FW1.

Also, it allows better control over DMZ-to-LAN communication since FW2 can enforce strict access policies.

FW2 can forward only necessary traffic to FW1 for Internet access while ensuring internal resources are not directly exposed.

--edited

If DMZ servers use FW1 (10.10.10.2) as the default gateway, all their traffic would first be sent to the Internet firewall. This setup introduces several risks, including potential data leaks if misconfigurations allow internal data to be routed externally. Additionally, FW1 would need to handle both inbound and outbound DMZ traffic, making it harder to enforce strict access control between the DMZ and the internal network.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Many thanks M02.

I will use FW2 as the default gateway.

You're so welcome @Rowlands Sharles 

If FW2 is the default gateway for DMZ servers, then it already knows how to reach both the LAN (192.168.1.0/24) and the DMZ (10.10.10.0/24), as these networks are directly connected. This means you do not need a route on FW2 for LAN traffic. The DMZ servers will naturally send return traffic to FW2, which will then deliver it to the LAN.

What FW2 does need is a route for Internet-bound traffic. Since FW1 is responsible for external connectivity, FW2 should have a default route pointing to FW1.

This ensures that any traffic from the DMZ or LAN that is destined for the Internet is forwarded to FW1.

On FW1, because it is directly connected to the DMZ, it already knows about the 10.10.10.0/24 network. However, for FW1 to properly return traffic to the internal LAN, it must have a route directing LAN-bound traffic to FW2.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks M02.

Please, one last question:

What about routing between both firewalls?

Do we need a route in FW1 to the internal LAN using FW2's IP? (route inside 192.168.1.0 255.255.255.0 10.10.10.1)

I think FW1 does not need to reach the internal LAN.


Right! FW1 does not need a route to the internal LAN because it should not be directly communicating with internal resources. In a properly designed dual-firewall DMZ setup, all communication between the LAN and DMZ is handled by FW2, which is responsible for filtering and controlling access.

Since FW2 is the default gateway for both the LAN and DMZ servers, it already knows how to forward internal LAN traffic to the DMZ and vice versa. When DMZ servers need to communicate with the LAN, they send their traffic to FW2, which delivers it to the correct destination. When the LAN initiates communication with the DMZ, FW2 routes the packets directly to the DMZ servers. There is no need for FW1 to be involved in this process.

The only situation where FW1 might need a route to the LAN is if it were required for administrative or monitoring purposes, such as remote management of FW1 from inside the LAN. However, best practice is to keep FW1 isolated from internal resources to maintain strong segmentation between the Internet and the internal network. Instead, management access to FW1 should be restricted to an out-of-band management network or a VPN terminating on FW2.

For Internet-bound traffic, FW2 only needs a default route pointing to FW1. This ensures that any traffic from the LAN or DMZ that needs to reach the Internet is forwarded to FW1, which then applies security policies before sending it externally. FW1, in turn, does not need to know about the internal LAN, as it only processes outbound traffic from FW2 and inbound traffic destined for the DMZ.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
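The routing arguments in the three replies above (why FW2 should be the DMZ default gateway, why FW2 needs only a default route toward FW1, and what happens when FW1 does or does not carry a route to the LAN) can be checked with a small static-routing simulation. The example below is added here; it is not code from the thread, from Cisco, or from the poster. It models only the addresses the thread gives (LAN 192.168.1.0/24, DMZ 10.10.10.0/24, FW2 at 10.10.10.1, FW1 at 10.10.10.2); the outside link 203.0.113.0/24, the ISP next hop 203.0.113.1, the LAN host 192.168.1.10 and the Internet host 198.51.100.7 are constructed (RFC 5737 documentation ranges), and FW2's address on the LAN side (192.168.1.1) is assumed. NAT and firewall policy are not modeled; the trace shows pure longest-prefix-match forwarding so the reader can see where each packet ends up and whether a DMZ server's reply crosses the same firewall as the request it answers.

```python
import ipaddress

# Constructed topology taken from the thread: LAN 192.168.1.0/24 behind FW2,
# DMZ 10.10.10.0/24 between FW2 (10.10.10.1) and FW1 (10.10.10.2).
# The outside link 203.0.113.0/24 and ISP next hop 203.0.113.1 are assumed
# (RFC 5737 documentation addresses), not values given in the thread.
FW2_DMZ, FW1_DMZ, ISP_HOP = "10.10.10.1", "10.10.10.2", "203.0.113.1"


class Node:
    """A host or firewall with a static routing table (longest-prefix match)."""

    def __init__(self, name, routes):
        # routes: list of (prefix, next_hop); next_hop None means directly connected
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Return the best (prefix, next_hop) for dst, or None if there is no route."""
        addr = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if addr in p]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build(dmz_gateway=FW2_DMZ, fw1_lan_route=False):
    """Build the topology; returns (nodes by name, next-hop address -> owning node).

    dmz_gateway:   default gateway configured on the DMZ servers.
    fw1_lan_route: whether FW1 carries 'route inside 192.168.1.0/24 via FW2'.
    """
    lan_host = Node("LAN-host", [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    server = Node("DMZ-server", [("10.10.10.0/24", None), ("0.0.0.0/0", dmz_gateway)])
    fw2 = Node("FW2", [("192.168.1.0/24", None), ("10.10.10.0/24", None),
                       ("0.0.0.0/0", FW1_DMZ)])          # only a default route toward FW1
    fw1_routes = [("10.10.10.0/24", None), ("203.0.113.0/24", None),
                  ("0.0.0.0/0", ISP_HOP)]                 # FW1 knows DMZ and outside only
    if fw1_lan_route:
        fw1_routes.append(("192.168.1.0/24", FW2_DMZ))
    fw1 = Node("FW1", fw1_routes)
    isp = Node("ISP", [("0.0.0.0/0", None)])             # everything else is "the Internet"
    nodes = {n.name: n for n in (lan_host, server, fw2, fw1, isp)}
    owner = {"192.168.1.1": fw2, FW2_DMZ: fw2, FW1_DMZ: fw1, ISP_HOP: isp}
    return nodes, owner


def trace(start, dst, owner, max_hops=8):
    """Follow next hops from start toward dst and return the list of hops taken."""
    path, node = [start.name], start
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            path.append("DROP: no route")
            return path
        prefix, next_hop = route
        if next_hop is None:               # destination is on a connected subnet
            path.append(f"delivered on {prefix}")
            return path
        node = owner[next_hop]
        path.append(node.name)
    path.append("DROP: hop limit")
    return path


def compare_gateways(dst):
    """Trace a DMZ server's packet to dst with FW2 versus FW1 as its default gateway."""
    result = {}
    for label, gw in (("FW2 gateway", FW2_DMZ), ("FW1 gateway", FW1_DMZ)):
        nodes, owner = build(dmz_gateway=gw)
        result[label] = trace(nodes["DMZ-server"], dst, owner)
    return result


def reply_path_symmetric(dmz_gateway):
    """True if a LAN->DMZ request and the DMZ server's reply cross the same firewalls.

    This matters because a stateful firewall that never saw the request drops the reply.
    """
    nodes, owner = build(dmz_gateway=dmz_gateway)
    forward = trace(nodes["LAN-host"], "10.10.10.3", owner)       # request to the web proxy
    reverse = trace(nodes["DMZ-server"], "192.168.1.10", owner)   # reply to a LAN host

    def firewalls(path):
        return {hop for hop in path if hop.startswith("FW")}

    return firewalls(forward) == firewalls(reverse)


def fw1_lan_bound(fw1_lan_route):
    """Where FW1 itself forwards a packet addressed to the internal LAN."""
    nodes, owner = build(fw1_lan_route=fw1_lan_route)
    return trace(nodes["FW1"], "192.168.1.10", owner)


if __name__ == "__main__":
    for dst in ("192.168.1.10", "198.51.100.7"):   # a LAN host, a constructed Internet host
        for label, path in compare_gateways(dst).items():
            print(f"{dst:14} {label}: {' -> '.join(path)}")
    print("reply symmetric with FW2 gateway:", reply_path_symmetric(FW2_DMZ))
    print("reply symmetric with FW1 gateway:", reply_path_symmetric(FW1_DMZ))
    print("FW1 -> LAN without LAN route:", " -> ".join(fw1_lan_bound(False)))
    print("FW1 -> LAN with LAN route:   ", " -> ".join(fw1_lan_bound(True)))
```

With FW1 as the gateway, a DMZ server's packet for 192.168.1.10 is handed to FW1, which has no LAN route and forwards it to the ISP hop by its default route: the "internal data routed externally" risk from the first reply, and an asymmetric path that a stateful FW2 would drop. With FW2 as the gateway the reply returns through the same firewall that saw the request, and Internet-bound traffic still reaches FW1 through FW2's single default route. The last two traces show what the `route inside 192.168.1.0 255.255.255.0 10.10.10.1` line from the question would change on FW1: without it, anything FW1 itself addresses to the LAN leaves toward the Internet, which is why the final reply keeps FW1 ignorant of the LAN and hands all LAN-facing forwarding to FW2.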

Many thanks M02@rt37.

It's clear to me now.

Regards
