03-16-2014 01:38 AM - edited 03-11-2019 08:57 PM
We plan a two tier firewall with the physical topology like this:
WWW --------------- FW1-----------FW2-----------------INTERNAL
We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NAT'ing in the design.
My plan is to have internal IP addresses (RFC1918) between FW1 and FW2 so that FW2 cannot be accessed publicly.
If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'Intermediate' zone (between FW1 and FW2) ?
So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1, Gi0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?
Hope this is clear.
03-16-2014 07:21 AM
Using the single interface between FW1 and FW2 will be fine.
You just need to ensure your routing steers the traffic correctly, NAT statements are aligned, and access-lists allow the necessary flows.
The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1 yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface.
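The layout described in this reply, written out as an added example (not configuration from the original post or the answer, and not from any named vendor guide): both boxes are assumed to be Cisco ASAs using the 8.3+ object NAT syntax, the intermediate link is a single /30 shared by both DMZs, and all addresses, names and interface numbers are constructed for illustration. The public block 203.0.113.0/24 is assumed to be routed by the ISP to FW1's outside address; FW1 has a static route sending that block over the intermediate link to FW2's outside interface, and FW2 owns the static NAT and the per-DMZ subinterfaces.

```cisco
! ---- FW1 (edge, assumed ASA) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.255.1 255.255.255.252
! Default route to the ISP next hop (constructed)
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! The DMZ public block is only ever a NAT address on FW2, so FW1 must
! forward it over the intermediate link to FW2's (RFC1918) outside interface.
route inside 203.0.113.0 255.255.255.0 192.168.255.2
! FW1 does no translation for this flow: the public address must reach
! FW2 untouched, so there is deliberately no nat statement here.
object network dmz-public
 subnet 203.0.113.0 255.255.255.0
! Permit only the published services toward the DMZ block at the edge;
! the host-level filtering happens again on FW2.
access-list outside_in extended permit tcp any object dmz-public eq 443
access-list outside_in extended permit tcp any object dmz-public eq 25
access-group outside_in in interface outside

! ---- FW2 (DMZ / NAT tier, assumed ASA) ----
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
! Parent of the two DMZ subinterfaces carries no IP of its own
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/0.100
 vlan 100
 nameif dmz1
 security-level 50
 ip address 10.1.100.1 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif dmz2
 security-level 50
 ip address 10.1.200.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! Everything that is not directly connected goes back to FW1
route outside 0.0.0.0 0.0.0.0 192.168.255.1
! Static one-to-one NAT per published server (constructed hosts);
! the real servers keep RFC1918 addresses in their own DMZ.
object network dmz1-web
 host 10.1.100.10
 nat (dmz1,outside) static 203.0.113.10
object network dmz2-mail
 host 10.1.200.10
 nat (dmz2,outside) static 203.0.113.20
! With 8.3+ NAT the inbound ACL matches the real (untranslated) address
access-list outside_in extended permit tcp any object dmz1-web eq 443
access-list outside_in extended permit tcp any object dmz2-mail eq 25
access-group outside_in in interface outside
```

Two points worth checking once this is in place. First, return traffic: FW2 translates the server's source back to 203.0.113.x and follows its default route to FW1, and FW1 already has 203.0.113.0/24 pointing at its inside interface, so the reverse path is consistent on both boxes. Second, DMZ separation: because dmz1 and dmz2 sit at the same security level (50), the ASA does not forward between them unless `same-security-traffic permit inter-interface` is configured, which keeps the two DMZs isolated from each other by default even though they share one uplink toward FW1.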
03-16-2014 10:01 AM