Firewall Interface design

switched switch · ‎03-16-2014

We plan a two tier firewall with the physical topology like this:

WWW --------------- FW1-----------FW2-----------------INTERNAL

We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NAT'ing in the design.

My plan will to have Internal IP addresses (RFC1918) between FW1 and FW2 so that FW2 cannot be accessed publically.

If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'Intermediate' zone (between FW1 and FW2) ?

So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1, Gi 0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?

Hope this is clear.

Marvin Rhoads · ‎03-16-2014

Using the single interface between FW1 and FW2 will be fine.

You just need to ensure your routing steers the traffic correctly, nat statements are aligned and access-lists allow the necessary flows.

The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1 yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface.

Jon Marshall · ‎03-16-2014

-