Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1580
Views
40
Helpful
19
Replies

Firewalls in DMZ

benolyndav
Level 4
Level 4

‎10-05-2018 03:04 PM - edited ‎02-21-2020 08:19 AM

Hi

I have a 2 asa Firewall DMZ to set up, my question is i plan to put a switch between them is there any special config I need in order to route traffic through internal Firewall to external Firewall to Internet.??

 

 

Thanks

Labels:
0 Helpful
19 Replies 19

Alex Pfeil
Level 7
Level 7

‎10-05-2018 04:52 PM

Is there a benefit to having 2 separate firewalls?

 

you can have an inside interface, DMZ interface, and outside interface with one firewall.

 

To answer your question, the two DMZ interfaces would have to be in same VLAN on same subnet and have routes to respective public and private networks.

 

please mark helpful posts.

Francesco Molino
VIP Alumni
VIP Alumni

‎10-05-2018 08:03 PM

Hi

What do you want to achieve? Do you have a quick drawing?

You need to certainly take about access policies, routing. That's pretty much it. I believe all your public are only on your internet firewalls and Nat is done there, right?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

benolyndav
Level 4
Level 4
In response to Francesco Molino

‎10-06-2018 12:19 AM

Hi

I'm not sure om how to route traffic from Inside firewall to Internet Firewall to Internet, what gateway would i use for internal firewall internet route.???

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to benolyndav

‎10-06-2018 05:06 PM

Can you share a drawing of what you implementing and then maybe we can help better.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

benolyndav
Level 4
Level 4
In response to Francesco Molino

‎10-06-2018 06:27 PM

Hi

If you could advise on how to set up default routes as per my original post.

 

Thanks

Preview file
106 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to benolyndav

‎10-06-2018 06:48 PM

On firewall internet:

You need to add a route inside to all your subnets behind this firewall and with your internal firewall as next hop.
You need to bridge the Nat is anything inside natted on your outside interface.

On your internal firewall:

You need to add a route outside 0.0.0.0 0.0.0.0 172.20.57.2
You need to make sure you're not doing any nat because your internet firewall will do.
This firewall knows all subnets connected to him but you need to add acl on your outside to let packets in when something comes from the internet firewall if needed like nat an internal service for example

With this basic config you should be able to access Internet from everywhere.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

benolyndav
Level 4
Level 4
In response to Francesco Molino

‎10-07-2018 12:18 AM

Hi

When i try adding  Route outside 0.0.0.0 0.0.0.0 172.20.57.2 on internal Firewall, I get a error saying connected route.??????

 

Thanks

 

 

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to benolyndav

‎10-07-2018 03:20 AM

If 172.20.57.2 is an interface on the ASA, you want to change that to the next hop interface. Do you already have a default route set?

 

Please mark helpful posts.

benolyndav
Level 4
Level 4
In response to Alex Pfeil

‎10-07-2018 05:20 AM

Hi

No Default route on internal Firewall, I dont understand why the Firewall wont allow me to add the default route, error connecte route. ????????

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to benolyndav

‎10-07-2018 01:08 PM

172.20.57.x needs to be next hop and not the ASA.
For example, if the Asa is 172.20.57.2 and the next hop router is 172.20.57.1.

Route outside 0.0.0.0 0.0.0.0 172.20.57.1

Please mark helpful posts.

benolyndav
Level 4
Level 4
In response to Alex Pfeil

‎10-07-2018 01:16 PM

I might be missing something here but the two asa's are connected through a switch, internal Firewall ip address is .1 the internet facing firewall is .2 so as you can see thes two in same subnet so the next hop for the internak firewall would be .2 surely.???

 

Thanks

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to benolyndav

‎10-07-2018 01:19 PM

.2 would be next-hop for internal firewall and you should have there a route like (let's assume on your internal fw with .1 the name is outside): route outside 0.0.0.0 0.0.0.0 172.20.57.2

Then on your internet firewall, to reach your internal subnets (let's say the supernet is 10.0.0.0/8 and name of interface is inside), you should have: route inside 10.0.0.0 255.0.0.0 172.20.57.1

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to benolyndav

‎10-07-2018 01:14 PM

Ok based on what was written on your doc I thought 57.2 was the inside interface of your internet firewall, that's why I said on your internal firewall you would need a default route pointing towards your internet firewall for internet access. If that's not the IP, then you can adjust it or share a visible/readable design with all IPs and I can help you with the right/correct routes you need to configure and where you need to configure them.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

benolyndav
Level 4
Level 4
In response to Francesco Molino

‎10-07-2018 01:30 PM

Hi

Thanks for the help ive attached a drawing its a bit basic, apologies for that, im just confused that when I try adding default route on internal firewall and use .2 as gateway i get the error connected route and the Firewall docent insert the route.

 

 

Thanks

Preview file
8 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card