Firewalls in DMZ

benolyndav
Level 4

Hi

I have a two-ASA firewall DMZ to set up. My question is: I plan to put a switch between them; is there any special config I need in order to route traffic through the internal firewall to the external firewall to the Internet?

Thanks

19 Replies

Alex Pfeil
Level 7

Is there a benefit to having 2 separate firewalls?

You can have an inside interface, a DMZ interface, and an outside interface with one firewall.

To answer your question, the two DMZ interfaces would have to be in the same VLAN on the same subnet and have routes to the respective public and private networks.

Please mark helpful posts.

Francesco Molino
VIP Alumni
Hi

What do you want to achieve? Do you have a quick drawing?

You certainly need to think about access policies and routing. That's pretty much it. I believe all your public IPs are only on your Internet firewall and NAT is done there, right?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

I'm not sure how to route traffic from the inside firewall to the Internet firewall to the Internet. What gateway would I use for the internal firewall's Internet route?

Can you share a drawing of what you are implementing, and then maybe we can help better.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Could you advise on how to set up the default routes as per my original post?

Thanks

On the Internet firewall:

You need to add a route inside to all your subnets behind this firewall, with your internal firewall as the next hop.
You need to bridge the NAT, as anything inside is NATted on your outside interface.

On your internal firewall:

You need to add a route outside 0.0.0.0 0.0.0.0 172.20.57.2
You need to make sure you're not doing any NAT, because your Internet firewall will do it.
This firewall knows all subnets connected to it, but you need to add an ACL on your outside interface to let packets in when something comes from the Internet firewall, if needed, for example when you NAT an internal service.

With this basic config you should be able to access the Internet from everywhere.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

When I try adding Route outside 0.0.0.0 0.0.0.0 172.20.57.2 on the internal firewall, I get an error saying "connected route"?

Thanks


If 172.20.57.2 is an interface on the ASA, you want to change that to the next-hop interface. Do you already have a default route set?

Please mark helpful posts.

Hi

No default route on the internal firewall. I don't understand why the firewall won't allow me to add the default route; the error is "connected route".

172.20.57.x needs to be the next hop and not the ASA.
For example, if the ASA is 172.20.57.2 and the next-hop router is 172.20.57.1:

Route outside 0.0.0.0 0.0.0.0 172.20.57.1

Please mark helpful posts.

I might be missing something here, but the two ASAs are connected through a switch. The internal firewall's IP address is .1 and the Internet-facing firewall's is .2, so as you can see these two are in the same subnet, so the next hop for the internal firewall would be .2, surely?

Thanks

.2 would be the next hop for the internal firewall, and you should have a route there like (let's assume on your internal FW with .1 the interface name is outside): route outside 0.0.0.0 0.0.0.0 172.20.57.2

Then on your Internet firewall, to reach your internal subnets (let's say the supernet is 10.0.0.0/8 and the name of the interface is inside), you should have: route inside 10.0.0.0 255.0.0.0 172.20.57.1

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
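As an added example (not Francesco's configuration and not taken from the original thread), here is how the two sets of commands described in his two replies above could look in ASA CLI syntax, using the addresses from the thread: the internal firewall's outside interface at 172.20.57.1, the Internet firewall's inside interface at 172.20.57.2, and 10.0.0.0/8 as the internal supernet. The interface names (inside/outside), the object and ACL names, the 10.1.1.10 web server, the 203.0.113.10 public address and the 203.0.113.1 ISP gateway are assumptions made for illustration only.

```cisco
! ===== Internet-facing ASA (inside interface 172.20.57.2) =====
! Default route towards the ISP (203.0.113.1 is an assumed ISP gateway).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Return route for everything behind the internal ASA (10.0.0.0/8 assumed supernet),
! next hop is the internal ASA's outside address.
route inside 10.0.0.0 255.0.0.0 172.20.57.1
! NAT lives here only: hide all internal subnets behind the outside interface address.
object network INTERNAL-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
! Optional static NAT for one published service (assumed web server 10.1.1.10 -> 203.0.113.10).
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
! Inbound from the Internet: permit only the published service; everything else stays denied.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside

! ===== Internal ASA (outside interface 172.20.57.1) =====
! Default route: the next hop is the Internet ASA's inside address (.2), not this ASA's own .1.
route outside 0.0.0.0 0.0.0.0 172.20.57.2
! No NAT rules on this firewall: packets leave with their real 10.x source and the
! Internet ASA translates them.
! Permit only the inbound session the Internet ASA forwards for the published service.
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE-IN in interface outside
```

The gateway in each route command is the neighbour's address on the shared 172.20.57.0 segment, which is the point Alex makes above; the only NAT rules sit on the Internet ASA, and the internal ASA's inbound ACL is narrowed to the single published service rather than permitting everything from the Internet ASA.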

Ok, based on what was written in your doc I thought 57.2 was the inside interface of your Internet firewall; that's why I said on your internal firewall you would need a default route pointing towards your Internet firewall for Internet access. If that's not the IP, then you can adjust it, or share a visible/readable design with all IPs and I can help you with the correct routes you need to configure and where you need to configure them.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Thanks for the help. I've attached a drawing; it's a bit basic, apologies for that. I'm just confused that when I try adding a default route on the internal firewall and use .2 as the gateway, I get the error "connected route" and the firewall doesn't insert the route.

Thanks
