Security design: DMZ ports on internal switch, do you think good or bad?

NguyenNgocBa
Level 1

My company is rebuilding the DMZ model. My subnets are primarily served by the core-level switch doing DHCP, and I use the ASA firewall primarily to provide the internet subnet, NAT and the route for the VPN network so they can see each other. But there is one thing: once the network model went into operation it became very limited in terms of refreshing, so I tried creating a VLAN on the core switch and using an access-list to prevent access to my subnet (I think of it as the DMZ), and created a route-map on the core switch pointing to Firepower so that the DMZ zone can use the internet. I see it working, but I'm not sure that's the right thing because of the rules on the firewall: several local subnets cannot communicate with the DMZ, and if you want a subnet to communicate, you must add a permit in the access-list on the core switch, and that makes me not really interested, since the firewall doesn't do what I want. Do you have any solution so that I can do the DMZ zone better?

[attached image: 123.PNG]

4 Replies

Hi,
Normally you would use a separate physical switch for the DMZ, connected to a separate interface on the firewall. You would control traffic to/from the DMZ on the firewall, not with an ACL on the switch.

HTH

Normally I would do the same, but the system has only one blade server. I built the VMware system on it, and it is connected to the core switch by a physical path (6-way trunk); the FMC is also on it, and all layer 2 switches (end users) terminate on two core 3850 switches (StackWise). I can't physically separate the DMZ line except by creating a VLAN and separating it from the system (because my server only communicates over a 10Gb fiber port and my firewall uses only 1Gb fiber, I must concentrate them on the core switch). Internally, I tried to add a physical route and pushed my route-map for my core switch and 5525-X firewall to the VLAN that I created with the intention of it being the DMZ zone. It works when I try to create blocking rules, but there is one thing: there are rules for an internal subnet that should be able to communicate with the DMZ, and they don't seem to work. I'm still wondering what I'm doing wrong.
Ok, how about removing the SVI on VLAN99 and ensuring the default gateway for the DMZ server is the FTD firewall. Without the SVI the core switch would not have a route in its routing table for 20.20.99.0/24, and traffic will be routed to the firewall via the INSIDE interface; the firewall would then route the traffic out the DMZ interface to the DMZ server.

Thank you.
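To make the difference between the two designs concrete, here is an added configuration sketch (not posted by anyone in this thread): the "before" reconstructs the SVI-plus-route-map setup the question describes, and the "after" is the Layer 2-only DMZ VLAN the reply above recommends. Interface names, the SVI address, the FTD inside-2 address (10.10.10.1) and the internal VLAN IDs (10, 20) are assumptions; only VLAN 99 and 20.20.99.0/24 come from the thread.

```cisco
! ===== Before (reconstruction of the design described in the thread) =====
! The core 3850 owns an SVI on the DMZ VLAN, so it routes inside<->DMZ
! traffic itself; a switch ACL and a route-map (PBR) try to force that
! traffic through the FTD. Addresses and interface names are assumed.
vlan 99
 name DMZ
!
ip access-list extended DMZ-SOURCED
 permit ip 20.20.99.0 0.0.0.255 any
!
route-map DMZ-TO-FW permit 10
 match ip address DMZ-SOURCED
 set ip next-hop 10.10.10.1                ! assumed FTD inside-2 (dmz) address
!
interface Vlan99
 ip address 20.20.99.254 255.255.255.0    ! assumed SVI address = DMZ gateway
 ip policy route-map DMZ-TO-FW            ! PBR only sees packets entering this SVI
!
! Weakness: 20.20.99.0/24 is a connected route on the core, so an internal
! VLAN reaching the DMZ is routed locally by the switch; the firewall policy
! never sees that traffic unless a switch ACL duplicates it.

! ===== After (the design the reply above recommends) =====
! VLAN 99 becomes Layer 2 only on the core: no SVI, no PBR. The VLAN is
! trunked to the FTD, whose DMZ sub-interface is the server's default gateway.
! With no route for 20.20.99.0/24, the core sends inside->DMZ traffic along
! its (assumed) default route to the FTD inside interface, and the FTD
! routes it out the DMZ interface, applying its access policy on the way.
no interface Vlan99
no route-map DMZ-TO-FW
!
interface TenGigabitEthernet1/1/1         ! assumed trunk to the VMware host
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet1/0/48           ! assumed trunk to the FTD 5525-X
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99   ! carry the DMZ VLAN to the firewall
!
! FTD side (configured through FMC; shown here as intent, not CLI):
!   sub-interface on the inside-2 link, VLAN ID 99, IP 20.20.99.1/24 (assumed),
!   security zone "dmz"; DMZ server default gateway = 20.20.99.1;
!   access control rules written between the zones inside and dmz.
!
! Checks on the core after the change:
!   show ip route 20.20.99.0   -> "% Network not in table"
!   show vlan id 99            -> both trunks listed, no SVI
!   traceroute from an inside host to a DMZ server -> first hop is the FTD
```

The last three checks are what to look at when an inside-to-DMZ rule "doesn't seem to work": if the core still shows a connected route for 20.20.99.0/24, the switch is routing that traffic and the firewall rule is never consulted.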

The problem is that I cannot remove the SVI on VLAN99. I created the route-map, and the traceroute correctly goes to the inside-2 (dmz) port as intended, but it only fails where the internal network cannot communicate with the DMZ zone.