multilayered and multivendor firewall questions

dan_track
Level 1

Hi,

I've just been tasked with getting a solution together for securing our internal connectivity. Basically I have an internet link, and what I need to do is install two firewalls there from different vendors, so one will be an ASA and the other will be from another company; let's say, for argument's sake, it's Checkpoint. I have a few questions surrounding this.

Internet
   |
external switch2
   |
Checkpoint
   |
external switch1
   |
asa
   |
Inside/dmz's

1. Will one firewall sit in front of another? I.e. the ASA is on the inner side and will have a default route to the Checkpoint firewall, or am I wrong?

2. Will I have to have different external switches connected to each respective firewall? Is this more secure?

3. Will both firewalls have to have external IPs?

4. Where will I be NATing in order for internal/DMZ traffic to go out to the internet, the ASA or the Checkpoint?

5. Where should I be terminating VPNs from, the ASA or the Checkpoint?

6. How have other people done this kind of work?

Thanks in advance for any help

Dan

1 Reply

Jon Marshall
Hall of Fame

dan_track wrote:

1. Will one firewall sit in front of another? I.e. the ASA is on the inner side and will have a default route to the Checkpoint firewall, or am I wrong?
2. Will I have to have different external switches connected to each respective firewall? Is this more secure?
3. Will both firewalls have to have external IPs?
4. Where will I be NATing in order for internal/DMZ traffic to go out to the internet, the ASA or the Checkpoint?
5. Where should I be terminating VPNs from, the ASA or the Checkpoint?
6. How have other people done this kind of work?


1) Yes and yes, the default route on the ASA would point to the Checkpoint.

2) No, you don't have to, but yes, it is more secure.

3) No, only the Checkpoint.

4) Checkpoint.

5) Checkpoint.

6) You can do it a number of ways.

One approach is to have, in effect, 2 VLANs per DMZ. A server in this DMZ would be connected to both VLANs. The Checkpoint would connect to the outside VLAN for this DMZ and the ASA would connect to the inside VLAN. The VLANs would have different IP subnets. So from the internet a server is connected to on its external interface via the Checkpoint, and from inside it is connected to on its internal interface via the ASA. If you do this sort of setup then it is important that each server does not route traffic.

Alternatively you can have some DMZs only connected to the Checkpoint and some only connected to the ASA, but then you need a "transit" VLAN that connects both the ASA and the Checkpoint.

The topology you design depends on the services you are hosting. A good site to start with is www.sans.org where they have designs for these sorts of things.

Jon
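As an added illustration of answers 1, 3, 4 and 6 above (this is example configuration written for this page, not from the thread or from either vendor's documentation), here is what the inner ASA in that chain could look like in ASA 8.3+ syntax. Every interface name and address is a constructed placeholder: the transit link to the Checkpoint is assumed to be 10.255.0.0/30 with the Checkpoint at .1, the inside network 10.10.0.0/24, and the ASA-side VLAN of a dual-homed DMZ 10.20.0.0/24.

```cisco
! Added example, not from the thread: the inner ASA of a Checkpoint -> ASA chain.
! Interface names and addresses are constructed placeholders (ASA 8.3+ syntax).
!
! Link toward the Checkpoint ("external switch1" / transit VLAN). Private
! addressing only: the ASA never holds a public IP (answer 3).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! ASA-side VLAN of a dual-homed DMZ; the Checkpoint owns the outside-side VLAN
! of the same DMZ on a different subnet (answer 6, first approach).
interface GigabitEthernet0/2
 nameif dmz-inside
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Answer 1: the ASA's only way out is a default route to the Checkpoint.
route outside 0.0.0.0 0.0.0.0 10.255.0.1 1
!
! Answer 4: address translation happens on the Checkpoint. The identity NAT
! below keeps inside source addresses unchanged on the transit VLAN; on 8.3+
! traffic already passes untranslated without it, so it only documents intent.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET
!
! Outbound policy: inside hosts may initiate only HTTP/HTTPS (toward the DMZ
! or, via the Checkpoint, the internet); everything else is dropped and logged.
! dmz-inside cannot initiate toward inside unless an ACL explicitly permits it,
! because of the lower security level.
access-list INSIDE-OUT extended permit tcp 10.10.0.0 255.255.255.0 any eq 443
access-list INSIDE-OUT extended permit tcp 10.10.0.0 255.255.255.0 any eq 80
access-list INSIDE-OUT extended deny ip any any log
access-group INSIDE-OUT in interface inside
!
! Drop packets whose source address does not belong behind the interface they
! arrived on. A dual-homed DMZ server that has started routing between its two
! VLANs (the thing Jon warns against) is one way such packets show up here.
ip verify reverse-path interface inside
ip verify reverse-path interface dmz-inside
```

The Checkpoint side is left out because its policy language is vendor-specific; the properties it has to mirror are that the transit subnet is its only path toward the ASA and that its NAT rules hide the inside and DMZ subnets behind the public address. On the dual-homed servers themselves, the "does not route traffic" requirement corresponds on a Linux host to `net.ipv4.ip_forward = 0`; the reverse-path checks above are the ASA-side detection for a host where that setting has drifted.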
