03-08-2016 03:06 PM - edited 03-19-2019 10:50 AM
Hello all,
While reviewing some Expressway docs I started to question the way I have been connecting my C&E servers to a network. All of the documents that I have found reference a configuration with two firewalls. This would obviously be best practice; however, I am wondering what the recommended configuration would be if only one firewall is available. I prefer to use the dual NIC option on the E, and with that assumption I figure there are 2 options.
Option 1
Expressway E LAN2 in the DMZ
Expressway E LAN1 on the internal LAN
Expressway C on the internal LAN
Option 2
Expressway E LAN2 on the external internet
Expressway E LAN1 in the DMZ
Expressway C on the internal LAN
I can see pros and cons to both configurations and would like to hear thoughts from the community.
Thank you all
03-08-2016 11:04 PM
Hi Jacob,
Please check the following post related to similar query
https://supportforums.cisco.com/discussion/12538411/expressway-e-single-nic-or-dual-nic
Manish
03-09-2016 08:52 PM
That looks like a good thread; however, it looks like their solution is to spin up a second DMZ network off the firewall. If a customer simply has a single DMZ network, giving them the internet, one DMZ, and their LAN as their networks, what would be the recommended configuration?
03-10-2016 01:51 AM
The recommended configuration is two firewalls, where the Exp-E LAN1 interface is also in a DMZ and a firewall exists between this and the LAN1 interface of the Exp-C node. This is recommended as it is more secure: you have a TLS zone between them anyway, but not having a FW doing port filtering is more of a risk than having one, so it is recommended.
It will work with no FW between Exp-E LAN1 and Exp-C LAN1, but it's obviously less secure.
What type of firewall do they have?
Some allow you to create virtual systems within a single physical firewall unit, so you can have more than one DMZ and, using VLANs, separate the traffic. Palo Alto is a good example of where you can achieve multiple DMZs within a single firewall; they use the concept of a vsys (i.e. a virtual firewall).
Thanks
03-10-2016 05:33 AM
I definitely agree that 2 DMZs is the best practice configuration and also agree that 2 DMZs can be accomplished with a single firewall; however, as a consultant there are times when I don't have access to a customer's network and they are not willing to add an entire network simply for the deployment of Expressway. So with this limitation, and from what others are saying, I am guessing my option 1 configuration would be preferred.