cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
583
Views
0
Helpful
4
Replies
Highlighted
Beginner

Expressway C&E recommended network configuration

Hello all, 

While reviewing so Expressway docs I started to question the way I have been connecting my C&E servers to a network. All of the documents that I have found reference a configuration with two firewalls. This would obviously be best practice however I am wondering what the recommended configuration would be if only one firewall is available. I prefer to use the dual nic option on the E and with that assumption I figure there are 2 options.

Option 1

Expressway E LAN2 in the DMZ

Expressway E LAN1 on the internal LAN

Expressway C on the internal LAN

Option 2

Expressway E LAN2 on the external internet

Expressway E LAN1 oin the DMZ

Expressway C on the internal LAN

I can see pros and cons to both configurations and would like to here thoughts from the community.

Thank you all 

4 REPLIES 4
Highlighted
Cisco Employee

Hi Jacob,

Hi Jacob,

Please check the following post related to similar query

https://supportforums.cisco.com/discussion/12538411/expressway-e-single-nic-or-dual-nic

Manish

Highlighted
Beginner

That looks like a good thread

That looks like a good thread however it looks like there solution is to spin up a second DMZ network of the firewall. If a customer simply has a single DMZ network giving them the internet, One DMZ, and there LAN as there networks what would be the recommended configuration?

Highlighted
Rising star

The recommended configuration

The recommended configuration is two firewalls, where the Exp-E LAN1 interface is also in a DMZ and a firewall exists between this and the LAN1 interface of the Exp-C node. This is recommended as it is more secure, you have a TLS zone between them anyway but not having a FW doing port filtering is more of a risk than having one so it is recommended.

It will work with no FW between Exp-E LAN1 and Exp-C LAN1 but its obviously less secure.

What type of firewall do they have?

Some allow you to create virtual systems within a single physical firewall unit so you can have more than one DMZ and using Vlans, separate the traffic. Palo Alto is a good example of where you can achieve multiple DMZ's within a single firewall, they use the concept of a Vsys (i.e. a virtual firewall).

Thanks

Highlighted
Beginner

I definitely agree that 2 DMZ

I definitely agree that 2 DMZ's is the best practice configuration and also agree that 2 DMZ's can be accomplished with a dingle firewall however as a consultant there are times when I don't have access to a customers network and they are not willing to add an entire network simply for the deployment of expressway. So with this limitation and from what other are saying I am guessing my option 1 configuration would be preferred. 

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here