DMZ - Question
I have to set up a DMZ on our network. Our current layout is Internet Router <--> Firewall <--> WAN/LAN Router <--> Servers

The idea is to set up a back-to-back DMZ or Dual Firewall DMZ. So the topology would be like this:
Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> WAN/LAN router.

On the DMZ we will have a Web Server that needs access back to the Mainframe on the LAN, and a Mail server that needs access to another mail server on the LAN.

One of my questions is that the DMZ is in a /24 subnet and the LAN is on a /16 subnet. Is the only way for the web server in the DMZ to communicate with the inside LAN by NATting in FW-2? Isn't this creating a double subnet from the outside?

I am working with 2 PIX firewalls, and I am hoping to change FW-2 to a different brand that has stateful inspection.

Please advise,

Thanks,

Pablo
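An added illustration of the FW-2 policy question raised above (not the poster's configuration, and not an answer from the list): it models the DMZ /24 and LAN /16 with constructed RFC 5737 / RFC 1918 addresses, checks that the two ranges do not overlap (so FW-2 can route between them and NAT is not needed for reachability), and evaluates a default-deny rule set that permits only the two flows the post names. All addresses and the mainframe application port are assumptions.

```python
import ipaddress

# Constructed addressing for the poster's topology (assumption, not from the post).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")   # DMZ /24
LAN_NET = ipaddress.ip_network("10.10.0.0/16")   # LAN /16
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")   # DMZ web server
DMZ_MAIL = ipaddress.ip_network("192.0.2.25/32")     # DMZ mail server
MAINFRAME = ipaddress.ip_network("10.10.1.5/32")     # LAN mainframe
LAN_MAIL = ipaddress.ip_network("10.10.1.25/32")     # internal mail server

# FW-2 rules for new connections initiated from the DMZ toward the LAN:
# (source, destination, protocol, destination port). Anything not listed is dropped.
FW2_RULES = [
    (WEB_SERVER, MAINFRAME, "tcp", 1414),  # web -> mainframe app port (1414 is a placeholder)
    (DMZ_MAIL, LAN_MAIL, "tcp", 25),       # DMZ mail relay -> internal mail server (SMTP)
]


def nat_needed_for_reachability(dmz_net, lan_net):
    """True only if the DMZ and LAN ranges overlap; non-overlapping ranges can simply be routed."""
    return dmz_net.overlaps(lan_net)


def fw2_allows(src, dst, proto, dport):
    """Default-deny evaluation of a DMZ-initiated connection crossing FW-2 into the LAN."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Only traffic leaving the DMZ for the LAN is even considered by this rule set.
    if src_ip not in DMZ_NET or dst_ip not in LAN_NET:
        return False
    return any(
        src_ip in r_src and dst_ip in r_dst and proto == r_proto and dport == r_port
        for r_src, r_dst, r_proto, r_port in FW2_RULES
    )


def audit_rules(rules=FW2_RULES):
    """Return rules whose endpoints fall outside DMZ->LAN, i.e. broader than the design intends."""
    return [r for r in rules if not (r[0].subnet_of(DMZ_NET) and r[1].subnet_of(LAN_NET))]


if __name__ == "__main__":
    print("NAT needed for reachability:", nat_needed_for_reachability(DMZ_NET, LAN_NET))
    print("web -> mainframe 1414:", fw2_allows("192.0.2.10", "10.10.1.5", "tcp", 1414))
    print("web -> internal mail 25:", fw2_allows("192.0.2.10", "10.10.1.25", "tcp", 25))
    print("rules outside DMZ->LAN scope:", audit_rules())
```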