Re: DMZ - Question
- From: p1g <killfactory@xxxxxxxxx>
- Date: Sat, 27 Oct 2007 10:34:13 -0400
Can't a pix be licensed and support multiple DMZs?
I understand what you are trying to do with 2 FWs, but Dan is right. IMO.
Take a look at the new ASAs. I'll bet you will be more likely to be
approved for redundant Cisco ASAs with all the new security features
built in, before 1 PIX + maint. and 1 VendorX + maint. + training +
added complexity.
An ASA is PIX under the hood.
Everyone's needs are different though. Good luck.
On 26 Oct 2007 15:41:02 -0000, hol64@xxxxxxxxxxx <hol64@xxxxxxxxxxx> wrote:
I have to setup a DMZ on our network. Our current layout is Internet Router <--> Firewall <--> WAN/LAN Router <--> Servers
The idea is to setup a back-to-back DMZ or Dual Firewall DMZ. So the topology would be like this..
Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> WAN/LAN router.
On the DMZ we will have a Web Server that needs access back to the Mainframe on the LAN, and a Mail server that needs access to another mail server on the LAN.
One of my questions is the DMZ is in a /24 subnet and the LAN is on a /16 subnet. Is the only way for the web server in the DMZ to communicate with the inside LAN by NATting in the FW-2? Isn't this creating a double subnet from the outside?
I am working with 2 pix firewalls, and I am hoping to change FW-2 to a different brand that has stateful inspection.
Please advise,
Thanks,
Pablo
--
-p1g
SnortCP
,,__
o" )~ oink oink
' ' ' '
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
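The topology from Pablo's post (Internet router, FW-1, a /24 DMZ, FW-2, a /16 LAN) modelled as two packet-filter policies, as an added example that is not part of either message. Every address, host role and port here is a constructed placeholder in RFC 1918 / documentation space (the mainframe port is assumed to be TN3270 on 23); the filter is a simplified first-match access list with an implicit deny plus a connection table standing in for stateful inspection, not PIX or any vendor's actual rule engine. It shows two things a reviewer would want on the table: that disjoint prefixes (the /24 and the /16 do not overlap) can be routed across FW-2 without translation, so NAT there is a design choice rather than something the addressing forces, and that the DMZ-to-LAN rules can be written host-to-host and single-port so a compromised DMZ box gains no further reach into the /16.

```python
"""Policy model for a back-to-back (dual-firewall) DMZ.

Added example, not code from the original thread. All addresses, ports and
host roles are constructed placeholders.

  Internet --> FW-1 <--> DMZ (/24) <--> FW-2 <--> LAN (/16)
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addressing, matching the /24 DMZ and /16 LAN in the post.
DMZ_NET = ip_network("192.168.100.0/24")
LAN_NET = ip_network("10.20.0.0/16")
ANY = ip_network("0.0.0.0/0")

# Constructed hosts.
WEB_SERVER = ip_address("192.168.100.10")   # DMZ web server
DMZ_MAIL = ip_address("192.168.100.25")     # DMZ mail relay
MAINFRAME = ip_address("10.20.1.5")         # LAN mainframe
LAN_MAIL = ip_address("10.20.1.25")         # LAN mail server
OTHER_LAN_HOST = ip_address("10.20.5.9")    # unrelated LAN host
INTERNET_CLIENT = ip_address("203.0.113.7") # some client on the Internet
MAINFRAME_PORT = 23                         # assumed TN3270 listener (placeholder)


def host(addr: IPv4Address) -> IPv4Network:
    """A /32 for one host, so rules and flows share a single matching path."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass
class StatefulFilter:
    """First-match ACL with an implicit deny, plus a connection table so that
    replies to permitted sessions pass without a reverse rule (a minimal
    stand-in for stateful inspection)."""
    rules: List[Rule]
    _state: Set[Tuple[IPv4Address, int, IPv4Address, int]] = field(default_factory=set)

    def check(self, f: Flow) -> str:
        for r in self.rules:
            if f.src in r.src and f.dst in r.dst and r.dport in (None, f.dport):
                if r.action == "permit":
                    self._state.add((f.src, f.sport, f.dst, f.dport))
                return r.action
        return "deny"   # implicit deny at the end of the list

    def check_reply(self, f: Flow) -> str:
        """A reply is accepted only if its forward 4-tuple was permitted earlier."""
        key = (f.dst, f.dport, f.src, f.sport)
        return "permit" if key in self._state else "deny"


def needs_nat(a: IPv4Network, b: IPv4Network) -> bool:
    """Translation between two directly attached networks is only forced when
    their ranges overlap; disjoint prefixes can simply be routed."""
    return a.overlaps(b)


# FW-1: what the Internet may reach in the DMZ, and nothing else.
FW1 = StatefulFilter([
    Rule(ANY, host(WEB_SERVER), 80, "permit"),
    Rule(ANY, host(WEB_SERVER), 443, "permit"),
    Rule(ANY, host(DMZ_MAIL), 25, "permit"),
])

# FW-2: what the DMZ may open towards the LAN. Host-to-host, one port each;
# the explicit deny documents that the rest of the /16 is off limits.
FW2 = StatefulFilter([
    Rule(host(WEB_SERVER), host(MAINFRAME), MAINFRAME_PORT, "permit"),
    Rule(host(DMZ_MAIL), host(LAN_MAIL), 25, "permit"),
    Rule(DMZ_NET, LAN_NET, None, "deny"),
])


if __name__ == "__main__":
    print("NAT forced by addressing:", needs_nat(DMZ_NET, LAN_NET))
    fwd = Flow(WEB_SERVER, 40000, MAINFRAME, MAINFRAME_PORT)
    print("web -> mainframe:", FW2.check(fwd))
    print("mainframe reply:", FW2.check_reply(Flow(MAINFRAME, MAINFRAME_PORT, WEB_SERVER, 40000)))
    print("web -> other LAN host:", FW2.check(Flow(WEB_SERVER, 40001, OTHER_LAN_HOST, 445)))
```

Swapping the constructed prefixes for ones that do overlap makes `needs_nat` return True, which is the one case where FW-2 would have to translate; with the /24 and /16 above it returns False and the question becomes purely one of policy.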