Re: 2 firewalls 1 Internet connection

From: Volker Birk (bumens_at_dingens.org)
Date: 08/29/05


Date: 29 Aug 2005 19:45:17 +0200

Brian <Brian@amphenolpcd.com> wrote:
> I want to use 2 different hardware firewalls over the same Internet
> connection. Specifically, I want to run a PIX 506 (that has a VPN
> tunnel with our Mexico operation) and I want to run a Watchguard
> Firebox X50 (that runs a tunnel with our China operation) over our new
> Sprint 3 meg connection. Currently, each firewall lives on its own
> separate connection.
> Potential issues I see involve redirected services, like inbound
> Terminal Services access, and SMTP. For example, if our router is
> 175.175.175.1, and the PIX is .2, and the Firebox is .3, will both
> firewalls try to answer if our internal Exchange server is .4?

You should consider a zone concept first. Perhaps what you wrote is too
little information to help you more concretely.

If you're unfamiliar with zone concepts, just use the classical
three zone concept as a starting point.

This means there is an "outside" zone, a so-called DMZ (demilitarized
zone) and an "internal" zone. Usually, the internal zone gets no public
IP addresses, and access to the DMZ is filtered to what you want to
provide.

Between outside and DMZ, and between DMZ and internal there should be
firewalls - filtering boxes.

Then you can decide in which network you want to have your VPN endpoints.

Perhaps it can be a good idea to have one single firewall as the one
between internal and DMZ, which also acts as VPN endpoint for both
countries, if both should be in the virtual internal zone (which I
don't know, because you did not write details ;-)

Yours,
VB.

-- 
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
                                    Harald Schmidt on the "Weltjugendtag" (World Youth Day)
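The three-zone layout described in this reply (outside, DMZ, internal, with both VPN tunnels placed in a "virtual internal zone" and only explicitly published services crossing a boundary) as an added worked example. This is illustrative code written for this page, not code from the original thread and not a PIX or Firebox configuration; every address, interface name, host role and published port in it is a constructed assumption.

```python
"""Model of the classical three-zone firewall design (outside / DMZ /
internal): default deny between zones, explicit permits for published
services only, anti-spoofing on ingress, and both VPN tunnels treated as
part of the internal zone.  Added illustration, not code from the thread;
all addresses, interfaces and services are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Interface -> (zone, network legitimately seen as *source* on it).
# Both tunnel interfaces land in "internal": the remote sites join the
# virtual internal zone.  The outside interface claims the default route.
INTERFACES: dict[str, tuple[str, IPv4Network]] = {
    "eth0":   ("outside",  ip_network("0.0.0.0/0")),
    "eth1":   ("dmz",      ip_network("10.0.1.0/24")),
    "eth2":   ("internal", ip_network("10.0.2.0/24")),
    "tun-mx": ("internal", ip_network("10.10.0.0/16")),  # assumed Mexico site
    "tun-cn": ("internal", ip_network("10.20.0.0/16")),  # assumed China site
}

MAIL_RELAY = "10.0.1.25"  # assumed DMZ host that receives Internet SMTP
TS_GATEWAY = "10.0.1.50"  # assumed DMZ host for inbound Terminal Services
EXCHANGE = "10.0.2.4"     # assumed internal Exchange server, never published


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None      # None = any TCP port
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone

    def matches(self, src_zone, dst_zone, src, dst, dport) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.dport in (None, dport)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst))


# Explicit permits; anything not listed here is dropped.
POLICY = [
    Rule("outside", "dmz", 25, dst_host=MAIL_RELAY),    # Internet mail ends in the DMZ
    Rule("outside", "dmz", 3389, dst_host=TS_GATEWAY),  # published Terminal Services
    Rule("dmz", "internal", 25, src_host=MAIL_RELAY, dst_host=EXCHANGE),  # relay -> Exchange
    Rule("dmz", "outside", 25, src_host=MAIL_RELAY),    # relay sends outbound mail
    Rule("internal", "dmz"),                            # internal may use DMZ services
    Rule("internal", "outside"),                        # internal may reach the Internet
]


def iface_for_address(addr: str) -> str:
    """Interface whose network contains addr; the most specific prefix wins,
    so 0.0.0.0/0 only catches addresses not assigned to an inside interface."""
    ip = ip_address(addr)
    candidates = [(net.prefixlen, name) for name, (_, net) in INTERFACES.items() if ip in net]
    return max(candidates)[1]


def evaluate(in_iface: str, src: str, dst: str, dport: int) -> tuple[str, str]:
    """Return (verdict, reason) for a TCP flow entering on in_iface."""
    src_zone = INTERFACES[in_iface][0]
    # Anti-spoofing: a source belonging to another interface's network cannot
    # legitimately arrive here (e.g. an internal address coming from the Internet).
    if iface_for_address(src) != in_iface:
        return "deny", f"spoofed source {src} on {in_iface}"
    dst_zone = INTERFACES[iface_for_address(dst)][0]
    if dst_zone == src_zone:
        return "allow", "same zone: permitted without further filtering"
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, src, dst, dport):
            return "allow", f"{src_zone}->{dst_zone} permitted by {rule}"
    return "deny", f"{src_zone}->{dst_zone} has no matching permit (default deny)"


if __name__ == "__main__":
    for flow in [("eth0", "198.51.100.7", MAIL_RELAY, 25),
                 ("eth0", "198.51.100.7", EXCHANGE, 25),
                 ("eth1", MAIL_RELAY, EXCHANGE, 25),
                 ("eth1", TS_GATEWAY, EXCHANGE, 445),
                 ("tun-mx", "10.10.3.9", EXCHANGE, 443),
                 ("eth0", "10.0.2.99", EXCHANGE, 445)]:
        print(flow, "->", evaluate(*flow))
```

The point the model makes is the one in the reply: Internet traffic never has a path to the Exchange server itself, only to the DMZ relay, and the Mexico or China tunnel traffic is classified as internal by the interface it arrives on rather than by any address it claims.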

