
Dual Firewall Setup [ FW > DMZ > FW > LAN ]

Hello All,


I am currently building a dual firewall network and am seeking some advice. I am not sure if I am doing it wrong. Below is my current network topology.

 

1.1.x.x       192.168.1.1                      192.168.1.10
Internet > EXT Firewall > DMZ Switch > DMZ Servers
                              |
                        192.168.1.2 ( WAN interface )
                        INT Firewall
                        10.0.0.1    ( LAN interface )
                              |
                        LAN Switch > DB Server ( 10.0.0.10 ) ( 192.168.1.20 DMZ IP )

 

For example, for a DMZ server to access the DB from the DMZ, the traffic has to be NATted from 192.168.1.20 to 10.0.0.10 to reach the DB server. Am I doing it right? Or is there a better and more proper way to do so?



  • Hello Samuel Ip,

    From my point of view your configuration is correct. In practice I see more and more three-armed configurations, though. In my opinion, if some attacker wants to attack YOUR organization at all costs, he probably won't go through your firewall. He will try to get a backdoor through social engineering or try to install some device inside your network ...

    As stated by some users here, it might be a good idea to have different devices here. If money matters you could also use a Layer 3 switch with ACLs.

    However, isn't this plain routing instead of NAT?

    > For example, for a DMZ server to access the DB from the DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to access the DB server. Am I doing it right? Or is there any better and proper way to do so?

    Regards,

    Bernd

     
  • Hello Bernd,

    > For example, for a DMZ server to access the DB from the DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to access the DB server. Am I doing it right? Or is there any better and proper way to do so?

    Explanation of your question.

    I assume plain routing means the DMZ server calls the DB server directly with the 10.0.0.10 IP. The DMZ subnet then has direct access to the 10.0.0.x subnet, assuming the firewall is set to any/any/any.

    NATted means the DMZ server calls the DB server with 192.168.1.20, not directly with 10.0.0.10, as 192.168.1.x has no direct route to 10.0.0.x.

    Or am I wrong?
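The two paths the posts above are contrasting (plain routing versus destination NAT on the INT firewall), traced through a small model of the internal firewall. This is an added example written for this page, not code from the thread or from any firewall product. It uses the addresses from the topology; the DB port (5432), the DNAT table, the idea that 192.168.1.20 is an address held by the INT firewall's WAN interface rather than by the DB server, and the narrow forward policy are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread's topology.
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
EXT_FW_DMZ = "192.168.1.1"   # EXT firewall, the DMZ hosts' default gateway
INT_FW_WAN = "192.168.1.2"   # INT firewall, DMZ-facing ("WAN") interface
DB_DMZ_IP = "192.168.1.20"   # DB server's published DMZ-side address
DB_LAN_IP = "10.0.0.10"      # DB server's real LAN address
DMZ_APP = "192.168.1.10"     # DMZ server that needs the database

# Constructed assumption: the DB listens on 5432; the thread names no product or port.
DB_PORT = 5432

# Addresses the INT firewall answers for on the DMZ side.  In the NATted design
# 192.168.1.20 is assumed to be held by the INT firewall's WAN interface and
# rewritten there, so the DMZ never needs a route into 10.0.0.0/24.
INT_FW_OWNED = {INT_FW_WAN, DB_DMZ_IP}

# Constructed DNAT table: published DMZ-side address -> real LAN address.
DNAT = {DB_DMZ_IP: DB_LAN_IP}

# Constructed forward policy, deliberately narrow: only the DMZ app server, only
# to the DB server, only on the DB port.  The thread's "any any any" firewall
# would let every (src, dst, port) triple through; this list is the
# least-privilege alternative, and it is the actual control in both designs.
FORWARD_ALLOW = [(DMZ_APP, DB_LAN_IP, DB_PORT)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dmz_next_hop(dst: str, lan_route: bool) -> str:
    """Next hop a DMZ host picks for dst.

    Directly attached DMZ addresses are delivered on the DMZ switch; 10.0.0.0/24
    reaches the INT firewall only if the host carries a static route for it
    (lan_route); everything else follows the default route to the EXT firewall.
    """
    ip = ipaddress.ip_address(dst)
    if ip in DMZ_NET:
        return dst
    if ip in LAN_NET and lan_route:
        return INT_FW_WAN
    return EXT_FW_DMZ


def int_firewall(pkt: Packet) -> tuple[Packet | None, str]:
    """INT firewall processing: destination NAT first, then the forward policy."""
    if pkt.dst in DNAT:
        pkt = replace(pkt, dst=DNAT[pkt.dst])
    if (pkt.src, pkt.dst, pkt.dport) in FORWARD_ALLOW:
        return pkt, "allowed by forward policy"
    return None, "dropped by default forward policy"


def deliver(pkt: Packet, lan_route: bool = False) -> dict:
    """Trace a packet from a DMZ host towards the DB server and report the outcome."""
    nh = dmz_next_hop(pkt.dst, lan_route)
    if nh not in INT_FW_OWNED:
        return {"delivered": False,
                "reason": f"sent to {nh}, never reaches the INT firewall"}
    out, why = int_firewall(pkt)
    if out is None:
        return {"delivered": False, "reason": why}
    return {"delivered": True, "final_dst": out.dst, "reason": why}


if __name__ == "__main__":
    cases = {
        "NATted, DMZ host has no LAN route": (Packet(DMZ_APP, DB_DMZ_IP, DB_PORT), False),
        "routed, DMZ host has 10.0.0.0/24 via 192.168.1.2": (Packet(DMZ_APP, DB_LAN_IP, DB_PORT), True),
        "routed, but DMZ host has no LAN route": (Packet(DMZ_APP, DB_LAN_IP, DB_PORT), False),
        "wrong port through the NAT": (Packet(DMZ_APP, DB_DMZ_IP, 22), False),
        "another DMZ host through the NAT": (Packet("192.168.1.99", DB_DMZ_IP, DB_PORT), False),
    }
    for name, (pkt, route) in cases.items():
        print(f"{name}: {deliver(pkt, route)}")
```

Running the cases shows the difference the two posts are circling: with plain routing the DMZ host must know that 10.0.0.0/24 lives behind 192.168.1.2, otherwise the packet follows its default route to the EXT firewall and never arrives; with DNAT the DMZ host only ever talks to 192.168.1.20 and the LAN addressing stays hidden. In both designs the forward policy on the INT firewall, not the NAT, is what limits which DMZ host can reach which LAN service on which port, so an any/any/any rule between the two zones removes the benefit of having the second firewall at all.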
