07-10-2008 02:09 AM - edited 03-11-2019 06:11 AM
Folks,
I have an external router facing the internet,
an ASA inside that,
another firewall behind that, and then my LAN.
I'll have my DMZs (www/SMTP etc.) on my inner firewall, along with a reverse proxy and a proxy for outbound HTTP.
My question:
where should I NAT outbound traffic?
My instinct is on the firewall managing the DMZs, as this box is better for logging etc.
Anyone have any guidance/advice?
Thanks to anyone taking the time to reply.
07-10-2008 07:59 AM
I would only NAT on the firewall connected to the internet router. NATing on multiple firewalls will cause you problems in the future. If you are inspecting traffic you may have to disable or enable inspection of certain traffic types on each firewall. If you require active FTP you may need to enable inspection of FTP traffic on the firewall closest to the source of the FTP client. I typically would not ever recommend using two or more firewalls inline.
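As an added illustration of the design in the accepted answer above (NAT and FTP inspection on the internet-facing ASA only, with that box's syslog forwarded to an internal collector as suggested later in the thread), not configuration posted by anyone here: pre-8.3 ASA syntax; all addresses, interface names and the syslog host are constructed placeholders, and the inner firewall is assumed to be an ASA as well.

```cisco
! Outer ASA: the only box that translates addresses.
! Constructed example addresses: 203.0.113.0/24 public, RFC 1918 inside.
hostname asa-outer
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
! Everything behind the inner firewall is reached via the inner box's outside address
route inside 10.0.0.0 255.0.0.0 10.1.1.2
! Outbound: dynamic PAT of all private space to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Inbound: one static NAT per published DMZ host; the inner firewall only ever
! sees the private address, so it needs no NAT rules of its own
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
! FTP inspection fixes up the addresses embedded in PORT/PASV and opens the
! data-channel pinhole; each stateful firewall in the path that sees the
! control channel needs it for active-mode FTP to work
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
! Keep visibility of the outer box: ship its syslog to the internal collector
logging enable
logging timestamp
logging trap informational
logging host inside 10.20.0.5
!
! Inner firewall (assumed to be an ASA): no NAT, just permit the outer ASA's
! syslog (UDP 514) through to the collector on the LAN
access-list outer_in extended permit udp host 10.1.1.1 host 10.20.0.5 eq 514
access-group outer_in in interface outside
```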
07-10-2008 02:16 AM
Michael,
In my opinion it all depends on how many public IP addresses you have, and what you plan to face the internet (services, VPN etc.).
Personally, I would connect the firewall to the external router and have the ASA on a DMZ for VPNs etc.
Then the only place you have to NAT is on your outside firewall interface, for your internal & DMZ traffic. If you have a class C or even a /240 or below, I would configure the DMZ with the ASA in it, with a subset of the public range; then the only traffic that needs to be NAT'd is internal only.
HTH.
07-10-2008 02:22 AM
Andrew,
Many thanks for your reply, greatly appreciated.
I have the ASA (5540) on the outside with a pretty simple rule base, but the internal firewall is a bigger box which will host approx. 8-10 DMZs including an SSL VPN.
My thoughts are that the bigger internal box provides better logging, but then I'd lose visibility of traffic on the outer firewall.
Thanks again.
07-10-2008 02:37 AM
Hi,
If you are planning to do the NAT on the internal ASA FW box then you need to have two public IP pools:
- one between ASA1 outside and the Internet router
- the other between ASA2 outside and ASA1 inside
Generally what we do is configure the ASA1 box in this scenario in transparent mode (L2), which does the filtering for the permitted traffic at the first level of the perimeter.
The NAT, VPN and DMZ are configured on the ASA2 box. This config only requires one public IP pool.
07-10-2008 03:07 AM
OK, that makes sense.
In this situation, as stated before, have the big firewall facing the internet and the ASA in a DMZ. This allows you to control the flow of traffic with a higher degree. You could, if you wanted, also use the big firewall in a dual-layer topology with the ASA for L2L & remote SSL VPNs.
As the big firewall has all the logging power, you can log everything. For the ASA you have a physical interface or VLAN interface for the outside of the ASA, and a physical or VLAN interface for the inside; you can control what comes into the ASA, and of course what comes out of it onto the internal network.
Or you can keep your setup as you suggest; you should not have to lose the logs from the ASA, just configure the large firewall to allow the syslogs through to your internal syslog server.
HTH.
07-10-2008 12:19 PM
Patrick, and all those who read and replied,
Many thanks for your views.
I've a few more thoughts and things to go over, so again, many thanks.