DMZ Topology change

Unanswered Question
Aug 25th, 2009

I've inherited a DMZ network that doesn't follow good security principles. Some hosts in the DMZ are dual-homed and the 2nd network connection is directly on the internal network:

Internet --- ASA ----- Internal Network
              |  |

(The DMZ is directly connected to the ASA as well but I can't draw it clearly)

What I'd like to do is reconfigure it so I have a dual-firewall setup:


I'm having a difficult time conceptualizing a plan of attack for this work. Can anyone give me their overview on how they'd tackle this task?

Thanks in advance,


Jon Marshall Tue, 08/25/2009 - 13:34


Are you proposing to buy another firewall?

Do you have a proxy server in the DMZ for internal clients to access the Internet?


gregbeifuss Wed, 08/26/2009 - 03:04

I have a 2nd ASA already on hand that I'd like to use.

Internet surfing for our internal clients is handled by a different ISP link/firewall pair. The setup I'm looking to change is only the DMZ for hosted services. Internet requests for our websites/mail need to come in, and the DMZ hosts need to communicate with the back-end internal servers.

Jon Marshall Wed, 08/26/2009 - 06:48


Okay, then it is relatively easy to do as you do not need a direct path between your internal and external ASAs.

Basically what happens is that each server is on 2 vlans.

There is a vlan that is connected to the external ASA and it is on this vlan that requests from the Internet arrive at the servers.

Then there is a vlan that is connected to the internal ASA and it is on this vlan that the servers make connections to your back-end servers inside your network.

You can use multiple vlans, i.e. you don't have to have just one external vlan and one internal vlan; it's up to you.

The key thing is to make sure you disable IP routing on the servers.
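The design in the answer above has three testable properties on each DMZ server: IP forwarding off, the only default route pointing at the external ASA, and the back-end networks reachable only through the internal ASA on the second vlan (never by a direct leg onto the internal network, which is the inherited setup the question describes). The script below is an added example, not from this thread or from Cisco; it audits a Linux DMZ host from the text of `ip -4 route show` and `sysctl net.ipv4.ip_forward`. All addresses, vlans and the two sample route tables are constructed for illustration.

```python
"""Audit a dual-homed DMZ host against the two-firewall design.

Added example (not the thread's own material). Assumed, constructed values:
  external vlan 203.0.113.0/24, external ASA inside address 203.0.113.1
  internal  vlan 10.10.20.0/24, internal ASA DMZ-side address 10.10.20.1
  back-end servers live in 10.0.0.0/8 behind the internal ASA
Input is Linux `ip -4 route show` and `sysctl net.ipv4.ip_forward` output.
"""
import ipaddress
import re

EXTERNAL_VLAN = ipaddress.ip_network("203.0.113.0/24")   # constructed
EXTERNAL_ASA = ipaddress.ip_address("203.0.113.1")       # constructed
INTERNAL_VLAN = ipaddress.ip_network("10.10.20.0/24")    # constructed
INTERNAL_ASA = ipaddress.ip_address("10.10.20.1")        # constructed
BACKEND_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # constructed

# Constructed sample: server on the two DMZ vlans, back-end via the internal ASA.
GOOD_ROUTES = """\
default via 203.0.113.1 dev eth0
10.0.0.0/8 via 10.10.20.1 dev eth1
10.10.20.0/24 dev eth1 proto kernel scope link src 10.10.20.10
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
"""

# Constructed sample: the inherited layout, second NIC plugged straight into
# the internal network, with forwarding left on.
BAD_ROUTES = """\
default via 203.0.113.1 dev eth0
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.5.20
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
"""

ROUTE_RE = re.compile(r"^(default|\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")


def parse_routes(text):
    """Return (destination network, next hop or None, device) per route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst, via, dev = m.groups()
        net = (ipaddress.ip_network("0.0.0.0/0") if dst == "default"
               else ipaddress.ip_network(dst, strict=False))
        routes.append((net, ipaddress.ip_address(via) if via else None, dev))
    return routes


def ip_forward_enabled(sysctl_text):
    """True when sysctl output shows net.ipv4.ip_forward = 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return m is not None and m.group(1) == "1"


def audit(route_text, sysctl_text):
    """Return a list of findings; an empty list means the host matches the design."""
    findings = []
    if ip_forward_enabled(sysctl_text):
        findings.append("ip_forward enabled: host could route between the two vlans")
    routes = parse_routes(route_text)

    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default route, found {len(defaults)}")
    elif defaults[0][1] != EXTERNAL_ASA:
        findings.append(f"default route via {defaults[0][1]}, expected external ASA {EXTERNAL_ASA}")

    # Directly connected networks must be one of the two DMZ vlans and nothing else.
    for net, via, _dev in routes:
        if via is None and net.prefixlen != 0 and net not in (EXTERNAL_VLAN, INTERNAL_VLAN):
            findings.append(f"directly connected to {net}: not one of the two DMZ vlans")

    # Back-end networks must be reached through the internal ASA, not a direct leg.
    for backend in BACKEND_NETS:
        hops = [via for net, via, _dev in routes if net == backend]
        if not hops:
            findings.append(f"no route to back-end {backend} via internal ASA {INTERNAL_ASA}")
        elif hops[0] is None:
            findings.append(f"back-end {backend} is directly attached; should go via internal ASA")
        elif hops[0] != INTERNAL_ASA:
            findings.append(f"back-end {backend} via {hops[0]}, expected internal ASA {INTERNAL_ASA}")
    return findings


if __name__ == "__main__":
    for label, routes, sysctl in (("good", GOOD_ROUTES, "net.ipv4.ip_forward = 0"),
                                  ("bad", BAD_ROUTES, "net.ipv4.ip_forward = 1")):
        print(label, audit(routes, sysctl) or "OK")
```

Run it on a real host by feeding `audit(open(...).read(), ...)` the captured command output; the migration is done for a server when the audit returns no findings, and the "bad" sample shows what the inherited dual-homed layout looks like before the second NIC is moved onto the internal-ASA vlan.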
