01-08-2010 08:33 AM - edited 03-04-2019 07:09 AM
Hi All,
I recently got a challenge to come up with a network design.
From the upstream, each customer will need to be in a VLAN so that the upstream provider can rate limit the customer per VLAN. My network will consist of a DMZ zone (1 firewall and 1 switch) and a Private zone (1 firewall and 1 switch). The DMZ zone will use the IP addresses that the upstream has provided and the Private zone will use internal IP addresses. The servers in the DMZ zone will need to talk to the Private zone servers and vice versa.
Any suggestions on the details of how to proceed with this setup? Below is a simple network diagram of the setup:
Upstream router
      |
      |
      |
DMZ firewall
      |
      |
DMZ switch ---- Customer A (VLAN 1)
      |    ---- Customer B (VLAN 2)
      |
Private firewall
      |
      |
Private switch --- Customer A (VLAN 110)
               --- Customer B (VLAN 120)
01-09-2010 12:46 AM
As I told you, you can configure the firewall in multiple contexts,
I mean the DMZ firewall.
Internally you can have two subinterfaces or two different interfaces, each in a different VLAN.
Externally, to the upstream router, you will have a trunk link, in other words an interface with two subinterfaces.
With multiple contexts you will have something like two virtual firewalls; each VLAN/customer will use a context with a different IP subnet and also different firewall policies.
In this case there will be two inside IP addresses on the DMZ firewall; each one will be the next hop of one customer for the default route.
For communication with the internal network use, as you mentioned, a route pointing to the private firewall.
Good luck
If helpful, rate
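A sketch of the multiple-context layout described in this answer, added here as an example and not configuration from the original post or from Cisco: the DMZ ASA holds one context per customer, each with its own outside subinterface on the upstream trunk and inside subinterface on the DMZ switch trunk. Interface names, the DMZ-side VLAN IDs 11/12, file names, addresses and the sample ACL are all assumptions.

```text
! --- System execution space (configured once, on the DMZ ASA) ---
! "mode multiple" converts the unit to multiple-context mode and reloads it.
mode multiple
! Trunk to the upstream router: one 802.1Q subinterface per customer VLAN.
! Caveat: VLAN 1 is the default native (untagged) VLAN on Cisco trunks, so
! either tag it explicitly on the router side or use a different ID.
interface GigabitEthernet0/0
interface GigabitEthernet0/0.1
 vlan 1
interface GigabitEthernet0/0.2
 vlan 2
! Trunk to the DMZ switch: one subinterface per customer DMZ VLAN (assumed IDs).
interface GigabitEthernet0/1
interface GigabitEthernet0/1.11
 vlan 11
interface GigabitEthernet0/1.12
 vlan 12
! One context (virtual firewall) per customer; each gets its own outside and
! inside subinterface, its own config file, addresses and policy.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context customerA
 allocate-interface GigabitEthernet0/0.1 outside
 allocate-interface GigabitEthernet0/1.11 inside
 config-url disk0:/customerA.cfg
context customerB
 allocate-interface GigabitEthernet0/0.2 outside
 allocate-interface GigabitEthernet0/1.12 inside
 config-url disk0:/customerB.cfg
! --- Inside context customerA (changeto context customerA) ---
! Addresses are documentation-range placeholders, not the poster's.
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface inside
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
! Default route towards the upstream router; the inside address above is the
! default gateway of customer A's DMZ servers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Customer A's private zone sits behind the private firewall, reached via
! that firewall's outside address on the same DMZ VLAN.
route inside 10.110.0.0 255.255.255.0 198.51.100.254
! Per-context policy: only customer A's published service is reachable inbound.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq https
access-group OUTSIDE_IN in interface outside
```

Context customerB is configured the same way with its own addresses and ACL; the private firewall needs a matching per-customer separation on its side so the two private VLANs stay apart.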
01-08-2010 11:12 AM
The only question that comes to mind is why are two firewalls necessary for this setup? Are you limited by the number of interfaces on any firewall?
Thanks.
01-08-2010 11:36 PM
Hi Rais,
There is a need for two layers of firewall in the environment.
01-08-2010 03:49 PM
I think there is not enough information.
Anyway, will the connection from the DMZ firewall to the upstream router be over one link or multiple links,
one for each VLAN? If one link, how will the upstream router distinguish between the two VLANs for rate limiting? Is it by source address?
If you have two interfaces between the upstream router and the DMZ firewall,
and also I will assume no communication is required between customer A and B, in this case you may need to consider running your firewalls in multiple contexts, if they are Cisco firewalls.
Good luck
If helpful, rate
01-08-2010 11:45 PM
Hi Marwanshawi,
The DMZ firewall to the upstream router will be over 1 link, but it will be a trunk so multiple VLANs will ride on it.
The challenge is that my upstream needs to identify each customer via 1 VLAN so that they are able to rate limit the traffic, and on my end I need to allow each customer with servers in the DMZ zone and Private zone to communicate between each other.
I was thinking to have the DMZ firewall running in transparent mode and let the DMZ switch have a router-on-a-stick configuration with my upstream router. The servers in the DMZ zone will have 2 gateways, one to the upstream router for the default route and one to the SVI of the DMZ switch for communicating with the internal zone. And between the DMZ switch, internal firewall and internal switch, it will be pure layer 3.
But this design does not look very elegant.
01-09-2010 03:16 AM
Hi Marwanshawi,
This is very informative. By chance would you know if it supports an HA setup and how many VLANs I can put on a single trunk interface?
And also, there is another type of Cisco product, the zone-based firewall; are they alike?
01-09-2010 03:26 AM
HA with multiple contexts is called active/active mode; you can search for it on cisco.com.
Zone-based firewall is a firewall feature that runs on a Cisco IOS router, not on a firewall appliance like the ASA.
It is useful, but if you have ASAs I would recommend you use them, as they are specialized and more reliable in terms of throughput and CPU while doing traffic inspection and NATing as well.
ASA active active HA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
zone based firewall:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Good luck
If helpful, rate
01-09-2010 03:33 AM
Hi Marwanshawi,
I did some reading up and found that the number of security contexts is at most 50 for the Cisco ASA 5550. This means that at most I can have only 50 customers?
01-09-2010 03:43 AM
You may consider the Cisco Cat6500 with the FWSM firewall module; it gives you 100 virtual interfaces and 100 contexts per module!!
With the FWSM, VPN is not supported, but you can have a VPN module in the 6500 if required. Also you may have a mix: in the DMZ you use the 6500 with FWSM and in the private zone you use an ASA. I think you need to read about each product and compare the features with your requirements, as long as you know what you need!!
Good luck
01-09-2010 06:25 AM
Hi,
It's one of the appropriate and simplest options to have the firewall operate in transparent mode and have each customer in the DMZ directly connected to the router as its gateway through the firewall.
Between both ASAs, you can have an IPsec tunnel so that the users connected to the 1st firewall have access to the DMZ network on the other side and vice versa.
HTH
Mohamed
01-09-2010 07:50 AM
When you run the ASA in transparent mode you need to consider the following limitations:
- The ASA can terminate IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.
- WebVPN and IPSec remote-access VPNs are not supported. You can configure only one site-to-site IPSec tunnel, which needs to be set up in answer mode to respond to a tunnel request.
- Because routing protocols are not supported in transparent mode, reverse route injection (RRI) is also not supported.
Thank you