firewall design help

Unanswered Question
Jun 16th, 2010

Guys, we have a scenario where we have to put in 10 servers. The existing environment has a WAN router (private WAN connected to the core network) through an MPLS cloud from the service provider. It has a 3750 switch as well, connected to the WAN router. Now the new scenario is that we have to put in 10 new servers, one of which will be a webserver (the public will connect through the Internet). The other servers are billing and other servers. From the core, people will be connecting to the billing server and the other servers but not the webserver.

The solution is that we have to get a 10M Internet connection for the webserver, and it's a requirement that no one from outside should connect to the webserver. There are many hosts already connected to the 3750 switch which have to connect to the newly built servers (some of the servers, not all). The client has a requirement that 4 servers should be part of one DMZ, the webserver should be in a DMZ alone, and the other servers have to be in a different DMZ. Guys, what would be the best approach to do this? Where will the firewall sit and what is the way to do it? I'm very new to this; some help and professional advice would be really appreciated. Secondly, the client has asked that they want some solid security by adding intrusion detection. What should be my choice, as I have never used one before? All I am asking is how the network should be physically connected, etc.

Thanks a million

JORGE RODRIGUEZ Wed, 06/16/2010 - 11:52

Hi there, to get you started it would be nice if you could attach a basic diagram of your current network topology that includes where the current servers are, your Internet perimeter, etc., and a new diagram depicting your new requirements, where the 10MB Internet will be provisioned, etc. Putting a visual picture together will help us grasp your new requirements and provide some recommendations. Also include what firewalls you have: ASA? PIX? Codes?

From your description it sounds like your new requirement is to deploy 10 new servers where the existing server farm is on the 3760, and one of the 10 servers (webserver) will be for public use and not to be accessed by internal users? I'm not too clear on this one, since your next paragraph indicates the new 10MB solution will not permit outside users to connect to the webserver.

I think a current network diagram and a new solution diagram will definitely help. Could you post that?

Regards

The_guroo_2 Thu, 06/17/2010 - 01:52

Thanks for your kind reply. Now I will explain it again. As I am at a customer site which is very remote and I don't have Visio (otherwise I would have drawn a nice diagram), I will explain it again.

Current scenario

A 2821 router connecting to a 3750 switch, and hosts are connecting to that switch. The 2821 is connected to the WAN (private WAN which connects back to the core network).

New scenario

The WAN will remain the same, but now we have to get an Internet connection and add 7 servers to the environment, in which one will be the webserver so that people from the Internet can access it. But the servers should not talk to each other, so all servers have to be in different DMZs; it has to be in different DMZs. All the hosts are supposed to talk to the servers but not the webserver. Now my question is: what should be the scenario to put the firewall in? Should we attach the servers to the existing switch, or do we get another switch to add the servers and trunk it to the firewall? In terms of firewall, what firewall should we get? In terms of DMZs, I tried to search on the Cisco site but it doesn't tell how many DMZs you can have in one firewall.

Panos Kampanakis Thu, 06/17/2010 - 12:38

It is not a matter of DMZs, it is a matter of interfaces. And that depends on your license.

As for what firewall to choose, I would suggest you look at the 5500 series here http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html and choose the one that can suffice for your traffic profiles.

Do "sh ver" on your firewall and check the maximum number of interfaces allowed.

I hope it helps.

PK
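As an added example (not code from the thread, and not Cisco's), the Python below models the two things Panos's reply turns on: reading the interface and VLAN limits out of the license block of `show version`, and checking that a set of firewall interfaces with security levels and inbound ACLs actually enforces the poster's requirements (Internet to the webserver only, hosts to billing but not the webserver, no DMZ-to-DMZ traffic). The `show version` text is constructed to look like ASA 8.x output with invented values; the segment names, security levels and the ACL abstraction (an ACE names a destination interface rather than addresses and ports) are my assumptions. The flow rules are the ASA defaults: a higher security level may initiate to a lower one, lower to higher needs an ACL, equal levels are blocked unless same-security inter-interface traffic is permitted, and an inbound ACL applied to an interface replaces the default with first-match and an implicit deny.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: shaped like the license block of an ASA 8.x "show version",
# but every value here is invented for this example, not read from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Inside Hosts                 : Unlimited
Failover                     : Disabled
Security Contexts            : 0
This platform has a Base license.
"""

def parse_license(show_version):
    """Return {feature: raw value} for every 'Name : value' line."""
    feats = {}
    for line in show_version.splitlines():
        m = re.match(r"^([A-Za-z][\w /-]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats

def to_limit(raw):
    """'Unlimited' -> None (no cap); '3, DMZ Restricted' -> 3; '50' -> 50."""
    if raw.lower().startswith("unlimited"):
        return None
    return int(re.match(r"\d+", raw).group())

# Segments the poster's requirements imply (labels are my own assumption):
# Internet side, existing hosts, webserver alone, the 4-server DMZ, the rest.
SEGMENTS = ["outside", "inside", "dmz-web", "dmz-billing", "dmz-other"]

def license_fits(show_version, segments=SEGMENTS):
    """True if the licensed counts cover one L3 interface per segment.

    On a trunk from the server switch each DMZ is a VLAN sub-interface, so
    'Maximum VLANs' is the binding cap; with one port per DMZ it is the
    physical count. Checking both is the conservative choice.
    """
    feats = parse_license(show_version)
    for key in ("Maximum Physical Interfaces", "Maximum VLANs"):
        limit = to_limit(feats.get(key, "0"))
        if limit is not None and limit < len(segments):
            return False
    return True

@dataclass
class Iface:
    name: str
    level: int                                # security-level 0..100
    acl: list = field(default_factory=list)   # inbound ACEs: (action, dst iface | 'any')

def permitted(ifaces, src, dst, same_security_inter=False):
    """Would a new connection from interface src to interface dst be allowed?"""
    s, d = ifaces[src], ifaces[dst]
    if s.acl:                         # access-group applied: first match, implicit deny
        for action, target in s.acl:
            if target in ("any", dst):
                return action == "permit"
        return False
    if s.level > d.level:             # default: high -> low is permitted
        return True
    if s.level == d.level:            # equal levels: blocked unless explicitly allowed
        return same_security_inter
    return False                      # low -> high: denied without an ACL

def plan():
    """Candidate interface plan (levels and ACLs are my assumptions)."""
    return {
        "outside":     Iface("outside", 0, acl=[("permit", "dmz-web")]),
        "inside":      Iface("inside", 100, acl=[("deny", "dmz-web"), ("permit", "any")]),
        "dmz-web":     Iface("dmz-web", 50),
        "dmz-billing": Iface("dmz-billing", 50),
        "dmz-other":   Iface("dmz-other", 50),
    }

def check_requirements(ifaces):
    """Map each stated requirement to whether the plan meets it."""
    wanted = {
        "internet reaches webserver":     (("outside", "dmz-web"), True),
        "internet blocked from billing":  (("outside", "dmz-billing"), False),
        "hosts reach billing":            (("inside", "dmz-billing"), True),
        "hosts blocked from webserver":   (("inside", "dmz-web"), False),
        "webserver cannot reach billing": (("dmz-web", "dmz-billing"), False),
        "billing cannot reach hosts":     (("dmz-billing", "inside"), False),
    }
    return {name: permitted(ifaces, *flow) == want
            for name, (flow, want) in wanted.items()}

if __name__ == "__main__":
    print("license covers the segments:", license_fits(SAMPLE_SHOW_VERSION))
    for req, ok in check_requirements(plan()).items():
        print(("ok  " if ok else "BAD ") + req)
```

The point the model makes visible: with default rules alone, the inside interface (level 100) would happily reach the webserver DMZ (level 50), so the "hosts must not talk to the webserver" requirement only holds because an ACL is applied inbound on inside. Giving every DMZ the same security level makes the server-to-server isolation fall out of the defaults, and one interface or sub-interface per DMZ is what the license limit in `show version` has to cover.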
