Cisco Support Community

2 layers of firewall Implementation Design

Dears, I'll be going for this design below:

Internet-----Firewall1-----Firewall2-----Core switches-----Distribution switches-----End users

Firewall1: outer interface to the internet, internal interface to Firewall2, DMZ interface to DNS, email server, Bluecoat (guest users), Websense (wired users' internet access).
Firewall2: outer interface to Firewall1, DMZ interface to the server farm, internal interface for the core switches.

Now, in order for both wired and wireless users to have their internet traffic directed to Bluecoat and then from Bluecoat to the internet, routing should be enabled between the 2 firewalls, so is it ok? Or shall I configure all users to have a default gateway to Firewall1 and then have Firewall1 configured to route traffic to both Websense and Bluecoat? Also, while traffic is coming back from Firewall1 heading to Firewall2, should I open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a low-level interface to a higher level?

Accepted Solution

routing should be enabled between 2 firewalls so is it ok?

Surely it's ok and it should be done. You may use dynamic routing or just static routes. Final goal is to provide full IP reachability between your clients and WebFiltering services.

or shall i configure all users to have a default gateway to firewall1

You can't configure firewall 1 inside IP as default gateway for your clients, cause default gateway IP should be in the same LAN segment (broadcast domain).

also while traffic is coming back from firewall1 heading to firewall2 i should open some ports on Firewall2 because by default it wont be allowing any traffic since it will be going from low level interface to higher level?

If we're talking about general web traffic, then you don't have to configure any ACLs on the outside interface of the FW2, cause web traffic will be inspected by default (at least as TCP). That means, when a client connects to, say, cisco.com, returning traffic will be allowed by default, cause there'll be an entry in the state table.
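A small Python model of the two points made in this answer, added here as an illustration (it is not code from the thread, from Cisco, or from any ASA release): a client's default gateway has to sit on the client's own subnet, and a stateful firewall with security levels lets traffic back in from a low-security interface only when an earlier outbound packet from the high-security side created the state entry. The interface names, security levels and addresses (10.10.0.0/16 for the core/user side, 10.20.0.0/24 for the server farm, 198.51.100.10 as a stand-in web host) are constructed for the example; explicit ACLs are deliberately not modelled.

```python
"""Toy model of ASA-style security levels and stateful return traffic.

Simplified illustration, not Cisco code: interfaces carry a security level
(100 = most trusted, 0 = least), a packet is allowed by default when it
moves from a higher level to a lower one, and the reply is allowed only
because the outbound packet left an entry in the state table.
"""
import ipaddress
from dataclasses import dataclass


def gateway_is_on_link(client_iface: str, gateway_ip: str) -> bool:
    """True if the gateway shares the client's subnet (broadcast domain)."""
    client = ipaddress.ip_interface(client_iface)
    return ipaddress.ip_address(gateway_ip) in client.network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, name: str, interfaces: dict):
        # interfaces: {ifname: (security_level, network)}. The 0.0.0.0/0
        # entry plays the role of the static default route towards FW1.
        self.name = name
        self.routes = sorted(
            ((ipaddress.ip_network(net), ifname, level)
             for ifname, (level, net) in interfaces.items()),
            key=lambda r: r[0].prefixlen, reverse=True)  # longest match first
        self.state = set()   # 4-tuples (src, sport, dst, dport) of allowed flows
        self.log = []

    def _interface_for(self, ip: str):
        """Longest-prefix lookup: which interface does this address sit behind?"""
        addr = ipaddress.ip_address(ip)
        for net, ifname, level in self.routes:
            if addr in net:
                return ifname, level
        raise ValueError(f"no route to {ip}")

    def process(self, pkt: Packet) -> bool:
        in_if, in_lvl = self._interface_for(pkt.src)    # arriving interface
        out_if, out_lvl = self._interface_for(pkt.dst)  # leaving interface
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.state:
            verdict, allowed = "ALLOW (state-table match)", True
        elif in_lvl > out_lvl:
            self.state.add(fwd)  # outbound flow creates the state entry
            verdict, allowed = "ALLOW (high->low, state created)", True
        else:
            verdict, allowed = "DROP (low->high, no state, no ACL)", False
        self.log.append(f"{self.name}: {in_if}->{out_if} {fwd} {verdict}")
        return allowed


def build_fw2() -> StatefulFirewall:
    # Constructed addressing for the thread's Firewall2 (assumption, not from the page).
    return StatefulFirewall("FW2", {
        "inside": (100, "10.10.0.0/16"),   # core switches / end users
        "dmz": (50, "10.20.0.0/24"),       # server farm
        "outside": (0, "0.0.0.0/0"),       # link to Firewall1 = default route
    })


def run_scenario(fw: StatefulFirewall) -> list:
    """Returns the verdicts for: outbound HTTPS, its reply, an unsolicited inbound SYN."""
    client, web = "10.10.5.20", "198.51.100.10"  # constructed client and web host
    return [
        fw.process(Packet(client, 51000, web, 443)),   # inside -> outside: allowed
        fw.process(Packet(web, 443, client, 51000)),   # reply matches state: allowed
        fw.process(Packet(web, 443, client, 445)),     # no state, low -> high: dropped
    ]


if __name__ == "__main__":
    print(gateway_is_on_link("10.10.5.20/24", "10.10.5.1"))   # FW2 inside: True
    print(gateway_is_on_link("10.10.5.20/24", "192.0.2.1"))   # FW1 inside: False
    fw2 = build_fw2()
    print(run_scenario(fw2))                                   # [True, True, False]
    print("\n".join(fw2.log))
```

The third packet is the case the question worries about: it arrives on the outside (level 0) interface of FW2 heading for the inside (level 100) network, has no matching state entry, and so is dropped without any ACL being configured, while the second packet, the reply to a client-initiated connection, passes because of the entry the first packet created.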

2 REPLIES



Super answer, thanks. So shall I go on with this design? Is it secure enough, or is there something that I could add?
