I have seen two ways to deploy DMZ's. One has an interface off the ASA become a DMZ and then you configure all the associated rules, NAT etc for traffic flow, inside to DMZ and DMZ to inside.
I have also see ASA's deployed with a simple Inside and Outside port arrangement with a DMZ layer present just inside the ASA inside interface and then another firewall (ASA or FWSM) upstream from that. Is one better than the other, or, more recommendable than the other?
The DMZ services in this case can be considered to be, email server, web portal, in-line IDS.
No, this isn't what I am referring to. I simply asking if having a dmz vlan and an inside vlan from the same ASA running through the same phsycial switch (logical separation vs. physical separation) is viewed as a best practice?
It used to be viewed as a not optimal solution because you are one command in the switch away from having your dmz lan linked directly to your inside secure network, completely bypassing the firewall.
I've never seen anything suggesting one way is better than the other. But if i'm reading correctly, it sounds like in the second scenario, the dmz is 'inline' with all inbound data. personally, i wouldn't want all inbound/outbound traffic passing through a dmz.
I can understand that alright. Sort of why I'm asking. Though, in this layered approach there is typically another layer of firewall that separates the inbound traffic from the DMZ traffic. The DMZ traffic is inline with the inbound data prior to the first front-line firewall in any case...that first firewall serving as a first layer of defense for access-list acceptance and deep inspection.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...