Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

DMZ Topology change

I've inherited a DMZ network that doesn't follow good security principles. Some hosts in the DMZ are dual-homed and the 2nd network connection is directly on the internal network:

Internal --- ASA ----- Internal Network

| |


(The DMZ is directly connected to the ASA as well but I can't draw it clearly)

What I'd like to do is reconfigure it so I have a dual-firewall setup:


I'm having a difficult time conceptualizing a plan of attack for this work. Can anyone give me their overview on how they'd tackle this task?

Thanks in advance,


Hall of Fame Super Blue

Re: DMZ Topology change


Are you proposing to buy another firewall ?

Do you have a proxy server in the DMZ for internal clients to access the Internet ?


New Member

Re: DMZ Topology change

I have a 2nd ASA already on hand that I'd like to use.

Internet surfing for our internal clients is handled by a different ISP link/firewall pair. The setup I'm looking to change is only the DMZ for hosted services. Internet requests for our websites/mail need to come in, and the DMZ hosts need to communicate with the back-end internal servers.

Hall of Fame Super Blue

Re: DMZ Topology change


Okay, then it is relatively easy to do as you do not need a direct path between your internal and external ASAs.

Basically what happens is that each server is on 2 vlans.

There is a vlan that is connected to the external ASA and it is on this vlan that requests from the Internet arrive at the servers.

Then there is a vlan that is connected to the internal ASA and it is on this vlan that the servers make connections to your back-end servers inside your network.

You can use multiple vlans ie. you dont have to have just one external vlan and one internal vlan - its up to you.

Key thing is to make sure you disable IP routing on the servers.


CreatePlease to create content