Community Member

Firewall Interface design


We plan a two tier firewall with the physical topology like this:

WWW --------------- FW1-----------FW2-----------------INTERNAL

We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NAT'ing in the design.

My plan will be to have Internal IP addresses (RFC1918) between FW1 and FW2 so that FW2 cannot be accessed publicly.


If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'Intermediate' zone (between FW1 and FW2) ?

So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1, Gi0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?

Hope this is clear.



Hall of Fame Super Silver

Using the single interface

Using the single interface between FW1 and FW2 will be fine.

You just need to ensure your routing steers the traffic correctly, NAT statements are aligned and access-lists allow the necessary flows.

The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1 yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface. 
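The routing, NAT and access-list pieces the answer above describes, shown as an added example (not configuration from the thread or from anyone's production firewalls). It assumes both firewalls are ASAs running 8.3+ NAT syntax, a constructed RFC1918 transit link 10.255.0.0/30 between FW1 inside and FW2 outside, and a constructed public block 198.51.100.0/24 that the ISP routes to FW1's outside address; all addresses and object names are placeholders.

```cisco
! ===== FW1 (edge, no NAT) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.0.1 255.255.255.252
! Default route to the ISP on the outside interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Public addresses of the DMZ servers live behind FW2: send them to
! FW2's outside interface over the single transit link
route inside 198.51.100.10 255.255.255.255 10.255.0.2
route inside 198.51.100.11 255.255.255.255 10.255.0.2
! Only the published services are allowed in from the Internet
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.11 eq 25
access-group OUTSIDE_IN in interface outside

! ===== FW2 (does the NAT, hosts the DMZ subinterfaces) =====
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
interface GigabitEthernet0/0.100
 vlan 100
 nameif dmz1
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif dmz2
 security-level 50
 ip address 192.168.200.1 255.255.255.0
! Everything not local goes back to FW1 over the transit link
route outside 0.0.0.0 0.0.0.0 10.255.0.1
! Static NAT: public address -> real DMZ server
object network DMZ1_WEB
 host 192.168.100.10
 nat (dmz1,outside) static 198.51.100.10
object network DMZ2_MAIL
 host 192.168.200.10
 nat (dmz2,outside) static 198.51.100.11
! On 8.3+ the ACL references the real (untranslated) address
access-list OUTSIDE_IN extended permit tcp any object DMZ1_WEB eq 443
access-list OUTSIDE_IN extended permit tcp any object DMZ2_MAIL eq 25
access-group OUTSIDE_IN in interface outside
```

The two DMZs stay separated by FW2's own interface policy; nothing on the transit link needs to distinguish them, which is why one interface on each side is enough. `packet-tracer input outside tcp 192.0.2.5 12345 198.51.100.10 443` on FW1 and then on FW2 is the quickest way to confirm the route, ACL and NAT phases line up end to end.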

Hall of Fame Super Blue

You can have a single

