We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NAT'ing in the design.
My plan will to have Internal IP addresses (RFC1918) between FW1 and FW2 so that FW2 cannot be accessed publically.
If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'Intermediate' zone (between FW1 and FW2) ?
So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1, Gi 0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?
Using the single interface between FW1 and FW2 will be fine.
You just need to ensure your routing steers the traffic correctly, nat statements are aligned and access-lists allow the necessary flows.
The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1 yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...