FWSM placing it behind or in front of the MSFC

MICHAEL CICCONE
Level 1

Hello,

I'm trying to find out more information on which option is better for me... Should I place the FWSM Blade behind or in front of the MSFC? I have a typical Data Center with several Web servers which then need to talk to the Application servers which in turn talk to the DB Servers. I was thinking routed single mode for FWSM is the best route but I'm not sure about the placement of the MSFC.

Thanks

Mike

4 Replies

Jon Marshall
Hall of Fame

Hi Mike

It depends on what you want to firewall. We have a similar setup with application servers and database servers. What are your requirements?

If you want to firewall the web servers from the users, then firewall the communication between the web servers and the application servers and then the communication between the application servers and the database servers, then you want the MSFC in front of the FWSM. You would then have separate DMZs for each set of servers.

If you have the MSFC behind the firewall then you would route between the server vlans and you probably don't want that.

Are the web servers, application servers, and database servers on separate VLANs? This would make it easier to deploy the FWSM in routed mode.

HTH

Yes, the Web servers, application servers, and DB Servers are on separate VLANs. What I'm trying to do is only allow access to the web servers. No one should be able to access the back end equipment (DB servers and application servers), although the Web servers do need to talk to the application servers.

Mike

Do you want to firewall the web servers? If not, they can be on a normal routed VLAN. If you do, put them in their own DMZ.

The application servers and the database servers could share a DMZ, but as you have up to 256 DMZs it would make sense to have them on separate DMZs. This would increase your security, but you will need to know the ports used for communication.

How do you intend to manage the servers? If you have a separate management NIC and you are firewalling the web servers, then you would only need to advertise out a route to the web servers. If you want to manage the apps/db servers through their data NICs, then you will need to advertise the routes for these DMZs as well.

In single mode you can use RIP or OSPF on the FWSM to advertise out its subnets. Or you can just put statics on the 6500s pointing to the outside interface of the FWSM. These statics would need redistributing into your routing protocol.

Whichever way you decide to go you definitely want the FWSM behind the MSFC.

HTH
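The design in the reply above (MSFC in front of the FWSM, one routed DMZ per server tier, statics on the 6500 redistributed into the IGP) as a worked configuration. This is an added example and not configuration posted by either participant: the FWSM slot number, VLAN numbers, 10.0.0.0/8 addresses and application ports (8080 to the app tier, 1433 to the DB tier) are constructed assumptions; replace them with your own. ACLs are applied on every FWSM interface, so the only flows that pass are users to the web tier on 80/443, web to app, and app to DB; everything else is denied and logged, which gives you a record of anything trying to reach the back-end tiers directly.

```cisco
! ---------- Catalyst 6500 / MSFC side (in front of the FWSM) ----------
! Hand VLANs 10,20,30,40 to the FWSM in slot 3 (slot is an assumption)
firewall vlan-group 1 10,20,30,40
firewall module 3 vlan-group 1
!
! VLAN 10 is the only routed hop between MSFC and FWSM (constructed addresses)
interface Vlan10
 description Link to FWSM outside interface
 ip address 10.0.0.1 255.255.255.0
!
! Statics for each DMZ point at the FWSM outside address ...
ip route 10.10.20.0 255.255.255.0 10.0.0.2   ! web DMZ
ip route 10.10.30.0 255.255.255.0 10.0.0.2   ! app DMZ (only if managed via data NIC)
ip route 10.10.40.0 255.255.255.0 10.0.0.2   ! db DMZ  (only if managed via data NIC)
!
! ... and are redistributed so the rest of the network learns them
router ospf 1
 redistribute static subnets

! ---------- FWSM side (single context, routed mode) ----------
hostname FWSM
! Servers keep their real addresses; no translation required
no nat-control
!
interface Vlan10
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
interface Vlan20
 nameif web-dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 nameif app-dmz
 security-level 75
 ip address 10.10.30.1 255.255.255.0
interface Vlan40
 nameif db-dmz
 security-level 100
 ip address 10.10.40.1 255.255.255.0
!
! Default route back to the MSFC
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! Users -> web tier only, HTTP/HTTPS only; nothing reaches app or db from outside
access-list OUTSIDE_IN extended permit tcp any 10.10.20.0 255.255.255.0 eq 80
access-list OUTSIDE_IN extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Web tier -> app tier on the application port (8080 assumed)
access-list WEB_OUT extended permit tcp 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.0 eq 8080
access-list WEB_OUT extended deny ip any any log
access-group WEB_OUT in interface web-dmz
!
! App tier -> db tier on the database port (1433 assumed)
access-list APP_OUT extended permit tcp 10.10.30.0 255.255.255.0 10.10.40.0 255.255.255.0 eq 1433
access-list APP_OUT extended deny ip any any log
access-group APP_OUT in interface app-dmz
!
! DB tier initiates nothing; replies to the app tier are allowed by state
access-list DB_OUT extended deny ip any any log
access-group DB_OUT in interface db-dmz
```

Because the FWSM is stateful, return traffic for each permitted connection is allowed automatically; the ACLs only need to describe who may initiate. If the app and db servers are managed over a separate management NIC, drop their two statics on the MSFC and those subnets are not reachable from the user side at all, which is the outcome the thread is after.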

Thanks for the help. I'm sure I'll be posting more questions soon.

Mike (green guy :-)