Server setup in DMZ Environment

Hi,

I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.


Proposed Setup

1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
3) The APP server and Jump server are placed behind the Server switches.


Requirement

1) External customers need to access the Jump server and APP server over the Internet IPsec VPN.
2) Internal (Corporate) users need to access the Jump server and App server.
3) Any user accessing the Jump server would need to be authenticated by a Domain controller. The Domain controller would be on the Internal corporate segment.

Questions

1) With the current design, Internal users have to pass the DMZ FW and Internet FW to access the servers. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to the DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
2) If there are multiple customers with IPsec VPNs coming in, can VLANs be defined and access given accordingly to the servers?

Appreciate your inputs.

Cheers

Mikey

Could anyone please reply to this.

Thanks in advance.

Hi,

Can anyone please reply to this? Or else please guide me if I need to take this to another forum?

Thanks

Mikey

Hi Mikey,

I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we keep the DMZ zone/DMZ firewall for the server/hosting environment that external parties require access to, for example a web server / application server.

So your design requires some change in order to have a better architecture:

internet
|
router
|
external SW
|
internet facing firewalls
|
DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall)

Internet facing Firewall
|
LAN Interface SW (Inside Interface of the firewall)
|
LAN FW (If you really want to keep it)
|
Corporate Network

Regards

Karthik

Hi Karthik,

Thanks for your reply. My Corporate Zone is not behind the DMZ as such. I have just depicted that the DMZ FW separates my corporate zone from the External network, or External DMZ if you would say.

So, if the traffic from outside follows this path, then would it make sense to have a separate pair of switches behind the DMZ switches to connect those servers? This is for making it more scalable (in case more servers come in).

Internet--> External switch--->External FW--->DMZ Sw--->Jump servers

Thanks

Mikey

Yeah. For outside users to access the application server through VPN:

internet -->external switch -->internet fw (dmz interface)-->dmz-sw--server LAN (Jump/App Server)

If it is for the corporate users:

internet -->external switch -->internet fw (inside interface)-->corp lan network

You can make inside-to-dmz or dmz-to-inside access for corp users' access.

You can tweak as per your requirement.

Regards

Karthik

Hi Mikey,

So if you keep the setup like that, then you can terminate your IPsec VPN on the internet firewall, providing access to the DMZ servers, i.e. the jump server and app server, for your external clients. For authentication you can point the AAA configuration for the VPN to your inside AD/DC server.

So your corporate users can access the jump server and application server from the corporate network:

corp network-->inside interface --> dmz--->app and jump servers

corp network --->inside interface -->outside -->general internet access

external clients -->outside interface-->dmz zone -- app and jump servers

So all these would be possible in that way.

Regards

Karthik
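
As an added illustration that is not part of the thread, the three flows listed in the reply above, plus the jump server's authentication path back to the inside DC from the original requirement, can be written down as a default-deny zone policy and checked before any firewall is touched. The zone names (outside, dmz, inside) come from the thread; the rule set and port numbers are my assumptions, not a configuration from any Cisco device.

```python
from dataclasses import dataclass

# Zone names follow the interfaces named in the thread: outside, dmz, inside.
# Constructed rule set for this example, not a config from the thread or any Cisco device.
@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset
    via_vpn: bool = False   # True: reachable only through the IPsec tunnel terminated on the internet FW

POLICY = (
    # corp users -> jump server (SSH/RDP) and app server (HTTPS) in the DMZ
    Rule("inside", "dmz", frozenset({22, 443, 3389})),
    # corp users -> general internet via the outside interface
    Rule("inside", "outside", frozenset({80, 443})),
    # external customers -> DMZ servers, but only from inside the IPsec VPN
    Rule("outside", "dmz", frozenset({22, 443, 3389}), via_vpn=True),
    # jump server -> inside DC for authentication only (Kerberos, LDAP, LDAPS)
    Rule("dmz", "inside", frozenset({88, 389, 636})),
)

def is_allowed(src_zone: str, dst_zone: str, dst_port: int, via_vpn: bool = False) -> bool:
    """Default-deny lookup: a flow passes only if some rule matches it."""
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if dst_port not in rule.dst_ports:
            continue
        if rule.via_vpn and not via_vpn:
            continue   # plain internet client hitting a VPN-only rule
        return True
    return False

def audit_thread_flows() -> dict:
    """Evaluate the flows from the thread plus a few that must stay closed."""
    return {
        "corp->jump rdp": is_allowed("inside", "dmz", 3389),
        "corp->internet https": is_allowed("inside", "outside", 443),
        "customer(vpn)->app https": is_allowed("outside", "dmz", 443, via_vpn=True),
        "customer(no vpn)->app https": is_allowed("outside", "dmz", 443),
        "jump->dc ldaps": is_allowed("dmz", "inside", 636),
        "jump->corp smb": is_allowed("dmz", "inside", 445),
        "customer(vpn)->inside https": is_allowed("outside", "inside", 443, via_vpn=True),
    }

if __name__ == "__main__":
    for flow, ok in audit_thread_flows().items():
        print(f"{flow:30} {'permit' if ok else 'deny'}")
```

The last three entries are the ones worth keeping closed: a DMZ host should reach the inside network only for authentication, and a VPN customer should land in the DMZ, never on the inside interface.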
