I am setting up a DMZ environment so that external customers can access my servers sitting in the DMZ. I have attached the diagram for reference.
Setup:
1) 2x ISP links (redundant). IPsec connections from customers terminate on our Internet-facing FWs.
2) There are 2 DMZ FWs separating the corporate (internal) and external environments.
3) The APP server and jump server are placed behind the server switches.
Requirements:
1) External customers need to access the jump server and APP server over the Internet IPsec VPN.
2) Internal (corporate) users need to access the jump server and APP server.
3) Any user accessing the jump server would need to be authenticated by a domain controller. The domain controller would be on the internal corporate segment.
Questions:
1) With the current design, internal users have to pass the DMZ FW and the Internet FW to access the servers. Is that recommended? Is it OK to connect the servers behind a separate pair of server switches, or can they connect directly to the DMZ switches? What is the best possible (standard) solution that is generally followed in this case?
2) If there are multiple customers with IPsec VPNs coming in, can VLANs be defined and access to the servers granted accordingly?
I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we keep the DMZ zone / DMZ firewall for the server/hosting environment where external parties require access to those servers, for example web servers / application servers.
So your design requires some changes in order to have a better architecture:
internet facing firewalls
DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall)
Internet facing Firewall
LAN Interface SW (Inside Interface of the firewall)
Thanks for your reply. My corporate zone is not behind the DMZ as such. I have just depicted that the DMZ FW separates my corporate zone from the external network, or external DMZ if you would say.
So, if the traffic from outside follows this path, would it make sense to have a separate pair of switches behind the DMZ switches to connect those servers? This is for making it more scalable (in case more servers come in).
So if you keep the setup like that, then you can terminate your IPsec VPN on the Internet firewall, providing access to the DMZ servers (i.e. the jump server and app server) for your external clients. For authentication you can point the AAA configuration for the VPN to your inside AD/DC server.
So your corporate users can access the jump server and application server from the corporate network:
corp network-->inside interface --> dmz--->app and jump servers
corp network --->inside interface -->outside -->general internet access
external clients -->outside interface-->dmz zone -- app and jump servers
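The three-zone model described in this reply (inside / dmz / outside, IPsec terminated on the Internet firewall, AAA pointed at the inside DC), written out as an added Cisco ASA configuration example. This is not configuration from the original thread or from the poster's diagram: the platform (ASA 9.x), interface names, all addresses (RFC 5737 documentation ranges), the customer peer, the jump server port (RDP/3389) and the app port (443) are assumptions made for illustration.

```cisco
! --- Zones: security levels make outside<dmz<inside; ACLs below are explicit anyway ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- Objects (all addresses are assumed/illustrative) ---
object network DMZ-JUMP
 host 192.0.2.10
object network DMZ-APP
 host 192.0.2.20
object-group network DMZ-SERVERS
 network-object object DMZ-JUMP
 network-object object DMZ-APP
object network CORP-LAN
 subnet 10.0.0.0 255.255.0.0
object network CORP-DC
 host 10.0.1.10
object network CUSTOMER-A-LAN
 subnet 172.16.10.0 255.255.255.0
!
! --- corp -> dmz (only the two servers, only their service ports), then corp -> internet ---
access-list INSIDE_IN extended permit tcp object CORP-LAN object DMZ-JUMP eq 3389
access-list INSIDE_IN extended permit tcp object CORP-LAN object DMZ-APP eq 443
access-list INSIDE_IN extended deny ip object CORP-LAN 192.0.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip object CORP-LAN any
access-group INSIDE_IN in interface inside
!
! --- external clients (decrypted VPN traffic) -> dmz servers only ---
! 'no sysopt connection permit-vpn' forces VPN traffic through this ACL instead of bypassing it
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp object CUSTOMER-A-LAN object DMZ-JUMP eq 3389
access-list OUTSIDE_IN extended permit tcp object CUSTOMER-A-LAN object DMZ-APP eq 443
access-group OUTSIDE_IN in interface outside
!
! --- dmz -> inside: servers may reach the DC for AD auth (LDAP/LDAPS, Kerberos, DNS) and nothing else ---
access-list DMZ_IN extended permit tcp object-group DMZ-SERVERS object CORP-DC eq 389
access-list DMZ_IN extended permit tcp object-group DMZ-SERVERS object CORP-DC eq 636
access-list DMZ_IN extended permit tcp object-group DMZ-SERVERS object CORP-DC eq 88
access-list DMZ_IN extended permit udp object-group DMZ-SERVERS object CORP-DC eq 88
access-list DMZ_IN extended permit udp object-group DMZ-SERVERS object CORP-DC eq 53
access-group DMZ_IN in interface dmz
!
! --- AAA: VPN-related authentication pointed at the inside AD/DC, as the reply suggests ---
aaa-server CORP-AD protocol ldap
aaa-server CORP-AD (inside) host 10.0.1.10
 ldap-base-dn dc=corp,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=corp,dc=example,dc=com
 ldap-login-password <redacted>
 server-type microsoft
!
! --- Site-to-site IKEv2 IPsec for customer A, terminated on the outside interface ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! interesting traffic: only the two DMZ servers <-> customer A's LAN
access-list VPN-CUSTOMER-A extended permit ip object-group DMZ-SERVERS object CUSTOMER-A-LAN
crypto map OUTSIDE_MAP 10 match address VPN-CUSTOMER-A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <redacted>
 ikev2 local-authentication pre-shared-key <redacted>
! NAT exemption so VPN traffic keeps real addresses
nat (dmz,outside) source static DMZ-SERVERS DMZ-SERVERS destination static CUSTOMER-A-LAN CUSTOMER-A-LAN no-proxy-arp route-lookup
```

The three points worth checking in a setup like this: the customer's crypto ACL names only the DMZ servers, so nothing on the corporate side is ever "interesting traffic"; the dmz-to-inside ACL is reduced to the AD ports the jump/app servers actually need, so a compromised DMZ host cannot roam the corporate LAN; and VPN traffic is subject to the outside ACL rather than bypassing it. A second customer is added as another crypto map entry, tunnel-group and object, each with its own narrowly scoped ACL lines.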