I am working on taking our ASA5510 into the 21st century and putting a two-tiered DMZ into place. I just wanted some advice on how a tiered DMZ is typically configured and used. To start off, we are 100% virtualized, so this will all be done with sub-interfaces and 802.1q trunks on our inside physical interface.
I have laid it out like this: OUTSIDE <--> DMZ_EXTERNAL <--> DMZ_INTERNAL <--> INSIDE (see attached for further clarification).
I would like to know if servers are generally single-homed or multi-homed in this architecture. If they are multi-homed, then I understand that I would probably NAT to the DMZ_External and create a static route on the server to get from DMZ_Internal back to the Inside network. For example, a Microsoft Lync Edge server needs two NICs: one connected to the external DMZ and one to the internal DMZ (it could also go directly on the inside network as well).
I get a bit confused if I am not attaching two NICs to a server to bridge these networks.
Should my inside network be able to "route" to both networks? Meaning, treat both DMZs equally and allow public NAT to both as well as internal routing.
Should Inside only route to the DMZ_Internal and go out to the internet to hit the NATed DMZ_External server interfaces?
Should I be using NAT from Outside to DMZ_Internal, or not even allow that scenario and only NAT Outside to DMZ_External?
Any assistance would be much appreciated. I have uploaded a picture for clarification. Thank you.
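The thread does not include a configuration, so here is an added ASA 8.3+-style sketch (not from the original post or from Cisco) of the layout described above: three 802.1q subinterfaces with ascending security levels, a public static NAT only for the outer tier, and interface ACLs so the outer tier can initiate only to its paired inner-tier host and neither DMZ tier can initiate into INSIDE. The existing OUTSIDE interface, the interface names, VLAN IDs, addresses and the 5061 port are all constructed assumptions.

```cisco
! Zones on 802.1q subinterfaces of the trunked physical interface (constructed VLANs/addresses)
interface GigabitEthernet0/1.10
 vlan 10
 nameif DMZ_EXTERNAL
 security-level 25
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ_INTERNAL
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif INSIDE
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
! Only the outer-tier host gets a public mapping (203.0.113.5 is a placeholder public IP)
object network EDGE_EXT
 host 10.10.10.5
 nat (DMZ_EXTERNAL,OUTSIDE) static 203.0.113.5
object network EDGE_INT
 host 10.10.20.5
! PAT is scoped to OUTSIDE, so INSIDE -> DMZ flows are routed with real addresses, no NAT
object network INSIDE_NET
 subnet 10.10.30.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! From the internet: only the published service on the outer tier (ACLs match real IPs post-8.3)
access-list OUTSIDE_IN extended permit tcp any object EDGE_EXT eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! Outer tier may initiate only to its paired inner-tier host (5061 is an example port), never into INSIDE
access-list DMZ_EXT_IN extended permit tcp object EDGE_EXT object EDGE_INT eq 5061
access-list DMZ_EXT_IN extended deny ip any object INSIDE_NET log
access-list DMZ_EXT_IN extended deny ip any 10.10.20.0 255.255.255.0 log
access-list DMZ_EXT_IN extended permit tcp any any eq 443
access-group DMZ_EXT_IN in interface DMZ_EXTERNAL
!
! Inner tier cannot initiate into INSIDE either; INSIDE reaches both tiers directly (100 -> lower)
access-list DMZ_INT_IN extended deny ip any object INSIDE_NET log
access-list DMZ_INT_IN extended permit tcp any any eq 443
access-group DMZ_INT_IN in interface DMZ_INTERNAL
```

With this shape a single-homed server in either tier is reachable from INSIDE by its real address because the ASA routes between its own subinterfaces, while the logged deny lines on the two DMZ ACLs are where an inward probe from a compromised DMZ host would show up.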