Tiered DMZ Design Question

I am working on taking our ASA5510 into the 21st century and putting a two-tiered DMZ into place. I just wanted some advice on how a tiered DMZ is typically configured and used. To start off, we are 100% virtualized, so this will all be done with sub-interfaces and 802.1q trunks on our inside physical interface.

I have laid it out like this: OUTSIDE <--> DMZ_EXTERNAL <--> DMZ_INTERNAL <--> INSIDE (see attached for further clarification).

I would like to know if servers are generally single-homed or multi-homed in this architecture. If they are multi-homed, then I understand that I would probably NAT to the DMZ_External and create a static route on the server to get from DMZ_Internal back to the Inside network. For example, a Microsoft Lync Edge server needs two NICs: one connected to the external DMZ and one to the internal DMZ (it could also go directly on the inside network as well).

I get a bit confused if I am not attaching two NICs to a server to bridge these networks.

  • Should my inside network be able to "route" to both networks? Meaning, treat both DMZs equally and allow public NAT to both as well as internal routing.
  • Should Inside only route to the DMZ_Internal and go out to the internet to hit the NATed DMZ_External server interfaces?
  • Should I be using NAT from Outside to DMZ_Internal, or not even allow that scenario and only NAT Outside to DMZ_External?

Any assistance would be much appreciated.  I have uploaded a picture for clarification.  Thank you.
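The layout described in the post, written out as an ASA configuration skeleton (8.3+ NAT syntax). This is an added example, not the poster's configuration and not anything from Cisco: the physical interfaces, VLAN IDs, addresses, object names and ports are all assumed for illustration. It shows one common way to settle the three bullets: the Internet is NATed only to DMZ_EXTERNAL, INSIDE reaches both DMZ tiers by direct routing on the ASA (no NAT, no static routes), and DMZ_EXTERNAL hosts may initiate only one application port toward DMZ_INTERNAL and nothing toward INSIDE.

```cisco
! Added example, not the poster's config. Ethernet0/1 carries the 802.1q trunk
! to the virtual switch; the three zones are sub-interfaces on it. OUTSIDE is a
! routed physical interface. VLAN IDs and addresses are assumed.
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif DMZ_EXTERNAL
 security-level 25
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif DMZ_INTERNAL
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Hosts (assumed): a reverse proxy in DMZ_EXTERNAL, an application server in
! DMZ_INTERNAL, and the ranges DMZ_EXTERNAL must never initiate sessions to.
object network RPROXY
 host 172.16.10.10
 nat (DMZ_EXTERNAL,OUTSIDE) static 203.0.113.10
object network APP_SERVER
 host 172.16.20.10
object network DMZ_INTERNAL_NET
 subnet 172.16.20.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
object-group network PROTECTED_NETS
 network-object object DMZ_INTERNAL_NET
 network-object object INSIDE_NET
!
! Bullet 3: publish only DMZ_EXTERNAL hosts. There is deliberately no
! nat (DMZ_INTERNAL,OUTSIDE) rule, so nothing on the Internet can address
! a DMZ_INTERNAL server at all.
access-list OUTSIDE_IN extended permit tcp any object RPROXY eq https
access-group OUTSIDE_IN in interface OUTSIDE
!
! DMZ_EXTERNAL (25) -> DMZ_INTERNAL (50) is low-to-high, so it needs an
! explicit permit. Allow the one application port, block every other
! protected address, then let the tier reach the Internet (updates, DNS).
access-list DMZ_EXT_IN extended permit tcp object RPROXY object APP_SERVER eq 8443
access-list DMZ_EXT_IN extended deny ip any object-group PROTECTED_NETS
access-list DMZ_EXT_IN extended permit ip any any
access-group DMZ_EXT_IN in interface DMZ_EXTERNAL
!
! DMZ_INTERNAL may reach DMZ_EXTERNAL (high-to-low is allowed by default)
! but must not initiate sessions into INSIDE.
access-list DMZ_INT_IN extended deny ip any object INSIDE_NET
access-list DMZ_INT_IN extended permit ip any any
access-group DMZ_INT_IN in interface DMZ_INTERNAL
!
! Bullets 1 and 2: INSIDE (100) is the highest level and has no inbound ACL,
! so it reaches both tiers directly on their real 172.16.x addresses. All
! three networks are connected to the ASA, so no NAT or static route is
! needed; only the nat (INSIDE,OUTSIDE) rule above touches Internet traffic.
```

Two caveats a practitioner would check. First, a dual-homed host such as the Lync Edge server described in the post bridges the tiers in software: give only its DMZ_EXTERNAL NIC a default gateway, add a host static route for 10.0.0.0/24 via 172.16.20.1 (assumed addresses) on the DMZ_INTERNAL NIC, and rely on the host firewall, because the ASA no longer sees traffic that crosses the server. Second, once an access-group is applied to an interface, its implicit deny replaces the security-level default for that interface, which is why DMZ_EXT_IN and DMZ_INT_IN end with an explicit permit for outbound traffic.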
