Placement of Access Gateway Servers: in DMZ or Behind internal router?

insccisco · ‎03-12-2008

Hey guys,

I have an ISP which ethernets to my 525. From 525 I go to a WAN switch and from there to the internal L3 device. In this L3 is where I have all my internal VLANs.

My question is, where is the proper placement for 2 Access Gateway Servers? In the WAN switch (placing them in same VLAN with outside interface of the 525) or behind the internal router on its VLAN?

What is the most recommended method?

My network devices are just those: 525 pix, 1 2950 wan switch and a L3 internal switch doing all the internal VLANs

thanks in advance

Jon Marshall · ‎03-13-2008

Hi

It really depends on how is using the access gateways and how secure you can make them. If these gateways are accessible over the Internet then i would recommmend hanging them off the pix firewall in a DMZ rather than on your internal network.

Jon

insccisco · ‎03-13-2008

I see, great input. My 525 has enough physical ports so you're so right... I can just use one and DMZ it for the 2 access gateways....

Another question though, will this produce any performance hits to the 525?

Jon Marshall · ‎03-14-2008

A pix 525 is one the high end Pix firewalls. What is the average cpu running at at the moment.

It's difficult to say without knowing your topology but usually the limiting factor is the Internet pipe size not the firewall itself so i would think you will be okay, but obviously you are putting more traffic through your firewall.

Jon