I have been tasked with redesigning our DMZ environment. Presently we have PIX 515Es in an f/o bundle, which has inside, outside, and DMZ interfaces.
Due to security requirements we now have a need to create a multi-layer firewall architecture (2 ASAs and 2 Nokias). Given that, can anyone please point me to any relevant documents or give me pointers as to best practice design?
Specifically my questions are as follows:
1. Where will the DMZ interface be? Off the outside or inside set of firewalls, or should it be sandwiched between the two sets (outside interface of the inside f/w and inside interface of the outside f/w)?
2. Which interface should the VPN concentrator be on? (The VPN is part of the ASA appliance.)
3. Which of the firewall sets (Nokia or ASA) should be outside, or does it matter?
First off, decide whether you're going to NAT twice through the firewalls or not. NATing twice works OK, but you'll hit a lot of hangups on different protocols, especially non-mainstream protocols. I usually try to only NAT once to avoid as much of the headache that double NATing can cause.
DMZs can be designed a number of ways. First off, since it sounds like you're required to do a double layer of firewalls, you can put your DMZ between the two networks, or put the DMZ off a different interface of the first firewall set or the second firewall set.
By having the DMZ hanging off the second set of FWs you'll gain the inspection of two different FWs for all traffic going to the DMZs.
Are you going to be running Checkpoint on the Nokia? If so, put that on the outside; its logging is better than the ASA's, and rule creation can be much easier when dealing with unknown applications/traffic.
These are just a couple of things for you to think about and we could go on and on and on.
Thank you both for some very helpful information and links. I agree that the key here is to keep it simple.
Regarding the DMZ placement, I was thinking of having it off an interface of the outside set, which would allow me to use my first set to control access to the DMZ and the second set to control access from the DMZ to the internal network.
I have to weigh both those options carefully, since if I were to have the DMZ off the first set then I would need to have the ASAs in the front, as that would allow me to use the built-in IPS capability of the ASAs on the DMZ.
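As an added sketch (not configuration from this thread or from any poster) of the "NAT once" advice in the first reply combined with the DMZ-off-the-outer-set layout described above, here is what the outer ASA could look like in ASA 8.3+ object-NAT syntax. All addresses, interface names and the port numbers are constructed for the example; the inner firewall pair is assumed to sit behind a transit link on the outer ASA's inside interface and to filter DMZ-to-internal traffic a second time without any further NAT.

```cisco
! Outer ASA of the pair (hypothetical example, all addresses constructed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Transit link towards the inner firewall pair, which fronts 10.0.0.0/8
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.252
!
route inside 10.0.0.0 255.0.0.0 192.0.2.2
!
! The only NAT in the whole path: publish the DMZ web host on a public address.
! Nothing else is translated, so the inner firewalls and their logs see the
! real 172.16.10.0/24 addresses when DMZ hosts talk to the internal network.
object network dmz-web
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
!
! Internet may reach the published web host on 443 only (implicit deny after)
access-list outside_in extended permit tcp any object dmz-web eq 443
access-group outside_in in interface outside
!
! DMZ-originated traffic: the web host may reach an internal database port
! (1433 here is a constructed example); everything else from the DMZ towards
! 10.0.0.0/8 is denied here and filtered again by the inner pair.
access-list dmz_in extended permit tcp host 172.16.10.10 10.0.0.0 255.0.0.0 eq 1433
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
access-group dmz_in in interface dmz
```

Because the inner firewalls are the second inspection point, their rule base should repeat the DMZ-to-internal restrictions rather than trust the outer pair, which is the whole point of the two-layer requirement.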