Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMZ design questions.


I have been tasked with redesigning our DMZ environment. Presently we have Pix 515e's in f/o bundle, which has inside, outside, and dmz interfaces.

Due to security requirements we now have a need to create a multi-layer firewall architecture (2 ASA's and 2 Nokia's). Given that can anyone please point me to any relevant documents or give me pointers as to best practice design.

Specifically my questions are as follows:

1. where will the DMZ interface be? Off the outside or inside set of firewalls or should it be sandwiched between the 2 sets (outside interface of inside f/w and inside interface of outside f/w)?

2. Which interface should the VPN concentrator be on (the VPN is part of the ASA appliance).

3. Which of the firewall set (Nokia or ASA) should be outside or does it matter?

Thank you for your help!




Re: DMZ design questions.


First off decide whether your going to NAT twice through the firwalls or not. Natting twice works ok but you'll hit a lot of hangups on different protocols especially non mainstream protocols. I usually try to only NAT once to avoid as much headache as double natting can cause.

DMZ's can be designed a number of ways. First off since it sounds like your required to do a double layer of firewalls you can put your DMZ between the to networks, or put the DMZ off a different interface of the first firwall set or the second firewall set.

By haveing the DMZ hanging off the second set of FW's you'll gain the inspection of two different FW's for all traffic going to the DMZ's.

Are you going to be running Checkpoint on the Nokia if so put that on the outside its logging is better than the ASA and rule creation can be much easier when dealing with unknown applications/traffic.

These are just a couple of things for you to think about and we could go on and on and on.


New Member

Re: DMZ design questions.

As Patrick said in the preceeding email, we could go on and on...

May I suggest also to take a look to these url's on the design of a security perimeter and best practices blue print.

Just as a reminder: "keep it simple"



New Member

Re: DMZ design questions.


Thank you both for some very helpful information and links. I agree that the key here is to keep it simple.

Regarding the DMZ placement I was thinking of having it off of an interface of the outside set which would allow me to use my first set to control access to the DMZ and the second set to control access from the DMZ to the internal network.

I have to weigh both those options carefully since if I were to have the DMZ off the first set then I will need to have the ASA's in the front as it will allow me to use the built-in IPS capability of the ASA's on the DMZ.

Thanks you


CreatePlease login to create content