Cisco Support Community

New Member

Firewall, DMZ, and web publishing


We intend to use a PIX firewall 515R and move our web servers in house. The database server will be internal. We also have a mail server in house. Given this, how should I configure my firewall (multiple NICs?). I have been suggested a switch to configure VLANs. We also have a Win2k VPN server. Any documentation on the benefits of one configuration versus another? Thanks a lot


New Member

Re: Firewall, DMZ, and web publishing

I would suggest a minimum of 3 NICs. Inside, Outside and DMZ for the Web servers. You should never have rules that allow outside to inside access. You could even go a step further and have a 4th NIC for the database, but a lot of that depends on how you plan to update your database server.
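To make the three-interface layout above concrete, here is an added PIX 6.x configuration fragment (not from the poster or from Cisco documentation). It assumes example addresses (203.0.113.0/24 outside, 10.0.0.0/24 inside, 192.168.100.0/24 DMZ), a web server at 192.168.100.10 published as 203.0.113.10, a database server at 10.0.0.20, and an assumed database port of 1433; the point is that the outside interface can only reach the DMZ web ports, and the DMZ can only reach the single database host on its one port, so no rule ever opens outside to inside.

```cisco
: Three interfaces with distinct security levels: outside lowest, DMZ in between, inside highest
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
: Inside and DMZ hosts leave via PAT on the outside interface (example addresses)
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Publish only the DMZ web server; nothing inside is ever made reachable from outside
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside
: DMZ to inside: expose the database host to the DMZ at its real address (no translation),
: then allow only the web server to reach it on the assumed database port 1433
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.100.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The explicit `deny ip any any` lines duplicate the PIX implicit deny, but they make the intent visible in `show access-list` hit counts when reviewing the policy.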


New Member

Re: Firewall, DMZ, and web publishing

You can use both. VLANs on the switch and route between the VLANs with what looks like 3 ports on a PIX firewall. That way you create a layer separated architecture. A special note that it is more secure this way but your FW administration tasks will keep you up late at night.

New Member

Re: Firewall, DMZ, and web publishing

It is considered a bad idea to use a single switch with VLANs for multiple PIX ports. You created a physical link between multiple networks and rely on layer 2 security between them. Generally, these switches are configured with an IP address for management purposes, which adds to the list of vulnerabilities.

My recommendation would be to use 3 separate switches. The switches on the external and DMZ networks should be configured without any management enabled (telnet, ssh, snmp, etc).
