A DMZ requires a 3rd ethernet port if you want to do it on the same device. The 501 and 506 have an inside and an outside - that's it. The 515R is the first level to support 3 IFs on the same device. Now I suppose you could use two 501's or two 506's and have one do the internal and one do the DMZ but that would create more headache in creating extra ACLs and such. It is technically possible though. A DMZ by definition is a semi-public network that is separate from your internal LAN.
I am interested in something similar. I have Microsoft ISA server, and was going to use that as the internal firewall, and have the 501 as the external. The 501 would also have a public webserver attached to its switch. The only traffic allowed in would be http and smtp, both of which would be directed to the ISA server. The ISA server would not allow anything in except a mail relay to an internal server. That would essentially provide the DMZ capability I would need, would it not? I only have 1 IP, so I need to NAT my DMZ server anyway (which is what I am doing now with ISA). I believe this would give me better protection.
Also, can you see any problems setting up a VPN connection originating at the internet, to an internal VPN server? Could I set up a tunnel between the internal server and the 501? Then I would authenticate at the 501 and have a path to the inside? Am I on the right track here?
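As an added illustration of the two-firewall layout described in the post above (this is example configuration, not anything posted in the thread), here is what the PIX 501 side could look like in PIX 6.x syntax with a single public address. The inside network 192.168.1.0/24, the ISA external interface 192.168.1.3 and the web server 192.168.1.2 are assumed values.

```cisco
! Assumed example: PIX 501 as the outer firewall, PIX 6.x syntax.
! The 501 has only two interfaces, so the web server and the ISA
! external interface both sit on the inside switch segment; the PIX
! itself does not separate them (see the first reply above).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT: everything on the inside shares the one public address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Port redirection: only http and smtp arriving on the public address
! are forwarded, and only to the ISA external interface (192.168.1.3).
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255

! Inbound ACL: permit just those two services; everything else from the
! Internet is denied by the implicit deny at the end of the list.
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside

! Log denied inbound attempts so probes against other ports are visible.
logging on
logging trap informational
logging host inside 192.168.1.3
```

With this in place the ISA server is the only host reachable from outside, and it still has to publish or relay the two services itself; a rule set on the ISA that allows only the mail relay inward, as the post describes, is what keeps the rest of the internal LAN out of reach.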