My boss has given me the task of researching how to set up a DMZ to put our Exchange and Lync edge servers on. I am relatively new to Cisco IOS, so I am unsure of how this will all work, but we just came up with an idea to make this easier on us all. Currently we have a Cisco 1921 as our router. We are looking to add in an 891 as our DMZ router.
Our idea is to have one cable going from our cable modem to our 1921 like it is now. This will be for basic internet traffic and for easy VPN access for our remote users. We will have a second cable going from the modem to our 891 and have the 891 set up to use a different public IP from the 1921. We will then have the edge servers off the 891's switch interface and the fastethernet interface on the 891 will have a cable connecting it to the 1921.
I am wondering if this is a legit setup for a DMZ? It seems a little funky to me since there are the 2 separate internet connections with 2 different public IPs coming in. I am also wondering how we will go about routing SMTP and Lync traffic from the DMZ to the inside. I have a good understanding of how to do these things with one router and no DMZ, but this setup is throwing me off.
Let's use SMTP as an example. Will something like this work?
where 10.10.10.3 is the Exchange edge and 192.168.1.186 is the Exchange server and gigabitethernet0/0 is the interface on the 1921 that the 891 connects to.
Our original plan for the topology was to have a single internet connection coming in and going to the 891 then on to the 1921. This seems to me like it will complicate things like our OWA or our VPN. I am interested to know if this 2 internet connection setup is stupid and if I have the right idea for how to actually route this traffic.