
Two-Tier Firewall Config

Dear All,

We want to set up a Data Center Network for core banking with all the application and database servers. For the same we are planning to design a Two-Tier firewall network architecture. First Tier firewall (Cisco PIX in failover mode) will have Web servers in DMZ as front end application server. Second Tier firewall (PIX firewall in failover mode) will have the Application and database servers in DMZ as back end servers.

Flow of data will be such that any user logging in from the internet will access web servers at the first level, get authenticated, and web servers will in turn talk to the internal application servers for any data request.

Pls find attached topology diagram.

Also provide me with the sample PIX config for the above Two-Tier firewall architecture implementation of application and database servers.

Hi,

IP Scheme is as listed below.

Lan IP = 192.168.1.0/24 - 192.168.24.0/24

Internet Firewall DMZ Network (Tier-1) = 192.168.252.0/28

Internet Firewall Internal Network (Tier-1) = 192.168.252.16/28

Intranet Firewall External Network (Tier-2) = 192.168.252.16/28

Intranet Firewall DMZ Network (Tier-2) = 192.168.252.32/28

PIX Firewall Internal Network (Tier-2) = 192.168.252.48/28

10 REPLIES

Re: Two-Tier Firewall Config

Hi .. I have a similar set up for one of our customers and so I should be able to help you out here.

I am on a training course but will work on a template config for you .. mm ... let's say give me one day.

I will get back to you !!!

Re: Two-Tier Firewall Config

Here you have a config you could use as reference. The failover part should be very simple and so I have not included it.

I hope it helps ... please rate it if it does !!


Re: Two-Tier Firewall Config

Hi,

Thanks for the assistance.

Can I get your contact details for future communication?

Regards


Re: Two-Tier Firewall Config

Public Firewall:-

1) # allows access from application database servers to Web server

access-list NAT0_inside_out permit ip host Application_server1 host Web_Private_IP

access-list NAT0_inside_out permit ip host Application_server2 host Web_Private_IP

access-list Inside1_access_out permit ip host Application_server1 host Web_Private_IP

access-list Inside1_access_out permit ip host Application_server2 host Web_Private_IP

Not clear about the above rule...

Pls clarify.

Private Firewall:-

1) access-group Inside2_access_out in interface Inside2

or it should be...

1a) access-group Inside2_access_out in interface Inside1

2) add static for your application servers if required. Packets should go out by interface DMZprivate

Pls verify the above entries from your earlier attachment.

Regards

Re: Two-Tier Firewall Config

OK ..

Public Firewall:-

1) # allows access from application database servers to Web server

access-list NAT0_inside_out permit ip host Application_server1 host Web_Private_IP

access-list NAT0_inside_out permit ip host Application_server2 host Web_Private_IP

access-list Inside1_access_out permit ip host Application_server1 host Web_Private_IP

access-list Inside1_access_out permit ip host Application_server2 host Web_Private_IP

Basically these instructions allow traffic initiated from the application servers to reach your web server. I am assuming you need communication between web server and application servers in both directions, right ..?

Private Firewall:-

1) access-group Inside2_access_out in interface Inside2

or it should be...

1a) access-group Inside2_access_out in interface Inside1

It should be Inside2. This rule allows outgoing access from your corporate network, which is located behind the interface that I have called Inside2 on the Private PIX. Inside1 is only to link the two PIXes.

2) add static for your application servers if required. Packets should go out by interface DMZprivate

My mistake, the comment should say:

1.- add static route for your web server if required. Packets should go out by interface Inside1

I hope it helps ... please rate it if it does !!!


Re: Two-Tier Firewall Config

Hi,

I would like the following entries to be clarified.

Private Firewall:-

nat (Inside1) 0 access-list Outside_access_in outside

Do we require the keyword outside at the end?

Public Firewall:-

nat (DMZpublic) 0 access-list DMZPublic_access_in outside

Do we require the keyword outside at the end?

2) access-list NAT0_inside_out permit ip host Application_server1 host Web_Private_IP ... this access-list is not bound to any interface using the access-group command.

regards


Re: Two-Tier Firewall Config

Hi,

Any Update...

Regards


Re: Two-Tier Firewall Config

Hi All,

Pls assist with the configuration validation.

Regards

Re: Two-Tier Firewall Config

Hi .. yes, the outside keyword is needed when you access from a lower-security interface (outside) to a higher-security interface (inside / dmz).

2) It is a NAT instruction, which is used below.

nat (Inside1) 0 access-list NAT0_inside_out

I hope it helps ..

I suggest you carry out the task in stages.

1.- Configure internet access to the web servers .. test that.

2.- Make sure internal users are able to browse the internet.

3.- Start working on communication between web servers and application servers. Test that.

I hope it helps ...!!!
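The binding question raised above (an access-list such as NAT0_inside_out that never appears in an access-group, but is consumed by a nat 0 statement) is easy to check mechanically before a config goes live. The following is an added example, not code from this thread: a small Python audit over a constructed PIX-style fragment that reuses the thread's ACL and object names (all addresses in it are made up), reporting ACLs that are defined but never bound or referenced, and ACLs that are referenced but never defined.

```python
"""Audit a PIX-style config fragment for access-lists that are defined but never
bound (access-group) or referenced (nat ... 0 access-list), and vice versa.
Added example, not from the thread; all names and addresses are constructed."""
import re
from collections import defaultdict

# Constructed sample config; object names are placeholders taken from the thread.
SAMPLE_CONFIG = """
access-list NAT0_inside_out permit ip host Application_server1 host Web_Private_IP
access-list Inside1_access_out permit ip host Application_server1 host Web_Private_IP
access-list Inside2_access_out permit ip 192.168.1.0 255.255.255.0 any
access-list Outside_access_in permit tcp any host Web_Private_IP eq www
nat (Inside1) 0 access-list NAT0_inside_out
access-group Inside2_access_out in interface Inside2
access-group Outside_access_in in interface outside
access-group DMZPublic_access_in in interface DMZpublic
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAT0 = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")

def audit_acls(config):
    """Return (unbound, undefined): ACLs defined but never referenced, and
    ACLs referenced by access-group or nat 0 but never defined."""
    defined = set()
    referenced = defaultdict(list)  # ACL name -> lines that reference it
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            referenced[m.group(1)].append(line)  # bound to an interface
            continue
        m = NAT0.match(line)
        if m:
            referenced[m.group(2)].append(line)  # consumed by NAT exemption
    unbound = sorted(defined - set(referenced))
    undefined = sorted(set(referenced) - defined)
    return unbound, undefined

if __name__ == "__main__":
    unbound, undefined = audit_acls(SAMPLE_CONFIG)
    print("defined but never bound or used by nat 0:", unbound)
    print("referenced but never defined:", undefined)
```

On the constructed fragment the audit reports Inside1_access_out as defined but unused and DMZPublic_access_in as bound but never defined; NAT0_inside_out is correctly counted as used through the nat 0 statement.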


Re: Two-Tier Firewall Config

Thanx..
