I have 2 Cisco PIX515E that I want to use to set up a DMZ. My network consists of a WebServer (which I want in the DMZ), a DataServer (which runs a MS SQL database that the WebServer needs to access) and a DomainController (which the WebServer also needs to access because it belongs to the domain). There are also 3-5 workstations that are on the domain. The primary issue is the security of the DataServer.
As for required ports, the WebServer needs http, https, and ftp open. All three servers need to be accessible via Terminal Services as well (therefore DataServer and DomainController need static IPs). The WebServer will also need the following ports to authenticate to the Domain Controller as per Microsoft KB179442:
UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269
Here is what I was thinking:
x.x.x.x (External IPs)
y.y.y.y (Internal IPs)
Interface outside (from Internet) x.x.x.51 255.255.255.192
Interface inside (to Firewall2) y.y.20.1 255.255.255.0
Interface dmz (to DMZ switch) y.y.30.1 255.255.255.0
Interface outside (from Firewall2) y.y.20.2 255.255.255.0
Interface inside (to inside switch) y.y.10.1 255.255.255.0
ExternalIP: x.x.x.53 / x.x.x.54
InternalIP: y.y.10.3 / y.y.10.4
So how can I set up the firewalls for the DMZ? What other issues should I be considering?
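One way to express the DMZ design above on the first PIX (outside/inside/dmz), as an added example that is not part of the original post. PIX 6.x syntax; ":" lines are comments. Assumed placeholders: WebServer at y.y.30.10 published as x.x.x.52, an admin host a.a.a.a as the only Terminal Services source, upstream gateway x.x.x.1, and UDP 88 (Kerberos, as in KB179442) where the post lists UDP 86.

```cisco
: Firewall1, PIX 6.x syntax. ASSUMED: WebServer y.y.30.10 (public x.x.x.52),
: admin host a.a.a.a, upstream gateway x.x.x.1.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside x.x.x.51 255.255.255.192
ip address inside y.y.20.1 255.255.255.0
ip address dmz y.y.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside y.y.10.0 255.255.255.0 y.y.20.2 1
names
name y.y.30.10 WebServer
name y.y.10.3 DataServer
name y.y.10.4 DomainController
: Inside hosts leave via PAT on the outside address; the DMZ host gets a one-to-one static
nat (inside) 1 y.y.10.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) x.x.x.52 WebServer netmask 255.255.255.255
: Identity static so DMZ traffic can reach inside addresses, but only where dmz_in allows it
static (inside,dmz) y.y.10.0 y.y.10.0 netmask 255.255.255.0
: Internet -> WebServer only on the published services; Terminal Services only from the admin host
access-list outside_in permit tcp any host x.x.x.52 eq www
access-list outside_in permit tcp any host x.x.x.52 eq https
access-list outside_in permit tcp any host x.x.x.52 eq ftp
access-list outside_in permit tcp host a.a.a.a host x.x.x.52 eq 3389
access-group outside_in in interface outside
: Domain ports from KB179442 (UDP 88 = Kerberos)
object-group service AD_TCP tcp
  port-object eq 53
  port-object eq 88
  port-object eq 135
  port-object eq 389
  port-object eq 445
  port-object eq 636
  port-object eq 3268
  port-object eq 3269
object-group service AD_UDP udp
  port-object eq 53
  port-object eq 88
  port-object eq 389
: WebServer -> DataServer on SQL only, WebServer -> DomainController on the AD ports,
: nothing else originates from the DMZ (the deny is explicit so it shows up in hit counts)
access-list dmz_in permit tcp host WebServer host DataServer eq 1433
access-list dmz_in permit tcp host WebServer host DomainController object-group AD_TCP
access-list dmz_in permit udp host WebServer host DomainController object-group AD_UDP
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The second PIX (y.y.20.2 / y.y.10.1) needs a matching ACL on its outside interface so the same two flows are the only ones admitted to y.y.10.0/24, and the posted port list omits the dynamic RPC ports that follow TCP 135, which the KB article also covers.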