
Cisco ASA 5510 Dual Setup Front-End and Back-End DMZ?

Hi,

I was going to set up my two ASA 5510's in an active/standby mode, but after reading I figured I'd look more into the setup of using a dual setup as follows. Firewall 1 just after the ISP router to filter traffic. Traffic is either denied or only granted access to the DMZ. Firewall 2 would then filter traffic to the internal network. Only specific traffic from the DMZ would be allowed to the internal network or it would be dropped. No traffic from firewall 1 would be allowed direct access to the internal network.

Does anyone know of a guide to set up Cisco ASA 5510 firewalls in a front-end and back-end environment? I can't find a resource and think my terminology may be wrong.

Asked by: First Last

2 Solutions

Justin Ellenbecker (IT Director) commented:
Here are some articles to read over and hopefully help make sense of what I say below.

http://www.computing.co.uk/vnunet/news/2126198/bugwatch-dual-firewall-approach
http://fengnet.com/book/FirewallFundamentals/ch09lev1sec3.html
http://www.firewall.cx/firewall_topologies.php

Come from your router into an ASA, then go out to a switch from the DMZ port, and from the internal port to another switch or directly to the other ASA's external. The DMZ switch is plugged into the other ASA, whose DMZ has a different IP in the same range. And finally your inside ASA has an internal address for your network. With this, outbound may be double NATed depending on how you set up the ASA for security, and all traffic from the DMZ never comes in where your other traffic goes out.

First Last (Author) commented:
StrifeJester:

Do you have anything relating specifically to the Cisco ASA 5510? These links are a good overview of the topic, but nothing specific to the ASA 5510 setup and configuration?

Justin Ellenbecker (IT Director) commented:
There is no special setup required; all you really have to do is make sure the DMZs are on the same network. No vendor has anything special for a multi-legged system. Basically you set up your first ASA like it's the only one, then you set up the second one with the internal from the first going to its external. The DMZs should be the same network. On the interior one you disable NAT and make sure you have the proper routes in the Internet-facing one. We do it with dual ASAs and Checkpoint. I will look a little more, but again the setup is not going to be anything special; there are plenty of guides on Cisco's website though if you are looking at even just how to get the first one set up.

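A minimal configuration for the two-ASA layout described in the answer above, added here as an illustration; it is not from the original thread or from Cisco's documentation. It assumes ASA 8.3+ object NAT syntax, constructed example addresses (203.0.113.0/29 public, 192.0.2.0/24 DMZ, 10.1.1.0/30 transit link between the ASAs, 10.10.0.0/16 internal), and a DMZ web server that needs only one database port to one internal host.

```cisco
! ---- ASA-1: front-end, Internet-facing (all addresses are constructed examples) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
! "inside" here is only the point-to-point link to ASA-2; the LAN is routed behind it
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.10.0.0 255.255.0.0 10.1.1.2
! Publish the web server into the DMZ; internal egress is PATed behind the outside address
object network DMZ-WEB
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.3
object network INTERNAL-LAN
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
! Inbound from the Internet terminates in the DMZ only; nothing is permitted toward inside
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! ---- ASA-2: back-end, between the DMZ and the internal network (no NAT configured) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252
! Second address on the same DMZ network as ASA-1's dmz interface
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.2 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.1.1.1
! Only the web server may open the database port to one internal host; all else from the DMZ is dropped
access-list DMZ-IN extended permit tcp host 192.0.2.10 host 10.10.5.20 eq 1433
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
! No ACL on outside: at security-level 0 only return traffic of inside-initiated sessions passes
```

DMZ hosts keep ASA-1 (192.0.2.1) as their default gateway and need a static route for 10.10.0.0/16 via 192.0.2.2; without it, traffic for the internal network is sent to ASA-1 and dropped there.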
First Last (Author) commented:
The second link provided was really helpful: http://fengnet.com/book/FirewallFundamentals/ch09lev1sec3.html

Also, StrifeJester's final comment was helpful.
Question has a verified solution.
