Cisco ASA 5510 Dual Setup Front-End and Back-End DMZ?

Hi,

I was going to set up my two ASA 5510's in an active/standby mode, but after reading I figured I'd look more into the setup of using a dual setup as follows. Firewall 1 just after the ISP router to filter traffic. Traffic is either denied or only granted access to the DMZ. Firewall 2 would then filter traffic to the internal network. Only specific traffic from the DMZ would be allowed to the internal network or it would be dropped. No traffic from firewall 1 would be allowed direct access to the internal network.

Does anyone know of a guide to setup Cisco ASA 5510 firewalls in a front-end and back-end environment? I can't find a resource and think my terminology may be wrong.

Asked by: First Last
Justin Ellenbecker (IT Director) commented:
Here are some articles to read over and hopefully help make sense of what I say below.

http://www.computing.co.uk/vnunet/news/2126198/bugwatch-dual-firewall-approach
http://fengnet.com/book/FirewallFundamentals/ch09lev1sec3.html
http://www.firewall.cx/firewall_topologies.php

Come from your router into an ASA, then go out to a switch from the DMZ port, and from the internal port to another switch or directly to the other ASA's external. The DMZ switch is plugged into the other ASA, whose DMZ has a different IP in the same range. And finally your inside ASA has an internal address for your network. With this, outbound may be double NATted depending on how you set up the ASA for security, and all traffic from the DMZ never comes in where your other traffic goes out.
First Last (Author) commented:
StrifeJester:

Do you have anything relating specifically to the Cisco ASA 5510? These links are a good overview of the topic, but nothing specific to the ASA 5510 setup and configuration?
Justin Ellenbecker (IT Director) commented:
There is no special setup required; all you really have to do is make sure the DMZs are on the same network. No vendor has anything special for a multi-legged system. Basically you set up your first ASA like it's the only one, then you set up the second one with the internal from the first going to its external. The DMZs should be the same network. On the interior one you disable NAT and make sure you have the proper routes in the internet-facing one. We do it with dual ASAs and Checkpoint. I will look a little more, but again the setup is not going to be anything special; there are plenty of guides on Cisco's website though if you are looking at even just how to get the first one set up.
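The following is an added configuration sketch of the two-firewall layout the answer above describes; it is not from the thread or from Cisco. Hostnames, interface assignments and every address are invented, the DMZ subnet is shared by both ASAs as the answer recommends, and the NAT commands assume the pre-8.3 ASA syntax (8.3 and later use object NAT instead). The front-end ASA admits only web traffic to one DMZ host and blocks the DMZ from reaching the inside link; the back-end ASA does no translation and permits only a single DMZ-to-internal flow.

```cisco
! ===== FW1 (front-end, connected to the ISP router) =====
hostname FW1-FRONT
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
! Default route to the ISP; the internal network is reached through FW2's outside address
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.255.0.0 10.10.10.2 1
!
! Publish the DMZ web server on a public address (static NAT, 8.2 syntax)
static (dmz,outside) 203.0.113.3 192.168.50.10 netmask 255.255.255.255
! Internal hosts (untranslated by FW2) leave through FW1's outside address
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
!
! Internet may only reach the DMZ web server, and only on 80/443 (pre-8.3 ACLs match the mapped address)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The DMZ may never initiate toward the inside link or the internal network through FW1
access-list DMZ_OUT extended deny ip any 10.10.10.0 255.255.255.252 log
access-list DMZ_OUT extended deny ip any 10.0.0.0 255.255.0.0 log
access-list DMZ_OUT extended permit tcp any any eq 80
access-list DMZ_OUT extended permit tcp any any eq 443
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz

! ===== FW2 (back-end, its outside is FW1's inside) =====
hostname FW2-BACK
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.2 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
! No translation on the interior firewall (identity NAT), as the answer suggests
nat (inside) 0 0.0.0.0 0.0.0.0
!
! Only the DMZ web server may reach the internal database host, only on its service port
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 10.0.0.20 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Nothing arriving from the front-end link may start a session inward; replies to inside-initiated sessions are still allowed statefully
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two details follow from sharing one DMZ subnet: the DMZ server's default gateway is FW1's DMZ address (192.168.50.1) for Internet replies, and it needs a static route for 10.0.0.0/16 pointing at FW2's DMZ address (192.168.50.2); since FW2 does not translate, FW1 sees real internal addresses on the 10.10.10.0/30 link, which is why FW1's NAT and inside route cover the whole 10.0.0.0/16 range.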
First Last (Author) commented:
The second link provided was really helpful: http://fengnet.com/book/FirewallFundamentals/ch09lev1sec3.html

Also, StrifeJester's final comment was helpful.