Cisco - DMZ

[Jay_2]

I have been asked to setup a new Cisco router / firewall / switch for a baic remote office but with a DMZ

The request is to buildit like this

ISPs Router
|
|
Firewall (5510)
|
|
1941 router
|
|
VLAN 20 Data, VLAN 30 Phones, VLAN 40 Guest Wifi, VLAN 50 DMZ
|
|
2960G Switch

This is fine with me if thats how they want it as ACLs etc make it pretty simple to create a DMZ

But would it not be better to do it this way?

ISP Router
|
|
5510
|
|
DMZ Switch
|
|
1941 Router
|
|
2960G

 

[Fint]

Usually, you want your DMZ to terminate its Layer3 interface at the firewall, especially if you have a nice stateful firewall like an ASA. I'd have the DMZ hanging off an DMZ interface on the firewall, and all of your other VLANs on a different interface; you may not even need the 1941 router, as the ASA will gladly route packets between the VLANs.

 

[Jay_2]

I will take a look. I dont think they actually want a DMZ as such they want to firewall it and port forward as you would normally but they just want to stop that VLAN accessing the other VLANs but allow the other VLANs to access it.

 

[/usr/home]

You should be able to do all of that easily with the ASA without needing the 1941.

 

[Jay_2]

They are in the mind that a firewall is for firewalling, a router is for routing and unless its L3 a switch is for switching

 

[Fint]

"they want to firewall it and port forward as you would normally but they want to stop that VLAN accessing the other VLANs but allow the other VLANs to access" = textbook definition of a DMZ

 

[Jay_2]

not really, a DMZ is not normally firewalled is it?

 

[squishy]

It most certainly is.