DMZ redundancy

Eildor (Senior Member, Posts: 444)
How do you achieve DMZ redundancy if you have dual routers to multiple ISPs? Where would you place the DMZ?

I imagine you could stick the DMZ on either of the routers, configure a L3 link between them and let your routing protocol route between them. Configure the ACLs/policies outbound on those interfaces.

I guess another way would be to place the DMZ in between the two routers.

Obviously you're going to need to configure BGP (I think I've managed to get that bit done).

What's the best way to implement DMZ security anyway? Zone Based Firewall? How complicated would that be for someone who has never configured a firewall before?



  • f0rgiv3n (Connection Overlord, Posts: 598)
    What I've normally seen is one DMZ and two routers/firewalls. These can be redundant in quite a few different ways: HSRP, GLBP, VRRP or clustering (firewalls typically do this). Off the top of my head I can't think of any other method. You don't want to have two DMZs because that would just be confusing, having two subnets with two routers/firewalls and two different sets of rules. There might be other reasons for having two DMZs, but not for the sole purpose of redundancy.

    DMZ security can be implemented a couple of ways. One is to use NAT and a private IP range, and two is to just use straight up public IP addresses. Personally, I like keeping it all public IPs for simplicity's sake. As far as actual firewall rules... You'll either need a router with zone based firewall on it, or an actual firewall (like a Cisco ASA). You have two sets of rules: DMZ <-> Outside, DMZ <-> Inside.

    If it were me, I would get two ASAs, configure them in a cluster and create one DMZ. Hopefully this helps! Let me know if you have any other questions!

    Here's what my mind spilled out on paper:
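    One concrete way to build the "one DMZ, two routers" design described above is HSRP on the shared DMZ segment with uplink tracking, so the DMZ hosts keep a single default gateway whichever router still has a working ISP link. This is an added example, not the poster's diagram: the addresses (203.0.113.0/28 documentation range, 10.255.0.0/30 for the inter-router link), interface names and HSRP group number are assumptions.

```cisco
! ---- R1 (preferred DMZ gateway; ISP1 uplink on Fa0/1) ----
! Track the ISP uplink so R1 gives up the virtual IP when its WAN side fails
track 10 interface FastEthernet0/1 line-protocol
!
interface FastEthernet1/0
 description DMZ segment (shared switch with R2)
 ip address 203.0.113.2 255.255.255.240
 zone-member security DMZ
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! L3 link between the routers. ZBF drops traffic between a zoned and a
! non-zoned interface, so if this link is to carry traffic into the DMZ or
! inside zones it also needs a zone-member line and a matching zone-pair.
interface FastEthernet1/1
 description L3 link to R2
 ip address 10.255.0.1 255.255.255.252
!
! ---- R2 (standby DMZ gateway; ISP2 uplink on Fa0/1) ----
track 10 interface FastEthernet0/1 line-protocol
!
interface FastEthernet1/0
 description DMZ segment (shared switch with R1)
 ip address 203.0.113.3 255.255.255.240
 zone-member security DMZ
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 10 decrement 20
!
interface FastEthernet1/1
 description L3 link to R1
 ip address 10.255.0.2 255.255.255.252
```

    DMZ hosts use 203.0.113.1 as their gateway; when R1's uplink goes down its priority drops to 90 and R2 takes over. Because zone-based firewall state lives on each router separately, keep the HSRP preference aligned with whichever router normally receives inbound traffic from the internet, otherwise a session inspected on one router returns through the other, where no session exists, and is dropped.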
  • Eildor (Senior Member, Posts: 444)
    Ah man, I seriously need to learn some security!

    I'm under pressure to get this university project finished; so much to do, so little time. I still need to configure site-to-site VPNs, which seems to be over 9000 commands.

    How about this.... stick a switch on one of the routers and call that the DMZ. Implement zone based policies on the router. Have an L3 link between routers, so if the other ISP goes down traffic can still get to devices within the DMZ.

    Anything wrong with that?
  • Eildor (Senior Member, Posts: 444)
    Here is what I want to configure:

    1) Inside users should be able to access internet
    2) Outside users should be able to access the DMZ

    I've never done this before so I apologise right now if what I've done is incorrect. I'm looking for some feedback on whether the configuration is valid or not.

    ! Zones have to exist before an interface can be made a member of them
    zone security TRUSTED
    zone security INTERNET
    zone security DMZ
    !
    interface FastEthernet0/0
     ! This is the interface connecting to the inside network
     zone-member security TRUSTED
    !
    interface FastEthernet0/1
     ! This is the interface connecting to the internet
     zone-member security INTERNET
    !
    interface FastEthernet1/0
     ! This is the interface connecting to the DMZ
     zone-member security DMZ
    !
    class-map type inspect match-any INTERNET_TO_DMZ
     match protocol http
     match protocol https
     match protocol dns
    class-map type inspect match-any TRUSTED_TO_INTERNET
     match protocol icmp
     match protocol tcp
     match protocol udp
    !
    ! Each class needs an explicit action; a class with no action is dropped
    policy-map type inspect INTERNET_TO_DMZ
     class type inspect INTERNET_TO_DMZ
      inspect
     class class-default
      drop
    policy-map type inspect TRUSTED_TO_INTERNET
     class type inspect TRUSTED_TO_INTERNET
      inspect
     class class-default
      drop
    !
    zone-pair security TRUSTED_TO_INTERNET source TRUSTED destination INTERNET
     service-policy type inspect TRUSTED_TO_INTERNET
    zone-pair security INTERNET_TO_DMZ source INTERNET destination DMZ
     service-policy type inspect INTERNET_TO_DMZ

    Thank you.
  • networker050184 (Went to the dark side...., Mod, Posts: 11,962)
    What happens when you test it out? Does it work? If not what isn't working?
  • xXErebuS (Senior Member, Posts: 230)
    I would recommend purchasing a stateful firewall and using an external switch, so ISP1 to switch, ISP2 to switch, switch to firewall, and then the DMZs are on the firewall.
  • Eildor (Senior Member, Posts: 444)
    I'm testing it out as we speak. It seems I can access HTTP, HTTPS and DNS from the internet to the DMZ... so looks like that part is ok.

    Edit: So far so good. But how do I verify inside traffic to the DMZ is being dropped? I guess since there is no pair it won't show up when I enter the show policy-map type inspect zone-pair command... but the pings seem to be dropped as desired.
  • xXErebuS (Senior Member, Posts: 230)
    If they are members of different zones (which it appears they are), then the default action is to block; only members of the same zone, interfaces not in any zone, and the self zone are permitted by default.
  • Eildor (Senior Member, Posts: 444)
    I thought so, but I was wondering whether there were any counters for blocked traffic. Doesn't make a difference either way though, the traffic is being blocked. Cheers.
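    To get the counter asked about above for inside-to-DMZ traffic, one approach (an added example, not from the thread) is to make the TRUSTED to DMZ zone-pair explicit and have its class-default drop with logging, so the implicit silent drop becomes a counted, syslogged one. The SSH management class is an assumption for a typical deployment; remove it if nothing from inside should reach the DMZ.

```cisco
! Optional: allow management from inside to the DMZ hosts. Delete this
! class-map and its class line in the policy-map if inside should have
! no access to the DMZ at all (assumed requirement, not from the thread).
class-map type inspect match-any TRUSTED_TO_DMZ_MGMT
 match protocol ssh
!
policy-map type inspect TRUSTED_TO_DMZ
 class type inspect TRUSTED_TO_DMZ_MGMT
  inspect
 class class-default
  ! "drop log" increments the zone-pair drop counter and emits a
  ! %FW-6-DROP_PKT syslog per dropped packet, which the implicit drop
  ! that applies when no zone-pair exists does not do
  drop log
!
zone-pair security TRUSTED_TO_DMZ source TRUSTED destination DMZ
 service-policy type inspect TRUSTED_TO_DMZ
!
! Verification (the pings from inside now show up here as drops):
! show policy-map type inspect zone-pair TRUSTED_TO_DMZ
! show logging | include FW-6-DROP_PKT
```

    Dropped-packet logging is per packet, so on a busy segment the syslog volume can be high; the counter in show policy-map type inspect zone-pair is the cheap way to confirm the policy is doing what you expect.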