DMZ Setup with two firewalls - Traffic from DMZ to LAN and LAN to DMZ

I am setting up a network with machines that need to be accessible from the internet. I'm planning on putting these in a DMZ. Some of the machines in the DMZ need access to machines on the private network and machines on the private network need access to machines in the DMZ.

I have read that the most secure implementation is one with two firewalls. The two firewalls that I am planning on using are both CISCO ASA 5500.

Although I am interested in how I can implement this with those specific devices, I am also interested in the theoretical side because I am creating documentation for customers of our company on how to set this up. Instructions specific to the devices I'm using help, but I also want to know how to solve this generically.

I have three specific machines:

  • DMZ_Web
  • DMZ_Service
  • INT_SRV

As their names describe, DMZ_Web and DMZ_Service are in the DMZ and INT_SRV is the internal server.

I also have two firewalls:

  • FW1
  • FW2

In short:

  • Ext Clients need access to DMZ_Web on port 443
  • Ext Clients need access to DMZ_Service on port 3030
  • DMZ_Web needs access to INT_SRV on port 2020
  • In Clients need access to DMZ_Service on port 3030

Networking:

  • FW1 is connected to the internet, the DMZ, and the internal network
  • FW2 is connected to the DMZ network (outside interface), and the internal network (inside interface)
  • Internal Network is 192.168.1.0 255.255.0.0
  • DMZ Network is 192.169.1.0 255.255.0.0
  • DMZ machines have two NICs, one connected to FW1 and one connected to FW2. The NICs connected to FW2 have static IPs in the 192.169.1.0 range. The NICs connected to FW1 have static IPs that are publicly accessible from the internet.

Linked below is a diagram that I hope will answer a lot of questions concerning topology.

I've gathered that I may need to set up some static NAT rules to get traffic from the DMZ machines to the internal network and vice versa, but I'm not sure.

One thing I would like to point out is that the internal network is connected to FW1 & FW2. It is connected to FW1 to allow access to internet. It is connected to FW2 so that it can have access to devices in DMZ.

I'm not sure if this is correct. If it is not correct, what is the correct implementation? Also if it isn't correct, will it work?

I've searched all over but couldn't find a place that implemented my whole solution. Most of the time it was a piece here and there. I haven't been able to get all of the pieces to work together :(

Solution 1:

If you're going to use two firewall layers, then best security practice dictates that you use two different vendors, with the theory being that vulnerability in one will not be in the other (in my experience this is true in practice). If you haven't already purchased the two ASAs and your budget allows, I'd recommend using a different solution for one of the layers.

Technically speaking, what you have is not a DMZ. A true DMZ would be hanging off your external firewall layer and not on the VLAN between the two firewall layers. That's possibly semantics and may not be something you can do much about. For connections back from your DMZ to your LAN, you only have to go through one firewall. Most folk segregate such zones with two firewalls with a middle layer in between the two firewalls. Your design merges the DMZ and middle layer and, to be honest, the DMZ servers in this configuration are a nice jump point (if hacked) to your LAN, where I presume more important data etc. is held.

Just wondering, does your budget allow L2/L3 switches so your servers aren't directly connected to the firewalls?

For internal access from the LAN to the DMZ servers, I don't believe that you'll need NAT rules because you can just have a route from your LAN to the 192.169 network to go via the internal firewall (assuming it's configured to allow and route those packets).

Why are you using 192.169.. as an internal IP range? Read RFC1918, that's not a private IP range.

How do clients access the Internet?
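Two of the points raised in this answer (the 192.169 range is not RFC 1918, and the posted layout lets traffic reach the LAN through a single firewall) can be checked mechanically. The script below is an added example, not anything from the question or the answerer; the zone names, the `POSTED` and `TEXTBOOK` topologies and the "address mask" pairs are constructed from the question's description.

```python
"""Sanity checks for the two-firewall design described in the question (added example)."""
import ipaddress
from collections import deque


def check_network(address, mask):
    """Return findings for one zone's 'address mask' pair; an empty list means OK."""
    findings = []
    try:
        net = ipaddress.ip_network(f"{address}/{mask}")  # strict: host bits must be zero
    except ValueError:
        # e.g. 192.168.1.0 with 255.255.0.0: the third octet is a host bit under /16
        findings.append("host bits set: network address does not match the mask")
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    if not net.is_private:
        findings.append(f"{net} is not an RFC 1918 private range")
    return findings


def firewall_hops(links, src, dst):
    """Minimum number of firewalls a packet must traverse from zone src to zone dst.

    links maps a firewall name to the set of zones attached to it; a packet may
    move between any two zones attached to the same firewall (BFS over zones).
    """
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for zones in links.values():
            if zone in zones:
                for nxt in zones - seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
    return None  # dst not reachable through any firewall


# Constructed from the question: FW1 touches internet, DMZ and LAN; FW2 touches DMZ and LAN.
POSTED = {"FW1": {"internet", "dmz", "lan"}, "FW2": {"dmz", "lan"}}
# The layered layout the answer describes: the LAN hangs only off the inner firewall.
TEXTBOOK = {"FW1": {"internet", "dmz"}, "FW2": {"dmz", "lan"}}

if __name__ == "__main__":
    for name, addr, mask in [("LAN", "192.168.1.0", "255.255.0.0"),
                             ("DMZ", "192.169.1.0", "255.255.0.0")]:
        print(name, check_network(addr, mask) or "OK")
    for flow in [("internet", "dmz"), ("internet", "lan"), ("dmz", "lan")]:
        print(flow, "posted:", firewall_hops(POSTED, *flow),
              "textbook:", firewall_hops(TEXTBOOK, *flow))
```

Running it reports both addressing problems and shows that in the posted layout internet-to-LAN traffic crosses only one firewall, whereas the layered layout forces two.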