Re: DMZ Routing Question

["Farrukh Haroon" <farrukhharoon () gmail com>]

Considering the limited throughput on the firewalls as compared to a
SUP720......I would do all the advanced routing/PBR on the switch.

Regards

Farrukh Haroon
CCIE # 20184 (Security)

P.S. The ASA does not support PBR to date.



On Fri, Nov 28, 2008 at 1:07 AM, FW Mailinglist <fwlist2008 () gmail com>wrote:

> All,
> I have searched the archives a bit, but haven't found what I am looking
> for. I am implementing a new DMZ design and wanted to get back what the
> common consensus is on routing. I am deploying a typical sandwich design -
> Outside Firewall -> DMZ Networks <-Inside Firewall.
>
> The switches in the DMZ are Cisco 6509E's with SUP 720's. The inside and
> outside firewalls are both ASA 5550's in Active/passive.
>
> My thought is that I'll create vlans in the DMZ for the web, DB, and mail
> networks and use the Sup720s as the default gateway. I planned on using PBR
> (hardware in the 6K) based on the source and destination networks to direct
> the traffic to appropriate firewalls. My other thought is to haul all of the
> DMZ traffic into the Outiside firewall and allow it to handle the routing...
>
> Any thoughts on a preffered method?
>
> Thanks!
>
> Joe
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards