Firewall Wizards mailing list archives
Re: DMZ Routing Question
From: "Farrukh Haroon" <farrukhharoon () gmail com>
Date: Sat, 29 Nov 2008 08:51:27 +0300
Considering the limited throughput on the firewalls as compared to a SUP720... I would do all the advanced routing/PBR on the switch.

Regards

Farrukh Haroon
CCIE # 20184 (Security)

P.S. The ASA does not support PBR to date.

On Fri, Nov 28, 2008 at 1:07 AM, FW Mailinglist <fwlist2008 () gmail com> wrote:
All,

I have searched the archives a bit, but haven't found what I am looking for. I am implementing a new DMZ design and wanted to get back what the common consensus is on routing.

I am deploying a typical sandwich design - Outside Firewall -> DMZ Networks <- Inside Firewall. The switches in the DMZ are Cisco 6509E's with SUP 720's. The inside and outside firewalls are both ASA 5550's in Active/passive.

My thought is that I'll create VLANs in the DMZ for the web, DB, and mail networks and use the Sup720s as the default gateway. I planned on using PBR (hardware in the 6K) based on the source and destination networks to direct the traffic to appropriate firewalls.

My other thought is to haul all of the DMZ traffic into the Outside firewall and allow it to handle the routing...

Any thoughts on a preferred method?

Thanks!

Joe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
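Added example, not part of the original thread and not either poster's configuration: an IOS configuration for the PBR-on-the-switch option discussed above, with the SVI as the DMZ default gateway and a route-map that selects the firewall by source and destination network. All VLAN IDs, names and addresses are constructed assumptions.

```cisco
! Constructed example: VLAN IDs, names and addresses are assumptions.
! VLAN 110 = web DMZ (192.168.110.0/24)
! VLAN 201 = transit to outside ASA (192.168.201.1)
! VLAN 202 = transit to inside ASA  (192.168.202.1)
!
! Traffic from the web DMZ to internal networks
ip access-list extended WEB-TO-INSIDE
 permit ip 192.168.110.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map WEB-DMZ-PBR permit 10
 match ip address WEB-TO-INSIDE
 set ip next-hop 192.168.202.1
! Packets that match no route-map entry fall through to the routing table.
!
interface Vlan110
 description Web DMZ default gateway
 ip address 192.168.110.1 255.255.255.0
 ip policy route-map WEB-DMZ-PBR
!
! Everything else leaves through the outside firewall.
ip route 0.0.0.0 0.0.0.0 192.168.201.1
!
! Caveat: traffic between DMZ VLANs with SVIs on this switch is routed
! locally and passes through neither firewall unless a policy entry or
! interface ACL handles it.
```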