Thursday, January 31, 2019

Two separate standalone firewalls in two locations > DMZ?

I have two firewalls (P.Alto) sitting in two different campuses within our infrastructure, connected via fiber. They are not synced to each other, just plain standalone FWs, set up for redundancy and protection for our internal network. From the firewall up to the ISP, all devices have assigned public IPs.

The question is: can I set up a separate DMZ on the other end, FW1? Everything is off the FW2 DMZ interface (servers, etc.); if it is unreachable (site or FW), everything off it is blackholed. Oddly, the DMZ interface on FW2 has a public IP.

Is it possible to create an additional DMZ on FW1 to put some services behind, even though on FW2 the DMZ interface has a public IP address? Should I assign the FW1 DMZ a private IP, or will I have to get a new set of routable public IPs from the ISP? Any issues?

I'm no expert, but if FW1 gets a DMZ, will it have to use a new set of routable IPs (NAT)? I doubt the DMZ can use the same subnet as the IPs off the FW2 DMZ.

Connected from top to bottom (ISP to campus):

    ISP1                                           ISP2
    ASR1 (HSRP) ---------- Virtual IP ---------- ASR2 (HSRP)
    Sw1 (Pub IP) --------- fiber (Pub) --------- Sw2 (Pub IP)
    FW1 (in, out)                                FW2 (in, out, DMZ = Public IP)
    Campus 1 ----------- fiber (internal) ------ Campus 2
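As an added example for this question (not the poster's configuration or any Palo Alto feature), the small Python check below walks through the addressing decision the post raises: a prefix can only be routed by the upstream ASRs to one firewall, so a DMZ behind FW1 needs either its own routable block from the ISP or an RFC 1918 range that FW1 NATs on its outside interface; it cannot reuse FW2's DMZ subnet or be carved out of FW2's public block. All prefixes are constructed placeholders (RFC 5737 documentation space standing in for the public ranges).

```python
"""Sanity-check a planned DMZ addressing scheme across two standalone firewalls.

Added example for this thread, not the poster's setup. Prefixes are constructed
placeholders: RFC 5737 documentation space plays the role of public ranges,
RFC 1918 space the role of a private DMZ.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network

RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)


@dataclass
class Firewall:
    name: str
    outside: IPv4Network                      # routable block on the ISP-facing interface
    dmz: list = field(default_factory=list)   # prefixes planned behind the DMZ interface


def is_rfc1918(net: IPv4Network) -> bool:
    """True when the whole prefix lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(firewalls):
    """Return findings as (level, firewall, message) tuples.

    Rules applied (the reasoning behind the post's question):
      * the upstream routers have one next hop per prefix, so a DMZ prefix may sit
        behind only one firewall and may not overlap any outside block -> ERROR;
      * an RFC 1918 DMZ is not reachable from the Internet, so that firewall must
        NAT published services to addresses it owns on its outside interface -> INFO;
      * a public DMZ prefix must be a separate block the ISP routes to that firewall -> INFO.
    """
    findings = []
    # every outside block is already "claimed" before any DMZ prefix is placed
    placed = [(f"{fw.name} outside", fw.outside) for fw in firewalls]
    for fw in firewalls:
        for net in fw.dmz:
            for owner, other in placed:
                if net.overlaps(other):
                    findings.append(("ERROR", fw.name,
                                     f"DMZ {net} overlaps {other} already used by {owner}"))
            placed.append((f"{fw.name} DMZ", net))
            if is_rfc1918(net):
                findings.append(("INFO", fw.name,
                                 f"DMZ {net} is private; NAT required on outside block {fw.outside}"))
            else:
                findings.append(("INFO", fw.name,
                                 f"DMZ {net} is public; ISP must route it to {fw.name}"))
    return findings


def errors(findings):
    """Only the findings that make the plan unroutable."""
    return [f for f in findings if f[0] == "ERROR"]


if __name__ == "__main__":
    # constructed plan: FW1 gets a private DMZ behind NAT, FW2 keeps its public DMZ block
    fw1 = Firewall("FW1", IPv4Network("203.0.113.0/28"), [IPv4Network("10.20.0.0/24")])
    fw2 = Firewall("FW2", IPv4Network("203.0.113.16/28"), [IPv4Network("198.51.100.0/26")])
    for level, name, msg in check_plan([fw1, fw2]):
        print(f"{level:5} {name}: {msg}")
```

Running the script with the constructed plan reports no errors, one NAT note for FW1 and one "ISP must route" note for FW2; feeding it FW2's DMZ prefix on FW1, or a slice of FW2's outside block, produces an ERROR, which is the situation the post suspects cannot work.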
