I have two firewalls (P.Alto) sitting in two different campuses within our infrastructure, connected via fiber. They are not synced to each other, just plain standalone FWs, set up for redundancy and protection of our internal network. From the firewall up to the ISP, all devices have assigned public IPs.
The question is: can I set up a separate DMZ on the other end, FW1? Everything is off the FW2 DMZ interface (servers, etc.); if it is unreachable (site or FW), everything off it is blackholed. Oddly, the DMZ interface on FW2 has a public IP.
Is it possible to create an additional DMZ in FW1 to put some services behind that, even though on FW2 the DMZ interface has a public IP address? Should I assign the FW1 DMZ a private IP, or will I have to get a new set of routable public IPs from the ISP? Issues?
I'm no expert, but if FW1 gets a DMZ, will they have to use a new set of routable IPs (NAT)? I doubt that the DMZ can use the same subnet as the IPs off the FW2 DMZ.
Connected from top to bottom (ISP to Campus):

| Campus 1 side | Link between sides | Campus 2 side |
|---|---|---|
| ISP1 | | ISP2 |
| ASR1 (HSRP) | Virtual IP | ASR2 (HSRP) |
| Sw1 (public IP) | fiber (public) | Sw2 (public IP) |
| FW1 (in, out) | | FW2 (in, out, DMZ = public IP) |
| Campus 1 | fiber (internal) | Campus 2 |
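A small addressing check for the design question above, added here as an example and not part of the original post: it takes the public block already used by the FW2 DMZ and classifies candidate subnets for a new FW1 DMZ as overlapping (cannot be routed to two standalone firewalls), a separate public block (ISP has to route it to FW1), or RFC1918 space (services must be published with NAT on FW1's outside address). All addresses are constructed sample values, not the poster's real ranges.

```python
import ipaddress

# Constructed sample addressing; the real public blocks are not given in the post.
# 203.0.113.0/24 is a documentation range standing in for ISP-assigned space.
FW2_DMZ = "203.0.113.0/27"
CANDIDATES = {
    "reuse FW2 block": "203.0.113.0/27",      # same prefix on both firewalls
    "new public block": "203.0.113.32/27",    # separate ISP-routed block for FW1
    "private + NAT": "10.20.30.0/24",         # RFC1918, needs NAT on FW1 outside
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dmz_plan(existing_dmz: str, candidate: str) -> dict:
    """Classify a candidate FW1 DMZ subnet against the DMZ already on FW2."""
    existing = ipaddress.ip_network(existing_dmz, strict=True)
    new = ipaddress.ip_network(candidate, strict=True)
    overlaps = existing.overlaps(new)
    needs_nat = any(new.subnet_of(r) for r in RFC1918)
    if overlaps:
        verdict = "reject: overlaps the FW2 DMZ block; one prefix cannot be routed to two standalone firewalls"
    elif needs_nat:
        verdict = "ok: private space; publish services via NAT on FW1's outside (public) address"
    else:
        verdict = "ok: separate public block; the ISP must route it to FW1"
    return {"overlaps_fw2": overlaps, "needs_nat": needs_nat, "verdict": verdict}


def review_all(existing_dmz: str = FW2_DMZ, candidates: dict = CANDIDATES) -> dict:
    """Run the check for every candidate and return the results keyed by label."""
    return {name: check_dmz_plan(existing_dmz, net) for name, net in candidates.items()}


if __name__ == "__main__":
    for name, result in review_all().items():
        print(f"{name:>17}: {result['verdict']}")
```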