
DMZ Configuration Help Needed!!!

Status
Not open for further replies.

JRMS

MIS
Joined
Sep 4, 2003
Messages
144
Location
US
I am attempting to configure a DMZ between my two firewalls. Does the Ethernet port on my failover need to be a public or private IP address? Do I need to use NAT or PAT? Please help.
 
between" and "failover"? These are different issues.

If you have two separate firewalls, like so:
internet->firewallA->dmz->firewallB->LAN

then you just configure firewallA to allow public access to the DMZ. FirewallB would allow no inbound public access, and only what's required for internal web surfing, etc. Maybe if the DMZ servers require internal access, but allow it only from those addresses.

If you have failover firewalls, then they need to match. The DMZ would use a third interface, so you'd have private, public, and DMZ interfaces on each. Some might also require a virtual address on each; the PIX (for example) doesn't.

NAT, PAT, or nothing depends on your DMZ configuration. If you use public addresses in the DMZ, then you just have access lists. If they're private, you need NAT.
 
Thanks for your response. As stated earlier, I am in the process of configuring the DMZ for a web server. Can the IP address that I assign to the DMZ interface be generic, or should it be a public IP address or an internal address?

Thank you in advance for your assistance!
 
It can be private. You'll then use NAT. Something like this for a single host:

static (dmz,outside) <outside_ip> <inside_ip> netmask 255.255.255.255
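
An added example, not part of the thread: the single-host static above shown in context, in PIX 6.x-style syntax. The static only creates the translation; traffic arriving on the lower-security outside interface also needs an access list bound to that interface, and that list is where exposure is narrowed to the one service the web server offers. The addresses (documentation and private ranges), the security level, and the name acl_outside are constructed assumptions.

```cisco
! Annotation lines start with "!" and are for reading, not part of the config.
! Third interface for the DMZ, trusted between outside (0) and inside (100).
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0
! One-to-one translation: public 203.0.113.10 <-> web server 192.168.50.10.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
! Permit only HTTP to the translated (public) address; everything else
! from outside is dropped by the implicit deny at the end of the list.
access-list acl_outside permit tcp any host 203.0.113.10 eq www
access-group acl_outside in interface outside
```

`show xlate` and `show access-list acl_outside` confirm the translation and the hit count on the permit line.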
 