From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Mar 05 2009 - 15:45:25 ARST
Regarding:
"If you're less concerned with the DMZ servers themselves and more with your
inside network then hang it off the ASA. Incoming packets get looked at by the
ASA. If the DMZ servers are breached they still have to get past the
juniper."
That is why we need both FWs: bugs from Cisco are not the same bugs as from
Juniper. We will need to protect our inside farm servers, so for instance in
the DMZ I should only put, let's say, a relay mail server so that mail arrives
at my mail server on my inside.
Regards
----- Original Message -----
From: "Steve Means" <smeans@ccbootcamp.com>
To: "Shahid Ansari" <shahid1357@gmail.com>; "Cisco certification"
<ccielab@groupstudy.com>; "Cisco certification" <security@groupstudy.com>;
"Farrukh Haroon" <farrukhharoon@gmail.com>
Sent: Thursday, March 05, 2009 11:25 AM
Subject: RE: NAT-ASA-Juniper Security
> I guess one question here is why the need for multiple inline firewalls
> from a design standpoint?
>
> Assuming there is some reason, why is multiple NAT being considered? Is it
> purposeful? Can one device simply NOT nat and just filter/route?
>
> Yes the ASA can nat if the real IP is several hops away. As you hit on, it
> just needs to know where to send those packets. Either with a static route or
> an IGP.
>
> As for where to put the DMZ in that diagram it really depends on what you're
> hoping to accomplish. If you want TWO different vendor devices to take a look
> at packets from the outside to the DMZ for security reasons, hang it off the
> juniper.
>
> If you're less concerned with the DMZ servers themselves and more with your
> inside network then hang it off the ASA. Incoming packets get looked at by the
> ASA. If the DMZ servers are breached they still have to get past the juniper.
>
> These are just generalities and it would really take a sit down and review of
> the traffic to give a solid answer.
>
> Steve Means
> Security Instructor/Consultant
> smeans@ccbootcamp.com
> CCBOOTCAMP - A Cisco Learning Partner
> 877.654.2243 Toll Free
> +1.702.968.5100 Direct Outside the USA
> +1.702.446.0357 Fax
> YES! We take Cisco Learning Credits
> Training And Remote Racks: http://www.ccbootcamp.com
>
> ________________________________
>
> From: nobody@groupstudy.com on behalf of Shahid Ansari
> Sent: Thu 3/5/2009 7:24 AM
> To: Cisco certification; Cisco certification; Farrukh Haroon
> Subject: NAT-ASA-Juniper Security
>
>
>
> Hi Sec.Guys,
>
> I have a question regarding NAT. As I am configuring inside NAT on ASA, does
> NATting work on ASA if the REAL IP is one or two hops away from ASA?
> And if it works, how does the ASA know how to reach that host? By static routes?
> If I do double NAT, I can face problems with Streamline applications (Voice);
> what about Bypass NAT?
> Below, what is the best place to create DMZs for external Web servers: on ASA
> or on Juniper?
>
> Design 1
> Internet Router-----ASA----Juniper----Internal Servers(Email Server)
> !
> !
> DMZ Web servers,Ex.Email server
>
> Internet router , ASA outside has public Block
>
> OR
>
>
> Design 2
> Internet Router-----ASA----Juniper----Internal Servers(Email Server)
> !
> !
> DMZ Web servers,Ex.Email server
>
> Any help or clue is really appreciated.
>
> Thanks
> Shahid Ansari
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
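An added configuration sketch, not from any poster in this thread, of the points made above: the ASA can NAT for a host that sits two hops away behind the Juniper as long as it has a route to it, NAT is done once (on the ASA) so the Juniper only filters and routes, and the DMZ holds nothing but a mail relay that may speak SMTP to the inside mail server. It uses the pre-8.3 ASA CLI of that era; interface names and all addresses are constructed.

```cisco
! Assumed topology (constructed addresses, documentation ranges):
!   Internet -(outside)- ASA -(inside)- Juniper --- inside mail server 10.20.0.25
!                         |
!                        (dmz) mail relay 192.168.100.25
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.252
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Default route towards the Internet router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The inside mail server is two hops away behind the Juniper (10.10.0.2).
! A static route is all the ASA needs; hop count does not matter for NAT.
route inside 10.20.0.0 255.255.255.0 10.10.0.2 1
!
! NAT happens once, here. The Juniper behind the ASA filters and routes only,
! so no double NAT and no NAT traversal issues for voice traffic.
! Only the relay gets a public address; the inside server is never published.
static (dmz,outside) 203.0.113.5 192.168.100.25 netmask 255.255.255.255
! Inside hosts reach the Internet through PAT on the outside interface
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
! Identity NAT between inside and dmz so zone-to-zone traffic keeps real IPs
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
!
! From the Internet only SMTP to the relay is allowed
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-group outside_in in interface outside
! A breached relay can only open SMTP to the inside mail server; everything
! else from the DMZ is dropped and logged, and the Juniper checks it again.
access-list dmz_in extended permit tcp host 192.168.100.25 host 10.20.0.25 eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```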
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART