Network design questions

[Xaqte]

I'm in the middle of designing the topology for a new network. I wanted to see what you thought of the design I've chosen to implement. I'll draw up a diagram if this is any way confusing, just ask.

Internet > Firewall1(10.0.0.1) > DMZ/Web Server > Firewall2(192.168.1.0) > Internal network

I was planning on having just having one web server in the dmz with dual nics... one going to Firewall1 and the other to Firewall2.

A few questions regarding my setup:

Is using two different private IPs like this a good idea, or is their a better option?

How would I go about accessing the internal network with SSH from the internet? I've found a few resources mention tunneling and just port forward SSH all the way through, is this the ideal way?

Thanks in advance for any thoughts/experiences!

X

 

[michigan]

Hi Xaqte - Anything you setup in your rules/ACLs can be forwarded straight through. Just remember SSH/port 22 is typically blocked by default. You could even reassign a port # if you wanted -- perhaps someone with more experience can chime in on this one.

Your main config looks and sounds good. My only advice at this stage would be to map/draw out each of your services and how each will be delivered. From my experience, ensure you have all your NATs carefully planned. Which way in = allow / out deny and vis versa. This can be a challenge at times as some firewalls handle various traffic differently. For example if your email server sits behind firewall2 - SMTP may be handled differently at Firewall1 outbound (if EHLO/HELO commands are triggered at the Firewall2)and inbound a service isn't properly setup. Again, carefully drawing these out will really help before you deploy.

Good Luck.