Dual Firewall setup

Hi Forum.

I want to split up VPN and Perimeter into two firewalls. I ended up with two different designs. Do you have any pros and/or cons on these designs? With Design 2 I was thinking about splitting encrypted and unencrypted traffic into two interfaces. Will that work out like this design?


My VPN fw should handle Anyconnect VPN and L2L tunnels.


Thank you.




  • I would use the second design, and in order to make routing less complex, I would use a single DMZ link between VPN ASA and Perimeter ASA. As opposed to the first design, with the second one, you can better control decrypted traffic with an inbound/global ACL on the Perimeter ASA.

  • If I use the second design with only 1 DMZ interface between the firewalls, how should my routing/NAT work with regard to AnyConnect VPN and L2L tunnels? Should I basically make static routing from Perimeter ASA to VPN ASA for the specific subnet? I guess I also need same-security-traffic permit {inter-interface | intra-interface}
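One way to wire the second design with a single DMZ link, as an added configuration example that is not from anyone in this thread: the VPN ASA terminates AnyConnect and L2L, hands decrypted traffic to the Perimeter ASA over the link, and the Perimeter ASA routes the VPN subnets back and filters them with an inbound ACL. Interface names, all addresses, the AnyConnect pool, the remote L2L subnet and the 192.168.0.0/16 internal LAN are assumed values.

```cisco
! Added example, not the thread's own config. Assumed addressing:
! VPN ASA outside 203.0.113.2/30, DMZ link 10.10.10.2/30 <-> Perimeter ASA 10.10.10.1
! AnyConnect pool 10.20.0.0/24, remote L2L site 10.30.0.0/24, internal LAN 192.168.0.0/16

! ---- VPN ASA ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif dmz_link
 security-level 50
 ip address 10.10.10.2 255.255.255.252
! Only needed if AnyConnect clients must reach the L2L site (traffic enters and leaves on outside);
! inter-interface is not needed here because outside (0) and dmz_link (50) differ
same-security-traffic permit intra-interface
! Decrypted traffic bound for the internal LAN is routed to the Perimeter ASA over the DMZ link
route dmz_link 192.168.0.0 255.255.0.0 10.10.10.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
ip local pool AC_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0
object network INSIDE_NET
 subnet 192.168.0.0 255.255.0.0
object network AC_POOL_NET
 subnet 10.20.0.0 255.255.255.0
object network L2L_REMOTE
 subnet 10.30.0.0 255.255.255.0
! Identity NAT so VPN traffic crosses the DMZ link untranslated
nat (dmz_link,outside) source static INSIDE_NET INSIDE_NET destination static AC_POOL_NET AC_POOL_NET no-proxy-arp route-lookup
nat (dmz_link,outside) source static INSIDE_NET INSIDE_NET destination static L2L_REMOTE L2L_REMOTE no-proxy-arp route-lookup

! ---- Perimeter ASA ----
interface GigabitEthernet0/2
 nameif vpn_dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.252
object network INSIDE_NET
 subnet 192.168.0.0 255.255.0.0
object-group network VPN_SOURCES
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
! Static routes for the VPN subnets point back at the VPN ASA
route vpn_dmz 10.20.0.0 255.255.255.0 10.10.10.2
route vpn_dmz 10.30.0.0 255.255.255.0 10.10.10.2
! Decrypted traffic is filtered here; allow only what the VPN users need, log the rest
access-list VPN_DMZ_IN extended permit tcp object-group VPN_SOURCES object INSIDE_NET eq 443
access-list VPN_DMZ_IN extended deny ip any any log
access-group VPN_DMZ_IN in interface vpn_dmz
! Identity NAT so the VPN subnets reach the inside interface (assumed nameif) untranslated
nat (vpn_dmz,inside) source static VPN_SOURCES VPN_SOURCES destination static INSIDE_NET INSIDE_NET no-proxy-arp route-lookup
```

The remote L2L subnet is reached on the VPN ASA through the crypto map rather than a static route, so only the pool and the remote subnet need return routes on the Perimeter ASA.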
