Hello,

We just received a Cisco router, and I wish to set up a BorderManager box to perform firewall and NAT and proxy duties. My workstations will be set up to use the 192.168.1.0/24 network with the BM box doing NAT.

I would like a DMZ in place for public servers, and I understand that the DMZ would typically be between the BorderManager box and the Cisco router. However, I have been recommended by our Cisco experts to not use the Cisco router to do stateful packet filtering, and instead use a firewall server (like BorderManager) to do that. If the Cisco router is not doing packet filtering, then all ports on my DMZ are wide open to the Internet, and that idea makes me nervous; I would rather be able to firewall off the DMZ also. I might also want to reverse proxy some or all of the servers in the DMZ.

Instead of setting up a second BorderManager box so that there are two BM boxes in total, one for external firewall, one for internal firewall, and putting the DMZ in between, it would be more cost effective for us to put a third NIC in the one BorderManager box and get a block of public IPs to assign to that and have that interface be the DMZ. In this scenario I assume what I would need is a block of two public IP addresses (one for the Cisco router private interface and one for the BorderManager public interface), and another block of several public IP addresses for my DMZ (which may include static NAT mappings from my private interface).

However, I am unsure of how complicated it is to achieve that configuration, or whether it is even possible, or whether it is the recommended way to do things. I see there are a couple of books at nscsysop.hypermart.net which might help, but I don't know which one I should buy (I have set up BorderManager before several times, but not in this specific type of configuration). Does it make more sense to have two BorderManager boxes, or can I get away with one with three NICs? What is the recommended way to configure this?

Please advise.

Thanks.
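As an added illustration of the three-NIC design asked about above (example code, not from the poster or from BorderManager itself), the following models the three zones, a default-deny policy for the DMZ and a static NAT mapping from a DMZ public address to a private host, then audits which ports are actually reachable from the Internet. Addresses are constructed from the RFC 5737 documentation ranges and stand in for the real public blocks.

```python
import ipaddress

# Constructed addressing for the three-NIC layout (placeholders, not real allocations).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # private LAN, dynamically NATed
DMZ = ipaddress.ip_network("203.0.113.0/29")        # public block on the third NIC
# Static NAT: a DMZ public address published for a host that sits on the private LAN.
STATIC_NAT = {"203.0.113.6": "192.168.1.10"}
# Services published to the Internet per DMZ address; anything not listed is denied.
PUBLISHED = {
    "203.0.113.2": {80, 443},   # web server in the DMZ
    "203.0.113.3": {25},        # mail relay in the DMZ
    "203.0.113.6": {443},       # static-NAT'd internal host
}

def zone(ip):
    """Classify an address by the BM interface it sits behind."""
    ip = ipaddress.ip_address(ip)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "external"

def evaluate(src, dst, dport):
    """Verdict for a new connection: ('allow', translated destination) or ('deny', None)."""
    sz, dz = zone(src), zone(dst)
    if sz == "internal":
        # LAN hosts may go anywhere; a published address is hairpinned to its private host.
        return ("allow", STATIC_NAT.get(dst, dst))
    if sz == "dmz":
        # A compromised DMZ host must not be able to pivot into the private LAN.
        return ("allow", dst) if dz == "external" else ("deny", None)
    if dz == "dmz" and dport in PUBLISHED.get(dst, set()):
        return ("allow", STATIC_NAT.get(dst, dst))
    return ("deny", None)   # external -> internal, or an unpublished DMZ port

def exposed(max_port=1024):
    """Audit: every (DMZ address, port) an Internet host can reach, i.e. what is not 'wide open'."""
    probe = "198.51.100.99"   # constructed external source address
    return [(str(a), p) for a in DMZ.hosts() for p in range(1, max_port + 1)
            if evaluate(probe, str(a), p)[0] == "allow"]

if __name__ == "__main__":
    for addr, port in exposed():
        print(f"reachable from Internet: {addr}:{port}")
```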