I have been talking with Craig about this. I have a few other questions. I am currently running BM as my firewall. It is also running proxy and NAT. We are talking about adding an ISA server (not my choice) for our 2nd firewall. How does this affect my LAN users? Right now they proxy out to my BM server. If I make my BM the internal firewall, I can no longer do proxy, correct?



In article , wrote:
> Now will the internal firewall have 2 private NICs? 1 subnet to the DMZ
> and 1 subnet to the LAN?


Yes, but I would call that one public and one private NIC...


> Hub/switch placement: a hub/switch will be added and the private of the
> external and internal firewalls will go into and connect the DMZ. The 2nd
> internal private NIC will go into my LAN switch? If I want to do reverse
> proxy to the web servers, will that come from the ext. firewall or internal
> firewall? I am running NAT. I know the webserver will be NATed, but what
> about the internal firewall, or is that strictly internal?


I'm not sure I follow, but here are some statements that may clarify things.

1. If you are allowing inbound http, it of course must come in through the ext. firewall. Whether that firewall does NAT or reverse proxy is up to you, and the firewall capability. You would not be putting a reverse proxy on the int. firewall, because that would defeat the point of a DMZ. (We assume any such web server will go into the DMZ, if you have a DMZ to start with.)

2. You will have router -> ext. firewall -> hub & DMZ servers -> int. firewall -> switch.

3. You may, or may not, use NAT on the int. firewall. It is up to you. You can use public IP addresses in the DMZ, or put NAT on the ext. firewall, or NAT on both. Certain services may not like NAT, but if they are OK with NAT, they will probably work OK with 'double NAT' as well. I use 'double NAT' here myself.
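As an added illustration of points 1 to 3 above (not part of this thread, and not BorderManager or ISA code), the following Python models the two-firewall layout as two stateful NAT hops: an external firewall that hides the DMZ and publishes port 80 to a DMZ web server (point 1), and an internal firewall that hides the LAN behind one DMZ-side address (point 3, 'double NAT'). All addresses (203.0.113.10 for the public side, 10.0.0.0/24 for the DMZ, 192.168.1.0/24 for the LAN, 198.51.100.5 as an Internet host) and the packets are constructed for the example. It shows why plain client/server traffic survives two NAT hops unchanged from the client's view, why the published web server is reached only through the external firewall, why an unsolicited packet from a DMZ host never reaches the LAN, and why a protocol that embeds its own address in the payload (active FTP's PORT command is the classic case) is one of the "certain services" that may not like NAT.

```python
"""Simulated 'double NAT' across the two-firewall DMZ layout discussed in the
thread. Addresses and packets below are constructed for the example."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Nat:
    """One stateful NAT hop: hides an inside network behind a single outside
    address and optionally forwards (DNAT) chosen outside ports to inside servers.
    Only IP headers are rewritten; the payload is never touched."""

    def __init__(self, outside_ip, inside_net, dnat=None, first_port=40000):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.dnat = dict(dnat or {})   # outside dport -> (inside server, port)
        self.next_port = first_port
        self.snat = {}       # (src, sport, dst, dport) -> mapped source port
        self.snat_rev = {}   # (mapped port, peer, peer port) -> (src, sport)
        self.dnat_rev = {}   # (server, port, client, cport) -> published port

    def outbound(self, pkt):
        """Inside -> outside: source-NAT inside hosts, un-DNAT server replies."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat_rev:                       # reply from a published server
            return replace(pkt, src=self.outside_ip, sport=self.dnat_rev[key])
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                                 # not one of ours: pass as-is
        if key not in self.snat:                       # new flow: allocate a port
            self.snat[key] = self.next_port
            self.snat_rev[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.snat[key])

    def inbound(self, pkt):
        """Outside -> inside: replies to known flows and published ports only.
        Everything else is dropped (returns None)."""
        if pkt.dst != self.outside_ip:
            return None
        rev = (pkt.dport, pkt.src, pkt.sport)
        if rev in self.snat_rev:                       # reply to an outbound flow
            src, sport = self.snat_rev[rev]
            return replace(pkt, dst=src, dport=sport)
        if pkt.dport in self.dnat:                     # published service
            server, port = self.dnat[pkt.dport]
            self.dnat_rev[(server, port, pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=server, dport=port)
        return None                                    # unsolicited: dropped


def build_site():
    """router -> ext firewall -> hub & DMZ servers -> int firewall -> LAN switch."""
    ext = Nat("203.0.113.10", "10.0.0.0/24", dnat={80: ("10.0.0.80", 80)})
    internal = Nat("10.0.0.254", "192.168.1.0/24")    # NAT on both = double NAT
    return ext, internal


def lan_round_trip(ext, internal, request):
    """A LAN host's request to the Internet and the reply coming back through
    both hops. Returns (packet as seen on the Internet, packet delivered to LAN)."""
    on_wire = ext.outbound(internal.outbound(request))
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport, b"HTTP/1.1 200 OK")
    return on_wire, internal.inbound(ext.inbound(reply))


def publish_web(ext, request):
    """An Internet client reaching the DMZ web server: the DNAT lives on the
    external firewall only, and the server's reply never touches the internal one."""
    to_server = ext.inbound(request)
    if to_server is None:
        return None, None
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport, b"HTTP/1.1 200 OK")
    return to_server, ext.outbound(reply)


def payload_leaks_private_ip(original_src, translated):
    """True if the pre-NAT source address still appears inside the payload
    (dotted or FTP PORT comma form), i.e. the peer is told a private address."""
    dotted = original_src.encode()
    commas = original_src.replace(".", ",").encode()
    return dotted in translated.payload or commas in translated.payload


if __name__ == "__main__":
    ext, internal = build_site()
    wire, back = lan_round_trip(ext, internal,
                                Packet("192.168.1.10", 51515, "198.51.100.5", 80, b"GET / HTTP/1.1\r\n"))
    print("LAN->Internet seen as", wire.src, wire.sport, "| reply delivered to", back.dst, back.dport)
    ftp = Packet("192.168.1.10", 51516, "198.51.100.5", 21, b"PORT 192,168,1,10,200,10\r\n")
    print("FTP PORT leaks private IP:", payload_leaks_private_ip("192.168.1.10", ext.outbound(internal.outbound(ftp))))
```

The point of `Nat.inbound` returning `None` for anything that is neither a reply to tracked state nor a published port is the DMZ property the reply above relies on: a compromised DMZ host can answer the connections the LAN opened to it, but cannot open its own toward the LAN, and putting the published service (reverse proxy or DNAT) on the external firewall keeps it that way.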