
Routing between two DMZ between 2 firewalls

18 years 7 months ago #14663 by djjase
Hi, I have basically 2 separate networks, both with their own routers and firewalls and internet connection. I want to be able to connect to the servers on one network via the other network internally and not via the internet. Can I do it the following way?
Or should I do it from DMZ 3 of FW1 to the router of the 2nd network? Or should I use a router between the two firewalls instead of a switch?

I need some advice urgently.
Thanks
18 years 7 months ago #14666 by TheBishop
Replied by TheBishop on topic Question
Hello djjase
I assume that since there is a switch between the firewalls that those two DMZ legs are on the same IP subnet. That being the case you shouldn't need a router there as the firewalls effectively provide routing capability at each end of this little point-to-point network.
With proper design I can't see why you wouldn't be able to administer all your machines internally; I run a complex and in some ways similar network with multiple DMZs and firewalls and it works for us. To achieve it you'll need to first make sure that you have the appropriate routing table entries in place, both on the admin machines, servers and the firewalls themselves. And after that you'll need to apply firewall rules to permit the administrative traffic along those routes. Against this you need to weigh the security considerations; how much of a problem do you have with opening up additional ports in this way? Make the rules host-specific wherever possible so you're only allowing one named machine to reach another named machine via just a couple of specified ports. And consider using something secure like SSH for your admin sessions.
18 years 7 months ago #14682 by djjase
Yes, that is correct: the 2 DMZs of the FWs connecting in the middle are on 172.16.32.x. The office PCs are on 192.168.0.x and the admin servers are on 192.168.1.x.
What would be the best way to allow the office PCs to connect to the admin servers? Do I have to add a route for the 192.168.0.x to the 172.16.32.x and then from the 172.16.32.x to the 192.168.1.x, on both firewalls?
18 years 7 months ago #14689 by TheBishop
Replied by TheBishop on topic Routes
Yes, you'll need not only routes on the firewalls but also firewall rules to allow the administrative traffic to traverse those routes. All of that is done at the firewalls. In addition you'll need to put a static route on your Office PCs that offers a route to 192.168.1.x via whatever the IP address is of the Eth2 interface of FW1. You'll also need a similar static route on your Admin servers offering a route to 192.168.0.x via the IP address of the Eth1 interface of FW2. If you write all the IP addresses and networks onto your diagram and think of each step the packets have to take to get from source to destination and back again then that will help you visualise what you need.
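An added example, not code from this thread, that does the "think of each step the packets have to take" exercise TheBishop describes in this reply and the earlier one: it walks a packet hop by hop from an office PC to an admin server and back, using longest-prefix routing on every host and host-specific rules on FW1 and FW2. The three subnets come from the thread; every interface address (FW1 Eth2 = 172.16.32.1, FW2 Eth1 = 172.16.32.2, the LAN gateways and routers) is an assumed placeholder.

```python
import ipaddress
# Constructed topology. Office LAN 192.168.0.x, DMZ link 172.16.32.x and admin LAN
# 192.168.1.x are from the thread; all interface addresses are assumed placeholders.
# "INTERNET" marks a default route leaving the site through its own router.
HOSTS = {
    "office-pc": {"ips": {"192.168.0.10"}, "routes": [("192.168.0.0/24", None),
                  ("192.168.1.0/24", "192.168.0.1"), ("0.0.0.0/0", "192.168.0.254")]},
    "router1":   {"ips": {"192.168.0.254"}, "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "INTERNET")]},
    "fw1":       {"ips": {"192.168.0.1", "172.16.32.1"}, "routes": [("192.168.0.0/24", None),
                  ("172.16.32.0/24", None), ("192.168.1.0/24", "172.16.32.2")]},
    "fw2":       {"ips": {"172.16.32.2", "192.168.1.1"}, "routes": [("172.16.32.0/24", None),
                  ("192.168.1.0/24", None), ("192.168.0.0/24", "172.16.32.1")]},
    "admin-srv": {"ips": {"192.168.1.20"}, "routes": [("192.168.1.0/24", None),
                  ("192.168.0.0/24", "192.168.1.1"), ("0.0.0.0/0", "192.168.1.254")]},
    # Same kind of server but without the static route to the office LAN: default gateway only.
    "srv-noroute": {"ips": {"192.168.1.21"}, "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")]},
    "router2":   {"ips": {"192.168.1.254"}, "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "INTERNET")]},
}
# Host-specific forwarding rules per firewall: (firewall, src, dst, dst_port). Replies are
# matched statefully against the forward tuple, so no reverse rule is written.
ALLOW = {("fw1", "192.168.0.10", "192.168.1.20", 22), ("fw2", "192.168.0.10", "192.168.1.20", 22)}

def owner(ip):
    return next((n for n, h in HOSTS.items() if ip in h["ips"]), None)

def next_hop(host, dst):
    best = None  # longest-prefix match; on-link routes return dst itself
    for net, via in HOSTS[host]["routes"]:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return None if best is None else (best[1] or dst)

def permitted(fw, src, dst, port, reply):
    return ((fw, dst, src, port) if reply else (fw, src, dst, port)) in ALLOW

def trace(src_host, dst_ip, port, reply=False):
    src_ip, path, host = next(iter(HOSTS[src_host]["ips"])), [src_host], src_host
    for _ in range(10):  # bounded walk so a routing loop cannot spin forever
        if dst_ip in HOSTS[host]["ips"]:
            return path  # delivered
        if host.startswith("fw") and not permitted(host, src_ip, dst_ip, port, reply):
            return path + ["DROPPED"]  # route exists but no rule permits the flow
        nh = next_hop(host, dst_ip)
        host = owner(nh) if nh else None
        if host is None:
            return path + ["INTERNET" if nh == "INTERNET" else "NO-ROUTE"]
        path.append(host)
    return path + ["LOOP"]
```

Tracing `srv-noroute` back to the office PC shows the reply leaving via router2 toward the internet, which is the failure the static route on the admin servers prevents.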
18 years 7 months ago #14722 by eylli
I think you must begin to play with the DNS servers also, so the connections will not pass through the internet. Also you must play with the policies installed on the interfaces facing the internet and the other firewall.