Solved: DMZ Network Design – Cisco Community

Dears 

I am setting up a DMZ network and we have purchased a WSA. I would like to understand, from a design perspective, whether it is OK to connect the P1 port of the WSA to the internal core switch (logically, traffic will pass through the internal firewall) and the P2 port to the external firewall's DMZ zone. Is that a good way of connecting it?

OR

Should I connect both P1 and P2 to the external firewall via DMZ-1 and DMZ-2?

Scenario 1 traffic flow

A user initiates a request to google.com. The traffic hits the internal firewall as the default gateway, and the firewall routes the traffic to the proxy P1 port (explicit proxy configured), because the P1 port's default gateway is the internal firewall, connected via the core switch. The proxy does web filtering and then sends the traffic out from the P2 port to the external firewall, and the external firewall routes it to the internet.

Scenario 2 traffic flow

A user initiates a request to google.com. The traffic hits the internal firewall as the default gateway, and the firewall routes the traffic to the proxy P1 port through the external firewall's internal interface; the external firewall then routes it via DMZ-1 to the proxy interface. The proxy does web filtering and then sends the traffic out from the P2 port back to the external firewall's DMZ-2, and the external firewall routes it to the internet.

Also, I don't have external switches (facing the ISP internet router) on which I can connect the internet link. In that case, if I use my DMZ switches with VLAN segregation, will that be good security, or is it preferred to have isolated external switches?

Thanks