Hi, I am new here. Nice to meet you guys 
Here is my first question:
We are using Fortigate 3800 as firewalls. The DMZ contains external DNS, web and proxy servers. Systems in DMZ use subnet 192.168.1.0, and the internal systems use subnet 10.1.1.0.
My questions: Can we assign two IP addresses to each DMZ server, one IP in 192.168.1.0 subnet and one IP in 10.1.1.0 subnet? Is there any way to prevent security issues from occuring by using this type of configuration?
Thank you much in advance!
The answer is yes and yes; but your questions are too vague for a definitive answer.
First of all, if you are going to ask questions about assigning IP addresses to servers, shouldn't you name the hardware and software you are using?
Second, what does "security issues" mean? This has no meaning because it is just a vague statement without any context.
If you want to discuss security topics, please be very specific. Thanks!
Yes. This is a general security question. Hardware and software are not that important. Any differences between DELL/Linux, IBM/AIX and Sun/Solaris? I don't think so.
What I understand is that DMZ is NOT supposed to access to inside. How can DMZ systems contain internal IPs? This is what "security issues" means.
Thanks.
OK, you ask a general question, you'll get a general answer.
Yes, If you're using a single NIC, you can configure any IP addresses you want on the DMZ servers - but that doesn't mean you'll necessarily be able to pass traffic to/from those IPs. The firewall rules all.
Unless you are planning to subnet a portion of your 10.1.1.x space as a second DMZ, from the firewall's perspective, I don't see any good reason to multihome your DMZ hosts with internal IPs. If you're using separate NICs for the 192.168.1 and 10.1.1 connections to the DMZ hosts, you're bypassing the firewall and inviting doom.
Hosts providing services on a DMZ should only have IPs in the DMZ address space, and have access controlled by the firewall rules. Strictly speaking, you're right that DMZ hosts should not be able to initiate connections to internal IPs, but it is common practice to find sites permitting NTP, syslog, and plenty of other holes punched through firewall to inside systems. There's always a risk assessment done.