
  • 1.  Running Netscreen and SRX together

    Posted 12-10-2013 13:25

    I am a new network engineer, and very new to Juniper and firewalls. My company is a small service provider for satellite data transmissions. Basically we provide phone/data service to remote users and have a gateway to the internet. Here is the challenge: We are dividing our network such that managing commercial customers and government-related customers will have increasing separation. We have 2 different customer management systems, and each needs to be able to create limited firewall rules for each customer. Currently we have only Netscreen204s in service, and some of our customers have a VPN to those firewalls so that after rules are applied, then that customer's traffic goes to that VPN destination. What we want to do is add 2 HA SRX240s that would only handle traffic for certain IP ranges, but still be able to have VPN to them. Basically, we would split traffic, with certain IP addresses going to one FW, certain IP addresses going to the other. Both firewalls are currently in the same VLAN, but only the Netscreens are in production.

     

    Is there any simple way to handle this with policy or simple routing? I'm not real sure.


    #firewall
    #netscreen
    #SRX
    #serviceprovider


  • 2.  RE: Running Netscreen and SRX together

    Posted 12-10-2013 15:54

    Hello,

     

    I would use two reth interfaces per zone, so you will have an active - active, and you will be able to select in multiple ways how you would like to handle the traffic.

     

    I was not quite sure how you have configured your network now, but as far as I can see you should be able to do what you want.

     

    Regards,

     

    Luis Sandi



  • 3.  RE: Running Netscreen and SRX together

    Posted 12-11-2013 07:29

    Hi Luis,

     

    I think that my real question is the second part of what you are saying--how to handle the traffic. I have Reth interfaces in two different VLANs, because the way that the traffic flows (from attachment) is in from the top SRX VPN devices "bganap", then into the cfw devices, where some of the traffic is inspected (special cases), then to the bottom FWs (which are the new SRX devices in question).

     

    SRX & Netscreens all are in the same VLANs.

     

    Then from there out to the internet. So those FWs at the bottom are going to need to be running with Netscreens (not shown), and since I inherited this network, but have to upgrade to separate the traffic, handling the traffic is what I don't have clear in my mind.

     

    How would I keep the Netscreens inspecting only one group of IPs and the SRXs another without interfering with each other? I guess I'm looking for some possible config options.

     

    As far as zones, we have two: land and satellite. The satellite side is our customer base, land takes them out to the internet.

    Attachment: RETHs NYC POP.pdf (73 KB)


  • 4.  RE: Running Netscreen and SRX together
    Best Answer

    Posted 12-12-2013 03:09

    Hi,

     

    From what I understand, your problem can be solved using FBF (Filter Based Forwarding) or, in Cisco terms, PBR (Policy Based Routing).

     

     

    thanks
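As an added illustration of the FBF approach suggested above (example configuration, not from any poster or from Juniper), this is how the upstream Junos device that feeds the shared VLAN could steer traffic by source prefix to either the SRX240 pair or the Netscreens. The prefixes, next-hop addresses, interface name and instance names are assumed placeholders; the filter is applied inbound on the satellite-facing reth interface, and the rib-group copies interface routes into each forwarding instance so the next hops resolve.

```junos
/* Added example: split customer source ranges between two firewall next hops using FBF */
interfaces {
    reth1 {
        unit 0 {
            family inet {
                filter {
                    input SPLIT-BY-SOURCE;       /* applied on the satellite-zone ingress */
                }
                address 203.0.113.1/24;          /* assumed shared-VLAN address */
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet FBF-RIB;                  /* share interface routes with the FBF instances */
    }
    rib-groups {
        FBF-RIB {
            import-rib [ inet.0 TO-SRX.inet.0 TO-NETSCREEN.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter SPLIT-BY-SOURCE {
            term government-to-srx {
                from { source-address { 192.0.2.0/24; } }       /* assumed range */
                then { routing-instance TO-SRX; }
            }
            term commercial-to-netscreen {
                from { source-address { 198.51.100.0/24; } }    /* assumed range */
                then { routing-instance TO-NETSCREEN; }
            }
            term everything-else {
                then accept;                     /* unmatched traffic follows inet.0 as before */
            }
        }
    }
}
routing-instances {
    TO-SRX {
        instance-type forwarding;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.2; } }   /* assumed SRX240 reth VIP */
    }
    TO-NETSCREEN {
        instance-type forwarding;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.3; } }   /* assumed Netscreen address */
    }
}
```

After committing, `show route table TO-SRX.inet.0` should list both the static default and the copied interface route; if only the default appears, the rib-group is not applied and the next hop will not resolve.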