SRX

Expand all | Collapse all

Add a second SRX240 to network

Jump to Best Answer
  • 1.  Add a second SRX240 to network

    Posted 03-15-2018 07:43
      |   view attached

    Hi everyone.

     

    I have a network with different subnets for the users that can't communicate with each other (this is a requirement from our clients), and a central subnet for the servers that everyone can reach (for domain authentication, file server, printers, and so on). So far, so good, everything is working as fine as should, now I have to expand the network and add a second Firewall SRX240 with other subnets including a new servers subnet, because my current Firewall has no ports available.

     

    In the topology attached I drawed only the main subnets as example, but all the ports on the Firewall FW01 are already in use, only the Ge-0/0/15 are available.

     

    - In the FW01 I added a new zone called "Link", setted the Ge-0/0/15.0 as member and setted the policies to permit traffic in both ways to the others zones-interfaces, then when I connected a notebook to this port with the NIC configurations in this subnet I can ping and access the others subnets.

    - In the FW02 there's already policies that permit traffic between Ge-0/0/0.0 and Ge-0/0/1.0 interfaces zones, but i can't ping from the 172.32.1.0/24 LAN to the the others in the FW01.


    What do I missing here? How can I accomplish this?

    (PS: Sorry by the grammar mistakes, English is not my natural language.)



  • 2.  RE: Add a second SRX240 to network
    Best Answer

     
    Posted 03-15-2018 11:36

    Did you configure static routes so both firewall are aware of subnets connected to each other?

    On FW1

    set routing-options static route 172.32.1/24 next-hop 172.18.3.210

    On FW2

    set routing-options static route 172.33.1/24 next-hop 172.18.3.220
    set routing-options static route 10.45.2/24 next-hop 172.18.3.220
    set routing-options static route 192.168.60/24 next-hop 172.18.3.220

    btw. are you aware of trunks and possibility to move traffic from multiple subnets using single physical interface?

     

    Regards, Wojtek



  • 3.  RE: Add a second SRX240 to network

    Posted 03-15-2018 14:38

    Hi Wojtek, thanks a lot for your help! I did the routes as you suggested and everything is working now here in my lab.

    This weekend we'll mount the servers on the rack and deploy this scenario in production.

     

    When you said "btw. are you aware of trunks and possibility to move traffic from multiple subnets using single physical interface?", did you mean that it's possible to set the two SRX uplink ports as ethernet-switching  and then I'll no longer need this routes? If so, how do I manage to pass the traffic between the subnets?



  • 4.  RE: Add a second SRX240 to network

     
    Posted 03-16-2018 01:56

    I'm glad I could help.

     

    I meant that the limit of physical ports can be avoided by using trunks between switch and firewall. Of course if traffic volume allow that.  You could keep running the network with only one firewall.

     

    Regards, Wojtek