I have a network with different subnets for the users that can't communicate with each other (this is a requirement from our clients), and a central subnet for the servers that everyone can reach (for domain authentication, file server, printers, and so on). So far, so good, everything is working as fine as should, now I have to expand the network and add a second Firewall SRX240 with other subnets including a new servers subnet, because my current Firewall has no ports available.
In the topology attached I drawed only the main subnets as example, but all the ports on the Firewall FW01 are already in use, only the Ge-0/0/15 are available.
- In the FW01 I added a new zone called "Link", setted the Ge-0/0/15.0 as member and setted the policies to permit traffic in both ways to the others zones-interfaces, then when I connected a notebook to this port with the NIC configurations in this subnet I can ping and access the others subnets.
- In the FW02 there's already policies that permit traffic between Ge-0/0/0.0 and Ge-0/0/1.0 interfaces zones, but i can't ping from the 22.214.171.124/24 LAN to the the others in the FW01.
What do I missing here? How can I accomplish this?
(PS: Sorry by the grammar mistakes, English is not my natural language.)
Did you configure static routes so both firewall are aware of subnets connected to each other?
set routing-options static route 172.32.1/24 next-hop 172.18.3.210
set routing-options static route 172.33.1/24 next-hop 172.18.3.220
set routing-options static route 10.45.2/24 next-hop 172.18.3.220
set routing-options static route 192.168.60/24 next-hop 172.18.3.220
btw. are you aware of trunks and possibility to move traffic from multiple subnets using single physical interface?
Hi Wojtek, thanks a lot for your help! I did the routes as you suggested and everything is working now here in my lab.
This weekend we'll mount the servers on the rack and deploy this scenario in production.
When you said "btw. are you aware of trunks and possibility to move traffic from multiple subnets using single physical interface?", did you mean that it's possible to set the two SRX uplink ports as ethernet-switching and then I'll no longer need this routes? If so, how do I manage to pass the traffic between the subnets?
I'm glad I could help.
I meant that the limit of physical ports can be avoided by using trunks between switch and firewall. Of course if traffic volume allow that. You could keep running the network with only one firewall.