Solved

How to connect two firewalls?

Posted on 2010-11-15
7 Comments, 1,577 Views
Last Modified: 2012-05-10
We need to build a link from our firewall (Subnet A) to the firewall of a partner company (Subnet B).
Because the physical distance is short (just about one metre), we are going to link
them via a switch or directly with an Ethernet cable.

Requirements:
- Some users from the partner company will stay at our company and need to access the DC or file servers/printers at Subnet B (partner company)
- Some users from Subnet A need to access printers or file servers at Subnet B
- Other unnecessary ports/services must be blocked due to security concerns.

Environment:
Both firewalls are Juniper SSG5.
Firewall zone design: (attached image: Firewall Zone design)
Is there anything I should take care of in the attached design?
Thank you.

0
Question by:dickchan
7 Comments
 
LVL 11

Expert Comment

by:diprajbasu
1. Best you go for a site-to-site IPsec VPN.
2. You need to have a static (public) IP on both firewalls.
3. If you have static IPs on both sites, then you should go for site-to-site VPN in ACTIVE-ACTIVE mode; in active-active mode both sites will dial.
4. If one site has a dynamic IP and the other a static IP, then you should go for ACTIVE-PASSIVE mode. Then the dynamic-IP site will be in active mode and will dial the other one.
5. For accessing a server from outside, go for static NAT (you should have a static IP). Your server's local IP will be given to the NIC, but anyone who wants to access it from outside will type the static IP of that site in his browser and will be able to access the server.
6. Printing from a different subnet will not be an issue. Take access to that particular server, add the printer from the Add Printer wizard, and if you have a network printer it will be easier to access it through the VPN.

Please revert if any point is missed out or any clarification is required.
0
 
LVL 68

Accepted Solution

by: Qlemo (earned 500 total points)
No need for any VPN or public IPs here, as long as the switch is dedicated to A <-> B traffic. That would just be overkill.

I would use another zone, not Untrust, for the intersite traffic (I will call it "Intersite" from now on).
Define a deny-all policy for Trust to Intersite (optional, but good for debugging if you switch on session logging).
Then define policies for the exceptions; if necessary, define the related policy objects such as addresses and services.
Create a route on each SSG for the other network using the 10.10.21.0/24 interface.

That should be all. No NAT will be applied that way.
0
 

Author Comment

by:dickchan
Dear Qlemo,
What is the difference between using the Untrust zone and a trusted zone with a deny-all policy?

Could the SSG5 add a new zone without affecting existing settings? As far as I know, adding a new zone on a
NetScreen firewall (old models such as the n50) requires resetting all settings.
0
 

Author Comment

by:dickchan
Could we use a crossover LAN cable to connect the two firewalls directly, without a switch?
0
 
LVL 68

Expert Comment

by:Qlemo
Yes, you can use a crossover cable to connect the SSGs.

There is fixed handling of traffic passing Trust to Untrust or Untrust to Trust regarding NAT. Every other zone transition needs to have NAT defined in the related policy for NAT to work. The other side of that is that you can't suppress NAT for Trust <-> Untrust, and that is the important part here.

Untrust is exactly that: not trusted, and traffic is first of all "suspicious, with exceptions".

Adding new zones (if you can do that; the number of zones you can use depends on the model and firmware release, and the SSG5 has 10 zones available, AFAIK) does not require you to reset anything.
0
 

Author Comment

by:dickchan
I will use the crossover cable method,
and add a new trusted zone with a deny-all policy.
10.10.20.0/24 <-> 192.168.0.1/24, default gateway 192.168.0.2/24
 <- crossover cable -> 192.168.0.2/24, default gateway 192.168.0.1/24 <-> 10.10.22.0/24

Is that OK?



0
 
LVL 68

Expert Comment

by:Qlemo
You should not define a default gateway. Instead, create a specific route to the other site, as I described above.
0
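The procedure Qlemo describes (a dedicated "Intersite" zone, a specific route instead of a default gateway, permit policies for the listed exceptions only, and a logged deny-all) written out as ScreenOS CLI for both SSG5s. This is an added example, not configuration posted in the thread. It uses the subnets and link addresses dickchan gave (10.10.20.0/24 and 10.10.22.0/24 joined over 192.168.0.1/192.168.0.2). The interface name ethernet0/2 (freed from the SSG5's bgroup0 Trust bridge group), the server and printer host addresses, the object names, and the use of the predefined "SMB" and "LPR" services plus a custom TCP/9100 service are assumptions; the partner's DC will need further services that depend on their setup and are not shown here.

```screenos
unset interface bgroup0 port ethernet0/2
set zone name "Intersite"
set interface ethernet0/2 zone "Intersite"
set interface ethernet0/2 ip 192.168.0.1/24
set interface ethernet0/2 route

set route 10.10.22.0/24 interface ethernet0/2 gateway 192.168.0.2

set address "Intersite" "partner-fileserver" 10.10.22.10 255.255.255.255
set address "Intersite" "partner-printer" 10.10.22.20 255.255.255.255
set service "RAW-PRINT" protocol tcp src-port 0-65535 dst-port 9100-9100
set group service "partner-print"
set group service "partner-print" add "LPR"
set group service "partner-print" add "RAW-PRINT"

set policy id 10 from "Trust" to "Intersite" "Any" "partner-fileserver" "SMB" permit log
set policy id 11 from "Trust" to "Intersite" "Any" "partner-printer" "partner-print" permit log
set policy id 19 from "Trust" to "Intersite" "Any" "Any" "ANY" deny log
set policy id 29 from "Intersite" to "Trust" "Any" "Any" "ANY" deny log
save

unset interface bgroup0 port ethernet0/2
set zone name "Intersite"
set interface ethernet0/2 zone "Intersite"
set interface ethernet0/2 ip 192.168.0.2/24
set interface ethernet0/2 route

set route 10.10.20.0/24 interface ethernet0/2 gateway 192.168.0.1

set address "Intersite" "siteA-lan" 10.10.20.0 255.255.255.0
set address "Trust" "fileserver" 10.10.22.10 255.255.255.255
set address "Trust" "printer" 10.10.22.20 255.255.255.255
set service "RAW-PRINT" protocol tcp src-port 0-65535 dst-port 9100-9100
set group service "partner-print"
set group service "partner-print" add "LPR"
set group service "partner-print" add "RAW-PRINT"

set policy id 10 from "Intersite" to "Trust" "siteA-lan" "fileserver" "SMB" permit log
set policy id 11 from "Intersite" to "Trust" "siteA-lan" "printer" "partner-print" permit log
set policy id 19 from "Intersite" to "Trust" "Any" "Any" "ANY" deny log
set policy id 29 from "Trust" to "Intersite" "Any" "Any" "ANY" deny log
save
```

The first block is side A (the questioner's firewall), the second is side B (the partner's); both have to permit the same sessions, A on the way out of Trust and B on the way into Trust, or the connection fails at whichever box lacks the policy. ScreenOS matches policies top-down in creation order within a zone pair, so the deny policies are entered last; a permit added later with `set policy id 12 ...` lands below the deny and must be raised with `set policy move 12 before 19`. The interface is put in route mode explicitly so no NAT is applied, which is why the return route on each side can point at the other box's link address rather than a translated one, and the `log` keyword on every policy gives the session logging Qlemo mentions for debugging.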
