
How to connect two firewalls?

We need to build a link from our firewall (Subnet A) to the firewall of a partner company (Subnet B).
Because the physical distance is short (just about one meter), we are going to link
them via a switch or directly with an Ethernet cable.

- Some users from the partner company will stay at our company and need to access the DC or file servers/printers at Subnet B (partner company)
- Some users from Subnet A need to access printers or file servers at Subnet B
- Other unnecessary ports/services must be blocked due to security concerns.

Both firewalls are Juniper SSG5.
Firewall zone design:
[Attached image: Firewall Zone design]
Is there anything I should take care of in the attached design?
Thank you.

1 Solution
1. Best you go for a site-to-site IPsec VPN.
2. You need to have a static IP (public IP) on both firewalls.
3. If you have a static IP on both sites then you should go for site-to-site VPN in ACTIVE-ACTIVE mode; in active-active mode both sites will dial.
4. If you have one site with a dynamic IP and the other site with a static IP then you should go for ACTIVE-PASSIVE mode; then the dynamic IP site will be in active mode and that will dial the other one.
5. For accessing a server from outside, go for static NAT (you should have a static IP). Your server's local IP will be given to the NIC, but anyone who wants to access the same from outside will type the static IP of that site in his browser and will be able to access the server.
6. Printing from a different subnet will not be an issue. Take access of that particular server and add the printer from the Add Printer wizard; and if you have a network printer then it will be easier to access the same through VPN.

Please revert if any point is missed out or any clarification is required.
Qlemo (Batchelor and Developer) commented:
No need for any VPN or public IPs here, as long as the switch is dedicated to A <-> B traffic. That would just be overkill.

I would use another zone, not Untrust, for the intersite traffic (I will call it "Intersite" from now on).
Define a deny-all policy for Trust to Intersite (optional, but good for debugging if you switch on session logging).
Then define policies for the exceptions; if necessary, define the related policy objects such as addresses and services.
Create a route on each SSG for the other network via the interface.

That should be all. No NAT will be applied that way.
dickchan (Author) commented:
Dear Qlemo,
What is the difference between using the Untrust zone and a trusted zone with a deny-all policy?

Could the SSG5 add a new zone without affecting existing settings? As far as I know, adding a new zone on a
Netscreen firewall (old models such as the n50) requires resetting all settings.
dickchan (Author) commented:
Could we use a crossover LAN cable to connect the two firewalls directly, without a switch?
Qlemo (Batchelor and Developer) commented:
Yes, you can use a crossover cable to connect the SSGs.

There is a fixed handling of NAT for traffic passing from Trust to Untrust or from Untrust to Trust. Every other zone transition needs NAT defined in the related policy for NAT to work. The other side of that is that you can't suppress NAT for Trust <-> Untrust, and that is the important part here.

Untrust is exactly that: not trusted, and its traffic is first of all "suspicious, with exceptions".

Adding new zones (if you can do that: the number of zones you can use depends on the model and firmware release; the SSG5 has 10 zones available, AFAIK) does not require you to reset anything.
dickchan (Author) commented:
I will use the crossover cable method.
And add a new trusted zone with a deny all policy. <->, default gateway
 <-cross-over cable ->, default gateway <->

Is that OK?

Qlemo (Batchelor and Developer) commented:
You should not define a default gateway. Instead, create a specific route to the other site, as I described above.
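As an added illustration of the design Qlemo lays out in this thread (a dedicated Intersite zone on a route-mode interface, logged deny-all policies with a few permitted exceptions, and a specific route to the other site instead of a default gateway), here is what the ScreenOS CLI configuration on the Subnet A SSG5 could look like. This is not configuration from the thread, from the poster or from Juniper: the interface name ethernet0/3, the subnets 10.1.0.0/16 and 10.2.0.0/16, the 192.168.255.0/30 link network and the file server and printer addresses are all assumed placeholders, and the lines starting with `#` are annotation for the reader, which the ScreenOS CLI itself does not accept. The partner's SSG5 would get the mirror image (Subnet A as the remote network, a deny-all policy toward it, and only the exceptions it agrees to).

```screenos
# --- Intersite zone and link interface ---------------------------------
# A dedicated zone, so the Trust <-> Untrust interface-NAT behaviour
# never applies to partner traffic.
set zone name Intersite
set interface ethernet0/3 zone Intersite
set interface ethernet0/3 ip 192.168.255.1/30
# Route mode: no source NAT on traffic leaving this interface.
set interface ethernet0/3 route

# --- Address objects (assumed placeholders) ---------------------------
set address Trust "SubnetA" 10.1.0.0 255.255.0.0
set address Intersite "SubnetB" 10.2.0.0 255.255.0.0
set address Intersite "B-FileServer" 10.2.0.10 255.255.255.255
set address Intersite "B-Printer" 10.2.0.20 255.255.255.255

# --- Custom service: raw TCP printing (port 9100) ----------------------
# "SMB" and "LPR" are predefined ScreenOS services; 9100 is not.
set service "Print-9100" protocol tcp src-port 0-65535 dst-port 9100-9100

# --- Policies, Trust -> Intersite --------------------------------------
# ScreenOS evaluates policies top-down and appends new ones at the
# bottom, so create the exceptions first and the deny-all last.
set policy id 10 from Trust to Intersite "SubnetA" "B-FileServer" "SMB" permit log
set policy id 11 from Trust to Intersite "SubnetA" "B-Printer" "LPR" permit log
set policy id 11
set service "Print-9100"
exit
# Catch-all deny with logging: every blocked flow shows up in the
# session log, which is what makes the design debuggable.
set policy id 30 from Trust to Intersite "SubnetA" "Any" "ANY" deny log

# --- Policies, Intersite -> Trust --------------------------------------
# Nothing from Subnet B needs to initiate connections into Subnet A;
# return traffic for the permits above is handled by the stateful
# session table, so an explicit logged deny-all is all that is needed.
set policy id 40 from Intersite to Trust "Any" "Any" "ANY" deny log

# --- Routing -----------------------------------------------------------
# A specific route for the partner network only; the existing default
# route toward Untrust is left untouched.
set route 10.2.0.0/16 interface ethernet0/3 gateway 192.168.255.2

save
```

The two things worth double-checking after applying something like this are the policy order (`get policy from Trust to Intersite` should list the permits above the deny) and that the link interface really is in route mode (`get interface ethernet0/3`), since an interface left in NAT mode would silently translate the source addresses even though the zone is not Untrust.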