How to connect two firewalls in one location?

I have two networks in one physical location.  

Network 1:
Juniper SSG140 /w Public Interface IP
192.168.110.x

Network 2:
SonicWall TZ300 /w Public Interface IP
192.168.113.x

The two firewalls are on the same rack.  how do I connect them so both networks can see one another?  Can I run an ethernet cable between the routers?  Thanks.
Infotech2008 Asked:

Wayne88 Commented:
You can, but then you will have to configure the ports, NAT, router, etc. for each router to allow communications between the two.  I have used a few Sonicwall models but not Juniper, so I cannot be specific on what's required.  However, the router must allow your internal network from the Sonicwall to communicate through another port (consider it another VLAN) where it's also connected to your Juniper, and vice-versa.  It's complicated.  Is there a reason for the specific setup?  Maybe I can suggest another configuration.
Infotech2008 (Author) Commented:
sure, what do you suggest?
Fred Marshall (Principal) Commented:
It's a bit complicated but likely reasonable.
On the Juniper Networks box you would likely set up a separate port for the "other" subnet.
And, you would set up communication rules between this new subnet and the existing one.
Then on the Sonicwall, something similar.

If you don't need stateful packet inspection between the subnets then you might simply plug in a simple router between the physical subnets to route traffic.  Then, this router will become the gateway to the opposite subnet.  You would then only need to add a route on each firewall that bounces packets destined for the opposite subnet to the local router port.

***Router (in Router mode, or No NAT mode):
192.168.110.xxx/24 on one side.
192.168.113.yyy/24 on the other side.
Now any packet coming into 192.168.110.xxx that is destined for 192.168.113.0/24 will be routed to the other router port and the 192.168.113.0/24 subnet.
Now any packet coming into 192.168.113.xxx that is destined for 192.168.110.0/24 will be routed to the other router port and the 192.168.113.0/24 subnet.
No added routes are generally necessary to do this as the router port addresses take care of that.

***Juniper SSG140
Added route:
Route packets to 192.168.113.0/24 to 192.168.110.xxx (the local port on the added router).
the CLI would have this added:

routing-options {
    static {
        route 192.168.113.0/24 next-hop 192.168.110.xxx;
    }
}

***Sonicwall TZ300
Added route:
Route packets to 192.168.110.0/24 to 192.168.113.yyy (the local port on the added router).

Infotech2008 (Author) Commented:
So sorry for the late response.  I have site-to-site VPN tunneling configured that is allowing one network to communicate with the other.  I configured it around the time I posted the question.  I know it's not the right configuration; it's a workaround until I figure out the configuration you are proposing.  Ok, getting back to your solution.  So on the Juniper router, you want me to configure the next available interface, for example 0/3, for network 192.168.110.x (other network) address.  Is that correct?  How do I physically connect the two firewalls with an Ethernet cable?  Thanks.
Fred Marshall (Principal) Commented:
Yes, you would assign one of the available ports on the Juniper SSG140 to the other subnet: with 192.168.113.yyy.

Then you would add routes to the Juniper like this:

Packets arriving at 192.168.113.yyy and destined for 192.168.110.0/24 would be routed to 192.168.110.xxx on the Juniper.
Packets arriving at 192.168.110.xxx and destined for 192.168.113.0/24 would be routed to 192.168.113.yyy on the Juniper.

The Sonicwall would still need a route:
Packets arriving at 192.168.113.1 (?) on the Sonicwall and destined for 192.168.110.0/24 would be routed to 192.168.113.yyy on the Juniper.
[Alternately you could put a route in every computer on 192.168.113.0 with destination 192.168.110.0/24 with 192.168.113.yyy as the next hop but this is way too messy to manage.  But, you could do this for testing the Juniper with just one computer on 192.168.113.0/24 before you add this Sonicwall route].

There would be a cable from the newly-configured Juniper port to the 192.168.113.0/24 subnet either directly to an available port on the Sonicwall or to a LAN switch on that same subnet.

It would work like this:

Packets originating on 192.168.113.0/24 to any other subnet, including 192.168.110.0/24 will go to the Sonicwall gateway.
Packets arriving at the Sonicwall and destined for 192.168.110.0/24 will be directed to 192.168.113.yyy which is a Juniper port.
The Juniper will route those packets to 192.168.110.xxx on the Juniper.
The packets will be launched onto "the wire" on 192.168.110.0/24 and to their destination.

Packets originating on 192.168.110.0/24 to any other subnet, including 192.168.113.0/24 will go to the Juniper gateway.
Packets arriving at the Juniper and destined for 192.168.113.0/24 will be directed to 192.168.113.yyy which is a Juniper port.
The packets will be launched onto "the wire" on 192.168.110.0/24 and to their destination.

NOTE: The latter path does not include a hop through the Sonicwall at all.  That's fine.  But you should be aware of something that could happen and need to be addressed:
If a packet originates on 192.168.110.0/24 that is destined for a device on 192.168.113.0/24 then it just goes through the Juniper as above in the second case above.
Then, any return packets (and there will be return packets!) will first go to the Sonicwall as in the first case above.
If the Sonicwall has some kind of LAN-LAN packet inspection, it may not recognize the return packets because, for example, since it wasn't involved, it has no state context for the conversation.  The return packets may be blocked or dropped and communication will fail.
So, this type of situation may have to be addressed.  
It's worth trying first without worrying about it.
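The two routing designs above (an added router between the subnets, or a second Juniper port on 192.168.113.0/24) and the NOTE about return packets can be checked with a small hop-by-hop simulator. The following is an added example, not code from the thread or from either vendor; it models the second design, uses constructed addresses in place of the thread's "xxx"/"yyy" placeholders (192.168.110.1 and 192.168.113.2 for the Juniper ports, 192.168.113.1 for the SonicWall LAN port, .50 for one host on each side), and treats each firewall as a simple stateful device that only passes a reply if it saw the matching request. It shows the longest-prefix static-route lookup and reproduces the asymmetric-path failure: traffic initiated from the 110 side never crosses the SonicWall on the way out, so the SonicWall drops the reply.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology for the example (not the poster's real addresses).
NET_110 = ipaddress.ip_network("192.168.110.0/24")
NET_113 = ipaddress.ip_network("192.168.113.0/24")
JUNIPER_110 = "192.168.110.1"    # Juniper's existing LAN port (the thread's 192.168.110.xxx)
JUNIPER_113 = "192.168.113.2"    # Juniper's newly assigned port (the thread's 192.168.113.yyy)
SONICWALL_113 = "192.168.113.1"  # SonicWall LAN port, default gateway of 192.168.113.0/24
HOST_110 = "192.168.110.50"      # hypothetical host on the Juniper side
HOST_113 = "192.168.113.50"      # hypothetical host on the SonicWall side


@dataclass
class Host:
    ip: str
    gateway: str


@dataclass
class Firewall:
    name: str
    interfaces: dict                 # interface IP -> directly connected network
    routes: list                     # (destination network, next-hop IP)
    stateful: bool = True
    sessions: set = field(default_factory=set)   # (client, server) pairs seen as "new"

    def forward(self, src, dst, kind):
        """Return (next_hop_ip, reason); next_hop_ip is None when the packet is dropped."""
        if self.stateful:
            if kind == "new":
                self.sessions.add((src, dst))
            elif (dst, src) not in self.sessions:
                return None, f"{self.name}: reply with no matching session, dropped"
        d = ipaddress.ip_address(dst)
        for net in self.interfaces.values():          # connected networks win first
            if d in net:
                return dst, f"{self.name}: {dst} is on a connected network, delivered directly"
        best = None                                    # longest-prefix match over static routes
        for net, nh in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None, f"{self.name}: no route to {dst}, dropped"
        return best[1], f"{self.name}: static route {best[0]} via {best[1]}"


def build_topology(sonicwall_stateful=True):
    """Devices keyed by every IP they answer on (hosts and firewall interfaces)."""
    juniper = Firewall("Juniper", {JUNIPER_110: NET_110, JUNIPER_113: NET_113}, [])
    sonicwall = Firewall("SonicWall", {SONICWALL_113: NET_113},
                         [(NET_110, JUNIPER_113)], stateful=sonicwall_stateful)
    return {JUNIPER_110: juniper, JUNIPER_113: juniper, SONICWALL_113: sonicwall,
            HOST_110: Host(HOST_110, JUNIPER_110), HOST_113: Host(HOST_113, SONICWALL_113)}


def trace(devices, src, dst, kind):
    """Walk one packet hop by hop; returns (delivered, list of hop descriptions)."""
    hops = []
    cur = devices[src].gateway           # hosts hand off-subnet traffic to their gateway
    for _ in range(10):                  # guard against routing loops
        dev = devices[cur]
        if isinstance(dev, Host):
            return dev.ip == dst, hops
        nxt, why = dev.forward(src, dst, kind)
        hops.append(why)
        if nxt is None:
            return False, hops
        cur = nxt
    return False, hops + ["hop limit exceeded"]


def exchange(devices, client, server):
    """Send one request and its reply; report which direction (if any) failed."""
    ok_req, req_path = trace(devices, client, server, "new")
    ok_rep, rep_path = trace(devices, server, client, "reply")
    return {"request": ok_req, "reply": ok_rep,
            "request_path": req_path, "reply_path": rep_path}


if __name__ == "__main__":
    for client, server in ((HOST_113, HOST_110), (HOST_110, HOST_113)):
        result = exchange(build_topology(), client, server)
        print(f"{client} -> {server}: request ok={result['request']}, reply ok={result['reply']}")
        for line in result["request_path"] + result["reply_path"]:
            print("   ", line)
```

Running it shows the 113-to-110 conversation succeeding (the SonicWall sees the request, the Juniper sees both directions) while the 110-to-113 conversation loses its reply at the SonicWall, which is exactly the situation the NOTE describes; passing `sonicwall_stateful=False` to `build_topology` models a SonicWall that does not inspect that LAN-to-LAN path and lets the reply through.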
Infotech2008 (Author) Commented:
Hey guys,

I am closing out this question.  Thank you for the helpful comments.  Unfortunately, I never got the opportunity to revisit the configuration.

Fred Marshall (Principal) Commented:
The fact that the questioner didn't have time to revisit doesn't negate the value of the answers nor the effort put into creating them.  Closing with no points is déclassé.
Infotech2008 (Author) Commented:
I never got the opportunity to revisit the configuration.