SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route based VPN tunnel interface questions

    Posted 08-01-2014 09:26

    I’ve done some reading on this, but wanted to run it by others to make sure I’m not missing something. We currently have a ScreenOS based firewall that connects our private IP network to the Internet. We set up a lot of IPSEC VPN tunnels to business partner networks (site to site VPNs) using route based VPNs with proxy IDs and a single tunnel interface. The NATing is performed on the tunnel interface (MIPs) and provides the business partners with public IP addresses to reach our private IP hosts. Each firewall interface is in its own zone (trust and untrust) and we are using a trust VR and an untrust VR. We route outgoing traffic from the trust VR to the untrust VR and then into the tunnel interface, which uses NHTB to determine which IPSEC tunnel to send the traffic into. Works great.


    We would like to replace this with 2 SRX devices in a layered design. The internal firewall will connect to our internal private network and an external public IP DMZ. The external firewall will connect from the public IP DMZ to the Internet. The internal firewall will handle all NATing and the external will handle all VPN functions. Routing will be handled statically for now.


    Priv IP network – internal fw – public IP DMZ – external fw – internet


    We are still thinking that using a route based VPN on the external firewall would be best and would like to just use one tunnel interface if possible. If so, are there any pros/cons to whether it is numbered or not? Can we accomplish this with just the default inet.0 VR instead of having to use 2 VRs?


    Any thoughts would be appreciated.



  • 2.  RE: Route based VPN tunnel interface questions

    Posted 08-01-2014 09:48

    Route based VPNs should work fine.

    The local network for the external FW would be the public IP of the DMZ network.

    This can be achieved by using just the default VR. No need for any instances.


    Regards,

    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: Route based VPN tunnel interface questions

    Posted 08-05-2014 14:52

    Thanks for the response.  From what I've read, it would be a multipoint enabled VPN using proxy IDs and NHTB entries to push traffic into the appropriate tunnel.  Since we aren't doing OSPF, it seems an unnumbered tunnel interface would be ok, but there do seem to be some advantages to using a numbered interface.  I'll have to think about how Hide NAT will work as I want the IP address seen in the tunnel as our source IP to be the external interface IP of the internal firewall (public DMZ IP).



  • 4.  RE: Route based VPN tunnel interface questions
    Best Answer

    Posted 08-05-2014 18:09

    Hi,


    Yes, the unnumbered st0 should be fine.

    Hide NAT I believe should not be a problem, as the other device is doing the NAT, the one behind the VPN-terminating firewall.

    Regards,

    c_r


    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
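As an added worked example (not from any poster in this thread), a Junos set-style configuration for the external SRX described above: two partner tunnels bound to one multipoint st0 in the default inet.0, each selected by its proxy ID and a next-hop-tunnel (NHTB) entry. All addresses, names and keys are placeholders; a numbered st0 address is assumed so the static routes have a resolvable next hop, and security policies between zones are left out.

```junos
## Constructed example: external SRX, one multipoint st0 for all partners,
## tunnel selection by proxy ID + NHTB, static routes in inet.0 only.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn partner-a
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn partner-b

## Phase 1 / Phase 2 proposals shared by both partners (no weak defaults)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop

## Partner A: own PSK, proxy ID = our public DMJ range <-> their range
set security ike policy ike-pol-a proposals ike-prop
set security ike policy ike-pol-a pre-shared-key ascii-text "PLACEHOLDER-PSK-A"
set security ike gateway gw-a ike-policy ike-pol-a
set security ike gateway gw-a address 192.0.2.10
set security ike gateway gw-a external-interface ge-0/0/0.0
set security ipsec vpn partner-a bind-interface st0.0
set security ipsec vpn partner-a ike gateway gw-a
set security ipsec vpn partner-a ike proxy-identity local 203.0.113.0/24
set security ipsec vpn partner-a ike proxy-identity remote 198.51.100.0/25
set security ipsec vpn partner-a ike ipsec-policy ipsec-pol

## Partner B: same pattern, separate PSK, gateway and proxy ID
set security ike policy ike-pol-b proposals ike-prop
set security ike policy ike-pol-b pre-shared-key ascii-text "PLACEHOLDER-PSK-B"
set security ike gateway gw-b ike-policy ike-pol-b
set security ike gateway gw-b address 192.0.2.20
set security ike gateway gw-b external-interface ge-0/0/0.0
set security ipsec vpn partner-b bind-interface st0.0
set security ipsec vpn partner-b ike gateway gw-b
set security ipsec vpn partner-b ike proxy-identity local 203.0.113.0/24
set security ipsec vpn partner-b ike proxy-identity remote 198.51.100.128/25
set security ipsec vpn partner-b ike ipsec-policy ipsec-pol

## Static routes in inet.0: the next hop is the NHTB address, which picks the tunnel
set routing-options static route 198.51.100.0/25 next-hop 10.255.0.2
set routing-options static route 198.51.100.128/25 next-hop 10.255.0.3
set security zones security-zone vpn interfaces st0.0
```

Traffic from the public DMZ arriving for 198.51.100.0/25 resolves to 10.255.0.2, which the NHTB table maps to partner-a; the proxy ID on that VPN must match what the partner negotiates, otherwise Phase 2 fails even though routing is correct.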