I’ve done some reading on this, but wanted to run it by others to make sure I’m not missing something. We currently have a ScreenOS-based firewall that connects our private IP network to the Internet. We set up a lot of IPsec VPN tunnels to business partner networks (site-to-site VPNs) using route-based VPNs with proxy IDs and a single tunnel interface. The NATing is performed on the tunnel interface (MIPs) and provides the business partners with public IP addresses to reach our private IP hosts. Each firewall interface is in its own zone (trust and untrust) and we are using a trust VR and an untrust VR. We route outgoing traffic from the trust VR to the untrust VR and then into the tunnel interface, which uses NHTB to determine which IPsec tunnel to send the traffic into. Works great.
We would like to replace this with 2 SRX devices in a layered design. The internal firewall will connect to our internal private network and an external public IP DMZ. The external firewall will connect from the public IP DMZ to the Internet. The internal firewall will handle all NATing and the external will handle all VPN functions. Routing will be handled statically for now.
Priv IP network – internal fw – public IP DMZ – external fw – internet
We are still thinking that using a route-based VPN on the external firewall would be best and would like to use just one tunnel interface if possible. If so, are there any pros/cons to whether it is numbered or not? Can we accomplish this with just the default inet.0 VR instead of having to use 2 VRs?
Any thoughts would be appreciated.