SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  back to back SRX Firewall question

    Posted 03-20-2011 21:43

    Hello,

    I have a question on back-to-back firewalls. We have two SRX 3600s configured in a back-to-back fashion. Now the Internal SRX has about 10 zones and the internal SRX has about 2-3 zones. These zones do not refer to uplinks but to interfaces connecting to clients via switches.

    Now when the zones on the external SRX have to reach one of the zones on the internal SRX, do we need to define those same 10 zones as subinterfaces on the downlink interface on the External SRX towards the Internal SRX?

    Juniper SRX
          |
          |
          |
    Switch
          |
          |
          |
    Juniper SRX
          |
          |
    Connecting to 10 zones



  • 2.  RE: back to back SRX Firewall question

    Posted 03-20-2011 23:05

    The zones don't have to match between separate SRX clusters. They only need IP reachability.



  • 3.  RE: back to back SRX Firewall question

    Posted 03-22-2011 23:00

    Hello,

    Thanks for the reply. Sorry for the delay in getting back to you. To understand your statement better, I have attached a Visio diagram for your reference. The zones on the internal FW are not defined on the external firewall. The internal FW has subinterfaces for the different zones.

    Now if the external IP from the "Internet Zone" wants to access the "Server Zone", do we need to add the following policy on the external FW:

    Internet Zone to Trust Zone on the external firewall

    or

    Internet Zone to Server Zone on the external firewall

    and then on the internal FW:

    Internet Zone to Server Zone

    or

    Trust Zone to Server Zone

    Thanks



  • 4.  RE: back to back SRX Firewall question
    Best Answer

    Posted 03-23-2011 04:02

    If you have "Internet" and "Trust" zones on the external firewall, whereas "Internet" and "Server" zones on the internal firewall, then you need to create the following policies to allow Internet users to access your server zone:

    External Firewall: Internet -to- Trust

    Internal Firewall: Internet -to- Server

    After you create these policies you would get the desired result (unless routing allows).

    Note: the Internet zone on both firewalls contains the 192.168.20.200/30 base uplink interfaces.

    Regards

    [Accept it if it rocks]
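
    The two-policy design from the accepted answer, written out as Junos set commands for both SRXs. This is an added example, not configuration from the thread or from Juniper. The only value taken from the thread is the 192.168.20.200/30 firewall-to-firewall link (.201 on the external SRX, .202 on the internal SRX is an assumption); the interface names, the 203.0.113.0/30 ISP link, the 10.10.30.0/24 server subnet on VLAN 30, the hostnames, the policy and address-book names, and the choice of junos-https are all assumed for illustration. Lines beginning with `##` are annotations, not commands.

```junos
## Added example, not from the thread: both SRXs in set-command form.
## Assumed: ge-0/0/0 and ge-0/0/1 interface names, 203.0.113.0/30 ISP link,
## 10.10.30.0/24 server subnet on VLAN 30, hostnames ext-srx / int-srx.
## Only 192.168.20.200/30 comes from the thread (the firewall-to-firewall link).

## ----- External SRX (ext-srx): zones Internet and Trust -----
set system host-name ext-srx
set interfaces ge-0/0/0 unit 0 description "ISP uplink (assumed 203.0.113.0/30)"
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces ge-0/0/1 unit 0 description "Downlink to int-srx via switch, one untagged VLAN"
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.201/30
set security zones security-zone Internet interfaces ge-0/0/0.0
set security zones security-zone Trust interfaces ge-0/0/1.0
## One summary route for everything behind int-srx: the external SRX needs a
## next-hop for the internal address space, not a subinterface per internal zone.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 10.10.0.0/16 next-hop 192.168.20.202
## Zone-attached address book (works on old and new Junos; do not mix with global books).
set security zones security-zone Trust address-book address web-srv 10.10.30.10/32
set security policies from-zone Internet to-zone Trust policy inet-to-web match source-address any
set security policies from-zone Internet to-zone Trust policy inet-to-web match destination-address web-srv
set security policies from-zone Internet to-zone Trust policy inet-to-web match application junos-https
set security policies from-zone Internet to-zone Trust policy inet-to-web then permit
set security policies from-zone Internet to-zone Trust policy inet-to-web then log session-init

## ----- Internal SRX (int-srx): zones Internet and Server (the other zones omitted) -----
set system host-name int-srx
set interfaces ge-0/0/0 unit 0 description "Uplink to ext-srx via switch"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.202/30
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 30 description "Server zone subinterface (assumed VLAN 30)"
set interfaces ge-0/0/1 unit 30 vlan-id 30
set interfaces ge-0/0/1 unit 30 family inet address 10.10.30.1/24
set security zones security-zone Internet interfaces ge-0/0/0.0
set security zones security-zone Server interfaces ge-0/0/1.30
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.201
set security zones security-zone Server address-book address web-srv 10.10.30.10/32
set security policies from-zone Internet to-zone Server policy inet-to-web match source-address any
set security policies from-zone Internet to-zone Server policy inet-to-web match destination-address web-srv
set security policies from-zone Internet to-zone Server policy inet-to-web match application junos-https
set security policies from-zone Internet to-zone Server policy inet-to-web then permit
set security policies from-zone Internet to-zone Server policy inet-to-web then log session-init
```

    Two things a practitioner would check. First, routing: the answer's "unless routing allows" is the usual failure point, so confirm `show route 10.10.30.10` on ext-srx points at 192.168.20.202 and that int-srx has the default route back before blaming the policies; with both in place, `show security flow session destination-prefix 10.10.30.10` on each box shows the session, and the SRX being stateful, no reverse Trust-to-Internet or Server-to-Internet policy is needed for the replies. Second, keep the outer policy as narrow as the inner one: because the external SRX's Trust zone covers every zone behind it, an "Internet to Trust, any/any permit" on ext-srx turns it into a pass-through and leaves all enforcement to int-srx. Matching the same destination and application on both firewalls, as above, keeps the back-to-back pair actually providing two layers. If the servers use private addressing, destination NAT on ext-srx is also required; that is outside what the thread covers and is not shown here.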



  • 5.  RE: back to back SRX Firewall question

    Posted 03-23-2011 16:01

    Thank you very much. It's going to take some time before I start the deployment, but I am going to rate it as a solution.

     

    Thanks