[j-nsp] Juniper firewall that does HA, "contexts" and VPN?

Stefan Fouant sfouant at shortestpathfirst.net
Thu Aug 5 08:18:24 EDT 2010


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Martin Barry
> Sent: Thursday, August 05, 2010 12:51 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Juniper firewall that does HA, "contexts" and VPN?
> 
> So, we're a Cisco shop but we need a firewall that can handle both
> "contexts" and VPNs (which it appears ASAs can't) and be run HA.
> 
> Basically:
> 
> - redundant pair running HA
> - IPSEC and PPTP VPN termination on a single external VLAN
> - separate ACLs and routing for each customer which dumps them into
>   their own VLAN
> - must handle overlapping RFC1918 subnets at remote IPSEC endpoints
> 
> Anyone have any recommendations?

Most of the traditional ScreenOS products or the newer SRX line should be
able to meet most of your needs as they can do both stateful firewalling,
VPN functions, and most support high availability (all SRX products do,
whereas only some of the ScreenOS platforms do).

You'll have problems with PPTP however because as far as I can remember
there is no PPTP tunneling support on either of these platforms, however
there is L2TP support if that's a viable alternative.

On the older ScreenOS platforms you should have no problem dropping various
IPsec tunnels into a customer VSYS, and you can also do PBR functions to
route traffic into the appropriate VLAN based on layer 3 and layer 4
characteristics.

On the newer SRX line, you can dump different customer traffic into their
own VLAN in several ways - if it's IPsec encrypted traffic, you can either
bind the tunnel to the customers' respective zone, or you can do Firewall
Based Filtering (FBF) on the traffic after it's been decrypted (I suppose
you could probably do FBF on encrypted traffic if you had a unique tunnel
endpoint for each customer and you matched on that unique endpoint but I'm
not sure)...  You'll have no problem supporting RFC1918 subnets at the
remote IPsec endpoints.  For the naysayers who say that there isn't the
equivalent of a VSYS capability in the SRX, you can get similar
functionality out of VRFs... although this is not a "supported"
configuration at this time, I've done it for several customers and it works.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
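As an added illustration (not part of Stefan's reply or of any Juniper documentation), here is one way to express the per-customer "VRF" approach he describes on an SRX: a virtual-router routing instance per customer holds that customer's route-based IPsec tunnel interface (st0 unit) and VLAN sub-interface, so two remote sites that both use the same RFC1918 subnet stay in separate route tables. Names, addresses and VLAN ids are constructed placeholders, and the IKE gateways, the IPsec proposal/policy and the zone-to-zone security policies are assumed to be defined elsewhere in the configuration.

```junos
/* Added example, not from the list post. Names and addresses are
   constructed; IKE gateways gw-cust-a/gw-cust-b and ipsec-policy
   ipsec-pol are assumed to exist. */
interfaces {
    ge-0/0/1 {
        vlan-tagging;
        /* one tagged sub-interface per customer VLAN on the inside */
        unit 101 { vlan-id 101; family inet { address 172.16.101.1/24; } }
        unit 102 { vlan-id 102; family inet { address 172.16.102.1/24; } }
    }
    st0 {
        /* one tunnel unit per customer; all VPNs share the same
           external interface and address */
        unit 1 { family inet; }
        unit 2 { family inet; }
    }
}
security {
    zones {
        /* each customer's tunnel and VLAN land in that customer's zone */
        security-zone cust-a { interfaces { st0.1; ge-0/0/1.101; } }
        security-zone cust-b { interfaces { st0.2; ge-0/0/1.102; } }
    }
    ipsec {
        vpn vpn-cust-a {
            bind-interface st0.1;
            ike { gateway gw-cust-a; ipsec-policy ipsec-pol; }
        }
        vpn vpn-cust-b {
            bind-interface st0.2;
            ike { gateway gw-cust-b; ipsec-policy ipsec-pol; }
        }
    }
}
routing-instances {
    cust-a {
        instance-type virtual-router;
        interface st0.1;
        interface ge-0/0/1.101;
        /* both remote sites use 192.168.0.0/24; each instance carries
           its own copy of the prefix, pointing at its own tunnel */
        routing-options { static { route 192.168.0.0/24 next-hop st0.1; } }
    }
    cust-b {
        instance-type virtual-router;
        interface st0.2;
        interface ge-0/0/1.102;
        routing-options { static { route 192.168.0.0/24 next-hop st0.2; } }
    }
}
```

Because the overlapping prefix lives in cust-a.inet.0 and cust-b.inet.0 rather than inet.0, traffic arriving on st0.1 can only reach VLAN 101 and traffic on st0.2 only VLAN 102, which is the isolation the original question asks for.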
