[j-nsp] Juniper firewall that does HA, "contexts" and VPN?

Ivan Ivanov ivanov.ivan at gmail.com
Thu Aug 5 09:13:13 EDT 2010


Hello,

SRX-HE models could do that. Not sure about PPTP; I am finding only PPTP
ALG functionality.

You can terminate each customer VPN in a different VRF; it
is officially supported in 10.0R3.10. I think Stefan is talking about the same
functionality. Then you can have overlapping IP addresses at both ends, and,
for example, play with rib-groups if you want Internet access at the same
time. The good thing with SRX is that you have the powerful JUNOS for routing
and at the same time firewall functionality, which will become better and
better in the future.

HTH

On Thu, Aug 5, 2010 at 15:18, Stefan Fouant
<sfouant at shortestpathfirst.net> wrote:

> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> > bounces at puck.nether.net] On Behalf Of Martin Barry
> > Sent: Thursday, August 05, 2010 12:51 AM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] Juniper firewall that does HA, "contexts" and VPN?
> >
> > So, we're a Cisco shop but we need a firewall that can handle both
> > "contexts" and VPNs (which it appears ASAs can't) and be run HA.
> >
> > Basically:
> >
> > - redundant pair running HA
> > - IPSEC and PPTP VPN termination on a single external VLAN
> > - separate ACLs and routing for each customer which dumps them into their
> >   own VLAN
> > - must handle overlapping RFC1918 subnets at remote IPSEC endpoints
> >
> > Anyone have any recommendations?
>
> Most of the traditional ScreenOS products or the newer SRX line should be
> able to meet most of your needs as they can do both stateful firewalling,
> VPN functions, and most support high availability (all SRX products do,
> whereas only some of the ScreenOS platforms do).
>
> You'll have problems with PPTP however because as far as I can remember
> there is no PPTP tunneling support on either of these platforms, however
> there is L2TP support if that's a viable alternative.
>
> On the older ScreenOS platforms you should have no problem dropping various
> IPsec tunnels into a customer VSYS, and you can also do PBR functions to
> route traffic into the appropriate VLAN based on layer 3 and layer 4
> characteristics.
>
> On the newer SRX line, you can dump different customer traffic into their
> own VLAN in several ways - if it's IPsec encrypted traffic, you can either
> bind the tunnel to the customers' respective zone, or you can do Firewall
> Based Filtering (FBF) on the traffic after it's been decrypted (I suppose
> you could probably do FBF on encrypted traffic if you had a unique tunnel
> endpoint for each customer and you matched on that unique endpoint, but I'm
> not sure)...  You'll have no problem supporting RFC1918 subnets at the
> remote IPsec endpoints.  For the naysayers who say that there isn't the
> equivalent of a VSYS capability in the SRX, you can get similar
> functionality out of VRFs... although this is not a "supported"
> configuration at this time, I've done it for several customers and it
> works.
>
> HTHs.
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Best Regards!

Ivan Ivanov
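The per-customer VRF termination that both replies describe, written out as an added Junos set-command sketch for one customer (editor's illustration, not configuration from either poster). Names (CUST-A, VPN-A, st0.1, VLAN 101), the peer address 203.0.113.10 and the remote subnet 192.168.1.0/24 are constructed; a second customer would repeat the same blocks with its own st0 unit, VLAN and virtual-router, and may reuse the same RFC1918 subnet because it lives in a separate routing table and zone.

```junos
## Constructed example: customer A gets its own st0 unit, VLAN,
## virtual-router and security zone on an SRX (10.x-era syntax).

## Route-based IPsec: the tunnel is bound to st0.1 so the decrypted
## traffic arrives in whatever zone/VR that interface belongs to.
set interfaces st0 unit 1 family inet
set security ike proposal IKE-P authentication-method pre-shared-keys
set security ike policy IKE-POL-A mode main
set security ike policy IKE-POL-A proposals IKE-P
set security ike policy IKE-POL-A pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
set security ike gateway GW-A ike-policy IKE-POL-A
set security ike gateway GW-A address 203.0.113.10
set security ike gateway GW-A external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-P protocol esp
set security ipsec proposal IPSEC-P encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-P authentication-algorithm hmac-sha1-96
set security ipsec policy IPSEC-POL-A proposals IPSEC-P
set security ipsec vpn VPN-A bind-interface st0.1
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL-A
set security ipsec vpn VPN-A establish-tunnels immediately

## The customer's own VLAN sub-interface on the inside trunk.
set interfaces ge-0/0/1 unit 101 vlan-id 101
set interfaces ge-0/0/1 unit 101 family inet address 10.101.0.1/24

## Virtual-router: the remote 192.168.1.0/24 exists only in CUST-A.inet.0,
## so another customer's VR may hold the same prefix without conflict.
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface st0.1
set routing-instances CUST-A interface ge-0/0/1.101
set routing-instances CUST-A routing-options static route 192.168.1.0/24 next-hop st0.1

## Zones: IKE must be allowed inbound on the external interface, and the
## per-customer "ACL" is the policy set of the customer's own zone.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone CUST-A interfaces st0.1
set security zones security-zone CUST-A interfaces ge-0/0/1.101
set security policies from-zone CUST-A to-zone CUST-A policy ALLOW-A match source-address any
set security policies from-zone CUST-A to-zone CUST-A policy ALLOW-A match destination-address any
set security policies from-zone CUST-A to-zone CUST-A policy ALLOW-A match application any
set security policies from-zone CUST-A to-zone CUST-A policy ALLOW-A then permit

## Optional Internet access via rib-groups (routing half only): leak the
## customer's interface routes into inet.0 for return traffic, and send
## the customer's default route to the main table.
set routing-options rib-groups CUST-A-TO-INET import-rib [ CUST-A.inet.0 inet.0 ]
set routing-instances CUST-A routing-options interface-routes rib-group inet CUST-A-TO-INET
set routing-instances CUST-A routing-options static route 0.0.0.0/0 next-table inet.0
```

The Internet-access part still needs a CUST-A-to-untrust security policy and source NAT, which are omitted here; if two customers leak overlapping prefixes into inet.0 the rib-group approach breaks down, which is exactly why the per-customer VR must keep the overlapping space out of the shared table.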