Firewall Wizards mailing list archives
RE: Netscreen interface question
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Thu, 30 Aug 2001 13:41:19 +0100
Not as far as I'm aware, although you could do this successfully:
Site -> Netscreen -> router -> Internet
                        ___|___
                       /   |   \
                      /    |    \
                   site1 site2 site3
...using normal routing, traffic for site1/site2/site3 will automatically go
out to the right place, and all mainsite -> other site traffic will be
firewalled - however, intra-(External) site traffic won't be, which could be
a problem if you don't trust one of the sites but do the other two.
You may be able to pull some cunning tricks with policy-based routing into a
vlan, and the virtual systems technique (although vsys licenses aren't
cheap). Alternatively, you could use policy-based DNAT to bounce the traffic
back out the same interface it came in on (UGH! :o)
Also bear in mind the NS1000 only has two interfaces. The 500s have modular
interface cards, but essentially still have trusted/untrusted "ports".
Regards,
Phil
+------------------------------------------+
| Phil Mayers |
| Network & Infrastructure Group |
| Information & Communication Technologies |
| Imperial College |
+------------------------------------------+
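The point Phil makes about the shared-router layout (main site traffic to any leased-line site is firewalled, but site1/site2/site3 traffic to each other or to the Internet never touches the Netscreen) can be checked mechanically. The following is an added example, not code from the thread or from Netscreen; the topology dictionary is constructed from the ASCII diagram above, and the node names ("mainsite", "netscreen", "router", "site1" etc.) are assumptions of this example, not configuration identifiers.

```python
from collections import deque

# Constructed adjacency for the layout in the reply: the main site sits
# behind the Netscreen, whose untrusted side lands on a router that also
# fronts the Internet and the three leased-line sites. Links are symmetric.
TOPOLOGY = {
    "mainsite":  {"netscreen"},
    "netscreen": {"mainsite", "router"},
    "router":    {"netscreen", "internet", "site1", "site2", "site3"},
    "internet":  {"router"},
    "site1":     {"router"},
    "site2":     {"router"},
    "site3":     {"router"},
}

FIREWALL = "netscreen"   # assumed name of the inspecting device


def shortest_path(topology, src, dst):
    """Breadth-first search; returns the hop list src..dst, or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(topology.get(node, ())):   # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def is_firewalled(topology, src, dst, firewall=FIREWALL):
    """True only if the firewall is a transit hop (not an endpoint) on the src->dst path."""
    path = shortest_path(topology, src, dst)
    return path is not None and firewall in path[1:-1]


def unfirewalled_flows(topology, endpoints, firewall=FIREWALL):
    """Every ordered endpoint pair whose traffic never crosses the firewall."""
    return [(a, b) for a in endpoints for b in endpoints
            if a != b and not is_firewalled(topology, a, b, firewall)]


if __name__ == "__main__":
    sites = ["mainsite", "internet", "site1", "site2", "site3"]
    for a, b in unfirewalled_flows(TOPOLOGY, sites):
        print(f"{a} -> {b}: {' -> '.join(shortest_path(TOPOLOGY, a, b))}  (bypasses {FIREWALL})")
```

Running it lists the twelve ordered flows among the Internet and the three external sites that the Netscreen never sees, which is exactly the exposure to weigh if one of the leased-line sites is less trusted than the others. Any candidate rearrangement (policy-based routing into a VLAN, vsys) can be dropped into TOPOLOGY the same way and re-checked before hardware is bought.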
-----Original Message-----
From: Michael Condren [mailto:mjcon () hotmail com]
Sent: 29 August 2001 16:04
To: firewall-wizards () nfr com
Subject: [fw-wiz] Netscreen interface question
Hi,
We are thinking of purchasing a Netscreen product to act as a central firewall
for all traffic in and out of our site. Currently there are 4 routers used
for traffic. One for Internet access, the other three are used for
communication with other sites over leased lines. Netscreen firewalls only
have three interfaces per box. Is it possible to use the Netscreen as a
firewall between our site and the other site when there are only 3
interfaces on the firewall and four router LAN interfaces? Can you route
traffic to go in through one interface (router1->firewall int1) and out
through the same interface (firewall int1 -> router1)?
Thanks
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
