two fireboxes one lan.

We are in a situation where M200 for 40 remote users is getting busy. We do have three internet external IP on it, and still issue.Users are getting kicked out often. Will it be possible to add another firebox like T40/80 and separate one of our external IP for remote users only? How will be possible to use two fireboxes, with different external interfaces and one trusted LAN IP?

Comments

  • You could do this.
    However, first what is causing the users to get kicked out?

    What client VPN type are you using?
    IKEv2 & L2TP are faster than SSLVPN.

    How busy is your ISP link - down & up?
    If your ISP link is too busy, adding a 2nd firewall will not address the ISP link issue.

  • I am using IKEv2 and SSLVPN. Each one on separate ISP. Both ISP are 1Gbps. Since we do have two IPS, dont know if we can say that both are busy same time. To my understanding, using different client for different ISP, separates only entry point.
    How can we have two firboxes on same trusted interface? Two different local IP in same internal switch?

  • I believe that this will work:

    Set up the 2nd firewall Trusted IP addr from an unused subnet.
    Add a Secondary IP addr on the 2nd firewall Trusted IP addr with an unused IP addr from the Trusted subnet. Add this as a /32 subnet.

    The VPN client subnet(s) must be different on the 2nd firewall from the 1st firewall.

    To get reply packets from internal devices to go to the 2nd firewall:
    on the SSLVPN & IKEv2 incoming policies, on the Advanced tab: Dynamic NAT -> All traffic in this policy -> select Set Source IP, and enter the IP addr of the 2nd firewall trusted interface Secondary IP addr. Thus the reply packets will be send to the 2nd firewall trusted interface.

  • Thanks. Will try this.

Sign In to comment.