SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN - User Access Restriction

    Posted 10-09-2013 22:47

    Hello!

    I have Juniper SRX100 with Junos 11.4R2. I've configured dynamic VPN according to Security Configuration Guide. The only question I have is how to configure access restrictions for specific users or user groups?

    For example, sellers, managers and administrators need remote access to LAN. But I don't want sellers and managers to have network access to file servers or other specific resources. Sellers and managers also should have different kind of access. How can I manage it?

    Firewall rules are too static and tedious.



  • 2.  RE: Dynamic VPN - User Access Restriction

    Posted 10-13-2013 05:43

    Maybe in this way:

    set security dynamic-vpn clients dep_it remote-protected-resources 192.168.1.11/32
    set security dynamic-vpn clients dep_it remote-protected-resources 192.168.1.12/32
    set security dynamic-vpn clients dep_it remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients dep_it ipsec-vpn dyn-vpn
    set security dynamic-vpn clients dep_it user user1
    set security dynamic-vpn clients dep_it user user2



  • 3.  RE: Dynamic VPN - User Access Restriction

    Posted 10-13-2013 08:19

    Tedy, I thought about it, but this configuration does not allow setting port/application restrictions. For example, I want managers to have only port 53 access to the DNS server.



  • 4.  RE: Dynamic VPN - User Access Restriction

    Posted 10-13-2013 09:30

    Generally I have the same problem as you.



  • 5.  RE: Dynamic VPN - User Access Restriction
    Best Answer

    Posted 10-14-2013 06:51

    Hi,

    As much as I tried, you can restrict applications in the security policy configured for tunneling; only the junos-ike application is necessary for the VPN, and others can be added as you wish. Also, in the access profile configuration you can assign static IP addresses to each client and create several security policies for tunneling with different IPsec VPNs, using these addresses as the source-address. In this manner it is possible to apply restrictions for XAuth users. The only thing is that the trick with source IP addresses worked fine in the 12.1X44-D10.4 release, but it stopped working in 12.1X44-D20.3, at least for me :) I have attached a small example to make it clearer.

    Attachment: example.txt (2 KB)


  • 6.  RE: Dynamic VPN - User Access Restriction

    Posted 10-16-2013 00:53

    Thank you, but it's also not flexible enough. I'll try it if I don't find anything more flexible 😃



  • 7.  RE: Dynamic VPN - User Access Restriction

    Posted 10-16-2013 05:05

    I also encountered several new problems.

    The first one:

    After losing network I can't use dynamic VPN. The Juniper Pulse connection status is "IKE negotiation failed". I haven't changed my config since last time, and I use the standard proposal set, so I have no idea why it occurs.

    The second one:

    On another Juniper SRX100H device I was trying to resolve the above problem. But after changing the configuration, https access to the dynamic VPN portal was lost. I rolled back to the previous configuration, but there was no success with https access. I don't know the reason. It was working with the same config, but now it fails.

    My dynamic VPN config is attached.

    Any ideas? 😃

    UPD: It seems the first problem is because of: "Number of connections (2) for the ike gateway exceeds connection limit. Terminating the connection." But show security ike security-associations and show security ike active-peer show nothing.

    Attachment: dyn-vpn.txt (3 KB)


  • 8.  RE: Dynamic VPN - User Access Restriction

    Posted 11-06-2013 00:03

    Are you still using Junos 11.4, or have you updated to Junos 12.1X44?



  • 9.  RE: Dynamic VPN - User Access Restriction

    Posted 11-07-2013 01:58

    Yes, I'm still on 11.4. But after updating to 11.4R9 the above problems seem to have disappeared.

    Also I added:

    set security ipsec vpn dyn-vpn ike idle-time 300



  • 10.  RE: Dynamic VPN - User Access Restriction

    Posted 11-23-2013 16:00

    Hello

    I am facing the same issue. I want to restrict the VPN client to certain ports only, but when I apply it in the policy with an application, the client does not connect. It works fine with an any/any policy. Please suggest any method to restrict a user to a particular port only.


    Regards,

    Aamer



  • 11.  RE: Dynamic VPN - User Access Restriction

    Posted 11-23-2013 22:51

    The solution to what you want to do lies in a different product: MAG devices. It would take quite a lot of configuration on the SRX to allow that kind of fine-tuned access restriction to resources. I can think of the "cluster" of security policy rules that would be required for such functionality, so if you can, try to see if management would be willing to get you a MAG. Maybe someone else has accomplished it, so we will watch for a response later.