SRX Services Gateway
Contributor
PisPix
Posts: 11
Registered: 11-10-2010
Accepted Solution

Filter traffic within policy based vpn

Hi,

I'm setting up a policy-based VPN with a Cisco device on an SRX 240 chassis cluster. I have multiple subnets which need to be reachable through the VPN. I know I have to create multiple gateways because of the single-subnet proxy-ID support. Is it possible to define a subnet, allow that, and filter within the VPN?

Let's say:

Juniper local net: 192.168.10.0/24
Cisco remote nets: 10.20.30.0/24 & 192.168.20.0/24

I want to allow traffic and have an exception (within the Juniper cluster):

permit tcp host 192.168.10.10 host 10.20.30.40 eq 25
deny tcp 192.168.10.0/24 10.20.30.0/24 eq 25
permit ip 192.168.10.0/24 10.20.30.0/24

How is that possible with Junos?

Regards,
PisPix

Super Contributor
colemtb
Posts: 312
Registered: 09-30-2009

Re: Filter traffic within policy based vpn

You will have your remote networks defined under your untrust zone for your VPN pair policies.

So, before you get into your VPN pair policies on trust to untrust, insert a policy that negates source-address 192.168.10.0/24, destination-address 10.20.30.0/24, application junos-smtp, then deny.

Then jump into your pair policies.
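A worked Junos configuration for the ordering colemtb describes, added here as an example; it is not configuration from the thread or from either poster. It assumes zone names trust and untrust, an existing policy-based VPN named to-cisco whose IKE gateway and proposals are already configured, the zone-level address book style of the Junos releases current when this thread was written, and that the SRX accepts a second tunnel policy pair referencing the same VPN (an assumption; the exception policies are the ones to drop if commit rejects it). All address-object and policy names are made up for the example.

```junos
## Added example, not the thread's own configuration. Assumed: zones trust/untrust,
## VPN "to-cisco" already defined, zone-level address book, made-up object names.

# Address objects. The remote networks live in the untrust zone, as colemtb notes.
set security zones security-zone trust address-book address local-lan 192.168.10.0/24
set security zones security-zone trust address-book address mail-srv 192.168.10.10/32
set security zones security-zone untrust address-book address remote-lan 10.20.30.0/24
set security zones security-zone untrust address-book address remote-mx 10.20.30.40/32

# Pin the proxy-ID to the single subnet pair the Cisco side expects, so it does not
# depend on which policy happened to bring the tunnel up.
set security ipsec vpn to-cisco ike proxy-identity local 192.168.10.0/24 remote 10.20.30.0/24 service any

# 1. Exception first: only the mail host may speak SMTP to the remote MX, through the tunnel.
set security policies from-zone trust to-zone untrust policy smtp-mailsrv match source-address mail-srv destination-address remote-mx application junos-smtp
set security policies from-zone trust to-zone untrust policy smtp-mailsrv then permit tunnel ipsec-vpn to-cisco pair-policy smtp-mailsrv-in
set security policies from-zone untrust to-zone trust policy smtp-mailsrv-in match source-address remote-mx destination-address mail-srv application junos-smtp
set security policies from-zone untrust to-zone trust policy smtp-mailsrv-in then permit tunnel ipsec-vpn to-cisco pair-policy smtp-mailsrv

# 2. Deny SMTP from the rest of the local LAN to the remote subnet (colemtb's policy),
#    logged and counted so the block is visible, placed BEFORE the catch-all tunnel policy.
set security policies from-zone trust to-zone untrust policy deny-smtp-remote match source-address local-lan destination-address remote-lan application junos-smtp
set security policies from-zone trust to-zone untrust policy deny-smtp-remote then deny
set security policies from-zone trust to-zone untrust policy deny-smtp-remote then log session-init
set security policies from-zone trust to-zone untrust policy deny-smtp-remote then count

# 3. The VPN pair policies for everything else between the two subnets.
set security policies from-zone trust to-zone untrust policy vpn-out match source-address local-lan destination-address remote-lan application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn to-cisco pair-policy vpn-in
set security policies from-zone untrust to-zone trust policy vpn-in match source-address remote-lan destination-address local-lan application any
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel ipsec-vpn to-cisco pair-policy vpn-out

# Policies are evaluated top-down, first match wins. If they were committed in another
# order (for example the pair policies already existed), move the new ones up:
insert security policies from-zone trust to-zone untrust policy smtp-mailsrv before policy deny-smtp-remote
insert security policies from-zone trust to-zone untrust policy deny-smtp-remote before policy vpn-out
commit and-quit

# Check the resulting order before trusting it; deny-smtp-remote must be listed before vpn-out.
show security policies from-zone trust to-zone untrust
```

Two things worth checking after commit. The deny only sits in the trust-to-untrust direction, so it stops SMTP connections initiated from the local LAN; if SMTP initiated from the remote side toward 192.168.10.0/24 is also to be blocked, a mirror deny goes before vpn-in in the untrust-to-trust context. And the second remote subnet, 192.168.20.0/24, gets its own VPN and its own policy pair with the same pattern, which is the multiple-gateway arrangement the original question already anticipates.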

Contributor
PisPix
Posts: 11
Registered: 11-10-2010

Re: Filter traffic within policy based vpn

Thank you, that seems logical. I will test and report back. Also, thank you for your previous post regarding the VPN connection between ASA/Junos, very useful!

Regards,
PisPix

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.