01-19-2011 05:40 AM
Hi,
I'm setting up a policy based VPN with a Cisco device on a SRX 240 Chassis cluster. I have multiple subnets which need to be reachable through the vpn. I know I have to make multiple gw's because of the single subnet proxy-id support. Is it possible to define a subnet and allow that and filter within the VPN?
Let's say:
Juniper Local net: 192.168.10.0/24
Cisco Remote nets: 10.20.30.0/24 & 192.168.20.0/24
I want to allow traffic and have an exception (within the Juniper cluster):
permit tcp host 192.168.10.10 host 10.20.30.40 eq 25
deny tcp 192.168.10.0/24 10.20.30.0/24 eq 25
permit ip 192.168.10.0/24 10.20.30.0/24
How is that possible with Junos?
Regards,
PisPix
01-19-2011 06:24 AM
You will have your remote networks defined under your untrust zone for your VPN pair policies.
So.
Before you get into your VPN pair policies on trust to untrust, insert a policy that negates source-address 192.168.10.0/24 destination-address 10.20.30.0/24 application junos-smtp then deny.
Then jump into your pair policies.
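As an added illustration of the ordering described in the answer above (this is not configuration from the poster or from Juniper; zone names, address-book names, the VPN name cisco-vpn-a and the policy names are assumptions, and the address-book syntax is the zone-based form used on Junos 10.x), a trust-to-untrust policy list that first permits the single host on SMTP, then denies SMTP for the rest of the subnet, and only then reaches the VPN pair policy:

```junos
## Address objects in the zone address books (names are assumptions)
set security zones security-zone trust address-book address local-net 192.168.10.0/24
set security zones security-zone trust address-book address mail-host 192.168.10.10/32
set security zones security-zone untrust address-book address remote-net-a 10.20.30.0/24
set security zones security-zone untrust address-book address remote-mail 10.20.30.40/32

## 1. Exception first: the single host may reach the remote mail server on TCP/25 through the tunnel
set security policies from-zone trust to-zone untrust policy allow-mail-host match source-address mail-host
set security policies from-zone trust to-zone untrust policy allow-mail-host match destination-address remote-mail
set security policies from-zone trust to-zone untrust policy allow-mail-host match application junos-smtp
set security policies from-zone trust to-zone untrust policy allow-mail-host then permit tunnel ipsec-vpn cisco-vpn-a pair-policy vpn-in-a

## 2. Deny SMTP for everyone else in the local subnet; log it so the denies are visible in syslog
set security policies from-zone trust to-zone untrust policy deny-smtp match source-address local-net
set security policies from-zone trust to-zone untrust policy deny-smtp match destination-address remote-net-a
set security policies from-zone trust to-zone untrust policy deny-smtp match application junos-smtp
set security policies from-zone trust to-zone untrust policy deny-smtp then deny
set security policies from-zone trust to-zone untrust policy deny-smtp then log session-init

## 3. VPN pair policies for all other traffic to the first remote subnet
##    (the second remote subnet, 192.168.20.0/24, needs its own VPN and pair, as noted in the question)
set security policies from-zone trust to-zone untrust policy vpn-out-a match source-address local-net
set security policies from-zone trust to-zone untrust policy vpn-out-a match destination-address remote-net-a
set security policies from-zone trust to-zone untrust policy vpn-out-a match application any
set security policies from-zone trust to-zone untrust policy vpn-out-a then permit tunnel ipsec-vpn cisco-vpn-a pair-policy vpn-in-a

set security policies from-zone untrust to-zone trust policy vpn-in-a match source-address remote-net-a
set security policies from-zone untrust to-zone trust policy vpn-in-a match destination-address local-net
set security policies from-zone untrust to-zone trust policy vpn-in-a match application any
set security policies from-zone untrust to-zone trust policy vpn-in-a then permit tunnel ipsec-vpn cisco-vpn-a pair-policy vpn-out-a

## If the pair policies already exist, move the two new policies above them; order is what makes this work
insert security policies from-zone trust to-zone untrust policy deny-smtp before policy vpn-out-a
insert security policies from-zone trust to-zone untrust policy allow-mail-host before policy deny-smtp
```

After committing, check the resulting order with "show security policies from-zone trust to-zone untrust": allow-mail-host must be listed before deny-smtp, and deny-smtp before vpn-out-a, because the first matching policy wins. Note that these policies only restrict sessions initiated from the trust side; the untrust-to-trust pair policy still permits anything from the remote subnet, so if inbound SMTP from the Cisco side also needs restricting, add the equivalent permit and deny policies in front of vpn-in-a.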
01-19-2011 06:48 AM
Thank you, that seems logical. I will test and report back. Also, thank you for your previous post regarding the VPN connection between ASA/Junos, very useful!
Regards,
PisPix