11-05-2010 10:15 AM
For a remote site, with a SRX100, I want to be able to manage it with ssh and web but only from my external ip address. Similarly there will be an IPSec VPN between the sites but I only want to accept ike from its specific peer's ip address.
Am I right in thinking that security policies won't have any effect as I'm not going between zones?
11-05-2010 12:10 PM
You are correct in stating that the security policies will not have an effect. The features you are looking for are "host-inbound-traffic", where you set the allowed services on the particular interfaces in a security zone (or the entire zone), and then setting up a firewall filter and applying it to the loopback interface to specifically allow and / or deny certain remote addresses.
11-06-2010 01:37 PM
The host-inbound-traffic defines what service is allowed, not where from. If you want that: take a look at the post I wrote about this in the config library: http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-permited-IP-on-SRX/m-p/5839... .
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
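The two answers above fit together: host-inbound-traffic opens the service on the zone, and a filter on lo0 decides which source addresses may reach it. The following configuration is an added example written for this thread, not from either poster or from the linked config-library article. It assumes the WAN interface is fe-0/0/0.0 in a zone called untrust, that "web" means J-Web over HTTPS, and uses constructed documentation addresses: 203.0.113.10 as the admin's external IP and 198.51.100.20 as the IKE peer. The filter name protect-re and the term names are also chosen here.

```junos
security {
    zones {
        security-zone untrust {
            /* Step 1: allow the services themselves on the zone.
               This says WHAT may reach the device, not from WHERE. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0;     /* assumed WAN interface */
            }
        }
    }
}
firewall {
    family inet {
        /* Step 2: the lo0 input filter restricts WHERE from.
           Everything addressed to the Routing Engine passes through it. */
        filter protect-re {
            /* constructed admin address: ssh and https only from here */
            term mgmt-from-admin {
                from {
                    source-address {
                        203.0.113.10/32;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* constructed VPN peer: IKE (UDP 500) and NAT-T (UDP 4500) only from here */
            term ike-from-peer {
                from {
                    source-address {
                        198.51.100.20/32;
                    }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then accept;
            }
            /* same ports from any other source: log and drop */
            term deny-mgmt-and-ike-from-others {
                from {
                    protocol [ tcp udp ];
                    destination-port [ ssh https 500 4500 ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* leave everything else (ESP, DNS/NTP replies, routing) untouched */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The final accept term matters: an lo0 filter on SRX sees all traffic destined to the device itself, so ending with an implicit discard would also drop ESP for the tunnel and replies to the box's own DNS or NTP queries. Because a mistake here can lock you out of a remote site, apply it with commit confirmed so the change rolls back automatically if you lose access, and check hits with show firewall filter protect-re.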