SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Restrict some PC to access Internet

    Posted 12-09-2013 19:05

    Hi All,

    My topology:

    PC------SRX-------WAN(internet)------SRX----HQ

    All PCs connected to my SRX can access both the VPN and the Internet.

    Now I want to limit which PCs can connect to the Internet, but all PCs should still use the VPN.

    How can I configure this on my SRX?

    Thanks,

    Attachment(s)

    config.txt (6 KB)


  • 2.  RE: Restrict some PC to access Internet

    Posted 12-09-2013 19:58

    Dear Hoang,

    As per your configuration, please write an address book entry for the IPs for which you want to block internet access.

    Using the existing policy Internal -> Untrust, specify an address allowing both VPN & internet.

    And you can define the source address book entries under the security zone (internal), or else globally under the [edit security] hierarchy level.

    Best Regards,

    Suresh

     



  • 3.  RE: Restrict some PC to access Internet

    Posted 12-09-2013 20:13

    Hi Suresh,

    Can I allow a specific IP address to connect to the Internet?

    I mean, now the whole network 192.168.2.1/24 can connect to the Internet and also VPN to HQ (site-to-site).

    But now I want only two PCs (maybe define IP 192.168.2.2 and 192.168.2.3) in the network 192.168.2.1/24 to be able to connect to the Internet and use the VPN. Other PCs just use the VPN and cannot connect to the Internet.

    Thanks,

     

     

     



  • 4.  RE: Restrict some PC to access Internet
    Best Answer

     
    Posted 12-09-2013 20:14

    Hi,

    As per the attached config, you are not using DHCP to assign IPs to your internal PCs, so you just need to define the PCs allowed to access the Internet in an address-book address-set under the zone Internal which contains all allowed addresses, and define two security policies from zone Internal to zone Untrust: the first to permit traffic from the Allowed-PCs address-set and the second to deny anything else.

     

    [edit security zones security-zone internal]
    root@SRX1# show
    address-book {
        address PC1 192.168.2.101/32;
        address PC2 192.168.1.102/32;
        address-set Allowed-PCs {
            address PC1;
            address PC2;
        }
    }

    [edit security policies from-zone internal to-zone untrust]
    root@HQ-SRX1# show
    policy allow-internet {
        match {
            source-address Allowed-PCs;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy deny-else {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }

     

    Regards



  • 5.  RE: Restrict some PC to access Internet

     
    Posted 12-09-2013 20:18

    Don't forget to remove the old policy internal-to-untrust.

    The new change will block any traffic from your internal zone to the VPN zone; all PCs will be allowed to access the VPN as before.

     

    Regards

    Red1
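    As an added illustration (not code from this thread), a small Python model of the SRX first-match policy evaluation from the best answer above: the address-book and the two policies from that post, plus the stale permit-any internal-to-untrust policy the follow-up says to remove, so you can see that leaving it in place ahead of the new policies defeats the restriction. The policy ordering and host addresses are constructed for this example.

```python
import ipaddress

# Constructed model of the best answer's configuration (a simplified model,
# not Junos itself): the address-book under zone internal and the
# internal -> untrust policies, which are evaluated top to bottom.
ADDRESS_BOOK = {
    "PC1": "192.168.2.101/32",
    "PC2": "192.168.1.102/32",
}
ADDRESS_SETS = {"Allowed-PCs": ["PC1", "PC2"]}

# The two policies from the best answer, in the order they must appear.
POLICIES_NEW = [
    {"name": "allow-internet", "source": "Allowed-PCs", "action": "permit"},
    {"name": "deny-else", "source": "any", "action": "deny"},
]
# The same policies with the old permit-any policy still ahead of them
# (the case the follow-up warns about).
POLICIES_STALE = [
    {"name": "internal-to-untrust", "source": "any", "action": "permit"},
] + POLICIES_NEW


def resolve(name):
    """Expand an address or address-set name into a list of networks."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in ADDRESS_SETS:
        return [net for member in ADDRESS_SETS[name] for net in resolve(member)]
    return [ipaddress.ip_network(ADDRESS_BOOK[name])]


def evaluate(policies, src_ip):
    """Return (policy name, action) of the first policy whose source matches
    src_ip, or (None, 'deny') for the implicit default deny."""
    ip = ipaddress.ip_address(src_ip)
    for policy in policies:
        if any(ip in net for net in resolve(policy["source"])):
            return policy["name"], policy["action"]
    return None, "deny"


def restriction_holds(policies, allowed, blocked):
    """True only if every allowed host is permitted and every other host denied."""
    return (all(evaluate(policies, h)[1] == "permit" for h in allowed)
            and all(evaluate(policies, h)[1] == "deny" for h in blocked))


if __name__ == "__main__":
    for host in ("192.168.2.101", "192.168.2.50"):
        print(host, evaluate(POLICIES_NEW, host), evaluate(POLICIES_STALE, host))
```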

     


  • 6.  RE: Restrict some PC to access Internet

    Posted 12-09-2013 22:56

    Hi,

     

    Thank you for your guide, it's working very well.

     

    Thanks,

    Hoang



  • 7.  RE: Restrict some PC to access Internet

    Posted 12-10-2013 03:45
    Hi, I have another case for restricting PC access to the Internet. Following your guide (filter by IP address) is working now. But now my boss has asked me to filter by MAC address. How can I do this? Restrict some PCs from accessing the Internet by MAC address, so the client cannot change their IP to access the Internet. Thanks


  • 8.  RE: Restrict some PC to access Internet

    Posted 12-10-2013 15:52

    I would be more concerned about how open your firewall is than the internal users. You do realise your current config is extremely insecure?



  • 9.  RE: Restrict some PC to access Internet

    Posted 12-10-2013 19:06

    Hi, 

     

    First, I opened all my policies to make sure the connection is OK; I will change the policies later. But now I want to filter some MACs from accessing the Internet. How can I do this?

     

    Thanks,



  • 10.  RE: Restrict some PC to access Internet

     
    Posted 12-10-2013 22:10

    Hi 

     

    Do you know that MAC addresses can be easily spoofed? So I recommend you use a proxy server to force customers to authenticate before connecting to the Internet; you can also use a NAC solution, which provides more control/security of your local network.

    Security policies use only IP addressing, so you can also use DHCP IP binding on your SRX to bind an IP to a MAC address and configure security policies based on those reserved IPs.

    You can also use a stateless firewall filter on your inbound interface, which can use the MAC address as a criterion (starting from Junos 11.4); this will allow all MAC addresses to access the VPN and only specific MAC addresses to access the Internet.

    Please check the link below:

    http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html

    Regards

    Security policies can only use IP addressing. So you would be limited to the old workaround of using a DHCP reservation to connect a MAC address to an IP address, then creating the security policy based on that IP address.



  • 11.  RE: Restrict some PC to access Internet

    Posted 12-11-2013 01:44
    Hi, so my latest solution is to use DHCP and assign a fixed IP address to the MAC address. After that, use a security policy for the fixed IP. Thanks,