ScreenOS

This is a legacy community with limited Juniper monitoring.
  • 1.  Restrict SSG 140 VPN user to specific IPs?

    Posted 01-10-2014 09:51

    Hello,

     

    Using an SSG 140, is it possible to allow VPN users to connect but only access a few specific IPs in the subnet?

     

    Maybe I could create a VPN user group that are assigned IPs from a specific subnet, then set Policies to restrict access from that subnet to only the IPs I want?  Would this work?



  • 2.  RE: Restrict SSG 140 VPN user to specific IPs?

    Posted 01-10-2014 11:04

    Yes, it can be done. In the policy action you configure tunnel, and you can add addresses for source and destination.

     Go to Objects, then Policy Elements, make an address group and assign the address group to the VPN policy (source and destination as per requirement).

    Please mark this as the accepted solution if it works for you.

    Kudos are a good way of showing appreciation.

     

    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos



  • 3.  RE: Restrict SSG 140 VPN user to specific IPs?

    Posted 01-11-2014 11:52

    For the process of setting up this dynamic VPN, see KB15272.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

     

    Your specific question on access policies is in step 9 of this configuration sheet.  At this point you would configure the address objects you want to allow access to and set up the policy so that only those items are permitted.

     

    This master listing of all KBs for the dynamic VPN option may also be helpful.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB8535
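A worked ScreenOS CLI version of what replies 2 and 3 describe, added here as an illustration; it is not from the original posts or from the KB article. The address names, IP addresses, the address group, the service group and the VPN name (contractor-vpn) are all assumptions, and it presumes the dial-up IKE gateway and VPN object already exist as built in KB15272. SSH is used as a predefined ScreenOS service; the RDP service is defined explicitly rather than relying on a predefined name.

```text
# --- Destination objects: the only hosts contractors may reach (assumed addresses) ---
set address "Trust" "srv-app1" 10.1.10.21 255.255.255.255
set address "Trust" "srv-app2" 10.1.10.22 255.255.255.255
set group address "Trust" "contractor-servers" add "srv-app1"
set group address "Trust" "contractor-servers" add "srv-app2"

# --- Services: only the admin protocols they need, never "ANY" ---
set service "RDP-3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set group service "contractor-svcs" add "SSH"
set group service "contractor-svcs" add "RDP-3389"

# --- The dial-up tunnel policy (KB15272 step 9) ---
# Source is the predefined "Dial-Up VPN" object, destination is the address group,
# action is tunnel, so only traffic matching this policy is decrypted and forwarded.
# VPN traffic to any other host or port matches no policy and is dropped by the default deny.
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "contractor-servers" "contractor-svcs" tunnel vpn "contractor-vpn" log

# --- Verify what was installed ---
get policy id 10
get group address "Trust" "contractor-servers"
```

Keep the service group tight: a tunnel policy with service "ANY" to the group still lets the contractor scan every port on those servers. Note that this only limits what the tunnel endpoint (the contractor's own machine) can reach; it says nothing about where the server itself can go afterwards, which is the point reply 4 raises.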



  • 4.  RE: Restrict SSG 140 VPN user to specific IPs?

    Posted 01-13-2014 09:56

    Thanks for the reply.

     

    On looking at this closer, I'm not sure if what I need is possible. Specifically, I need to grant VPN access to some contractors, but I need to limit their access to a few servers.

     

    It seems to me that policy-based VPN would work only in restricting the computer that has initiated the VPN connection.   For example, if they remote desktop or SSH into an allowed server from their computer, they could then access the rest of the network from that server (since there are no restrictions on the server itself).

     

    I am wondering if I need to VLAN or segment the entire environment into a different subnet.



  • 5.  RE: Restrict SSG 140 VPN user to specific IPs?

    Posted 01-14-2014 01:17

    Now this is another scenario. Here you need to deploy access control policies on your servers. You may restrict the user from doing this through domain policies. You may place the set of servers to which VPN users are granted permission in one zone and all other servers in another zone. You may then configure inter-zone policies restricting unwanted ports from those servers to the other servers.




  • 6.  RE: Restrict SSG 140 VPN user to specific IPs?
    Best Answer

    Posted 01-14-2014 15:07

    jlehtinen,

     

    You have correctly identified the issues and a potential solution.  You are correct that once you grant a server login to the remote user, they get all the access that this server has available.

     

    You can lock down the server by placing this into a restricted vlan with their own zone policies.  But you do need to be careful that you don't break the functionality of the server application in the process.

     

    You can also restrict the access of their domain credentials that access the server.  This limits what they can do once logged into the domain for access.
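To make the restricted zone/VLAN approach in replies 5 and 6 concrete, here is an added ScreenOS CLI sketch; it is not from the thread or from Juniper documentation. The zone name, VLAN tag, subinterface, addresses, VPN name (contractor-vpn) and the list of services the server needs back into Trust are all assumptions. In particular, a domain-joined Windows server needs more than LDAP to its domain controllers (DNS, Kerberos, SMB, RPC at least), so the "ad-auth" group below must be worked out per application or the server breaks, exactly as reply 6 warns.

```text
# --- New restricted zone on a tagged VLAN subinterface (name, tag and addressing assumed) ---
set zone name "Contractor-DMZ"
# intra-zone blocking: hosts inside the zone cannot talk to each other without a policy
set zone "Contractor-DMZ" block
set interface ethernet0/2.1 tag 50 zone "Contractor-DMZ"
set interface ethernet0/2.1 ip 10.1.50.1/24

# --- Hosts ---
set address "Contractor-DMZ" "srv-app1" 10.1.50.21 255.255.255.255
set address "Trust" "dc1" 10.1.10.5 255.255.255.255

# --- Services ---
# what the contractor may use on the server
set service "RDP-3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set group service "contractor-svcs" add "SSH"
set group service "contractor-svcs" add "RDP-3389"
# what the server needs toward the domain (assumed minimum; extend per application)
set service "KRB-88" protocol tcp src-port 0-65535 dst-port 88-88
set group service "ad-auth" add "DNS"
set group service "ad-auth" add "LDAP"
set group service "ad-auth" add "KRB-88"

# 1. VPN users reach only the DMZ host, only on SSH/RDP
set policy id 10 from "Untrust" to "Contractor-DMZ" "Dial-Up VPN" "srv-app1" "contractor-svcs" tunnel vpn "contractor-vpn" log

# 2. From the DMZ host back into Trust: only domain auth to one DC ...
set policy id 20 from "Contractor-DMZ" to "Trust" "srv-app1" "dc1" "ad-auth" permit log
# ... and an explicit, logged deny, so any attempt to hop from srv-app1 into Trust shows up in the logs
set policy id 21 from "Contractor-DMZ" to "Trust" "Any" "Any" "ANY" deny log

# 3. No path from the DMZ out to the Internet either, unless the application needs one
set policy id 22 from "Contractor-DMZ" to "Untrust" "Any" "Any" "ANY" deny log

# --- Verify ---
get policy from "Contractor-DMZ" to "Trust"
```

With this in place an RDP or SSH session on srv-app1 has no route into the rest of the network except the handful of ports in policy 20, and every attempt is logged. The firewall still cannot see what the contractor does on the server itself, so pair it with the domain-credential restriction from reply 6 (no local admin on the server, logon allowed only to srv-app1) rather than relying on either control alone.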