Screen OS

  • 1.  Secondary Policy/Policy After VPN Tunnel

    Posted 10-04-2010 13:08

    Is it possible to apply a 2nd policy (basically, one that is applied after traffic exits a tunnel) to further limit traffic based on additional criteria? I can do this with multiple VPNs, but I would rather the simplicity of a single tunnel.

     

    For example:

    Subnet 172.16.1.0/24 is accessed by 192.168.1.0/24 over a tunnel.

    Some hosts in the 192.168.1.0 network should be allowed access to only specific resources, while the remainder of hosts (non-contiguous addresses) should have unrestricted access.

     

    Thanks!

    Les



  • 2.  RE: Secondary Policy/Policy After VPN Tunnel
    Best Answer

    Posted 10-04-2010 20:23

    Hi,

     

    You can accomplish this with a route-based VPN by binding the tunnel interface to the untrust zone and adding policies. The first policy would be the most restrictive one, unique to those workstations; the second would be the blanket policy that covers the rest. You just want to make sure the more restrictive policy is first.

     

    -John
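
    The setup John describes, written out as an added ScreenOS configuration example (not from this thread) for the firewall in front of 172.16.1.0/24, with the remote site 192.168.1.0/24 arriving through a route-based tunnel. An explicit deny (policy 20) sits between the restrictive permit and the blanket permit, because without it the blanket policy would still match the restricted hosts for everything else. Interface names, host addresses, the peer address and the IKE/VPN settings are assumed placeholders.

```screenos
## Added illustration, not the thread's own configuration. Names, IPs and
## IKE settings are assumptions; replace them for a real deployment.

## 1. Tunnel interface in the untrust zone, unnumbered, borrowing ethernet3's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

## 2. IKE gateway and VPN bound to the tunnel interface (route-based, not policy-based)
set ike gateway gw-remote address 203.0.113.1 main outgoing-interface ethernet3 preshare "CHANGE-ME" sec-level standard
set vpn vpn-remote gateway gw-remote sec-level standard
set vpn vpn-remote bind interface tunnel.1
set vpn vpn-remote proxy-id local-ip 172.16.1.0/24 remote-ip 192.168.1.0/24 any

## 3. Traffic for the remote subnet is routed into the tunnel
set route 192.168.1.0/24 interface tunnel.1

## 4. Address objects: the restricted (non-contiguous) hosts and what they may reach
set address untrust "remote-net" 192.168.1.0 255.255.255.0
set address untrust "host-a" 192.168.1.10 255.255.255.255
set address untrust "host-b" 192.168.1.57 255.255.255.255
set group address untrust "restricted-hosts" add "host-a"
set group address untrust "restricted-hosts" add "host-b"
set address trust "local-net" 172.16.1.0 255.255.255.0
set address trust "web-server" 172.16.1.20 255.255.255.255

## 5. Policies are matched top to bottom; the first match wins.
## 10: restricted hosts may reach only the web server, only over HTTP
set policy id 10 from untrust to trust "restricted-hosts" "web-server" "HTTP" permit log
## 20: anything else from the restricted hosts is dropped and logged,
##     so the blanket permit below never applies to them
set policy id 20 from untrust to trust "restricted-hosts" "local-net" any deny log
## 30: blanket permit for the remaining remote hosts
set policy id 30 from untrust to trust "remote-net" "local-net" any permit

## 6. If a policy was created out of order, reposition it so the deny precedes the blanket permit
set policy move 20 before 30
```

    Check the order afterwards with `get policy from untrust to trust`; the deny on policy 20 with logging also gives you a visible record of restricted hosts probing beyond their allowed resource.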



  • 3.  RE: Secondary Policy/Policy After VPN Tunnel

    Posted 10-05-2010 17:47

    Thanks John - that's what I figured the answer would be (currently I'm using a policy-based VPN). 



  • 4.  RE: Secondary Policy/Policy After VPN Tunnel

    Posted 10-08-2010 12:12

    John, quick question here: so if someone is using a policy-based VPN they can't accomplish this, correct? With a policy-based VPN it would permit all traffic from all hosts between the two locations, correct?