09-14-2011 10:15 AM
People come from [UnTrusted] IP addresses
at the Juniper Firewall they are authenticated (VPN) against an [Active Directory] server
once authenticated, they have access to a server within our DMZ
Can I maintain the VPN authentication but change the FIRST STEP above to a specific set of IP addresses? If so, how?
People come from [UnTrusted] IP address RANGE of (234.345.*.*) ...
09-14-2011 03:57 PM
You will just need to modify your VPN access policy that goes from untrust to your DMZ.
Create the address objects you want as source addresses in the untrust zone
Create an address group of these objects
Edit the policy and change the source address from "any" to your new group
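The three steps above, written out as ScreenOS CLI rather than WebUI clicks. This is an added illustration, not configuration posted in the thread; the zone names "Untrust" and "DMZ", the object names, the policy id 5 and the existing "dmz-server" object are all assumed, and 203.0.113.0/24 and 198.51.100.0/24 are placeholder documentation ranges standing in for the poster's real source range. Note the caveat that surfaces later in this thread: when the existing policy is a dial-up VPN policy, its source is the built-in "Dial-Up VPN" object and the firewall refuses to replace that source with an address group, so step 3 below only applies to an ordinary (non-dial-up) policy.

```text
# Added example, not from the original thread. Assumed names and ranges, see lead-in.

# 1. Address objects in the Untrust zone, one per permitted source block
set address "Untrust" "vpn-src-1" 203.0.113.0 255.255.255.0
set address "Untrust" "vpn-src-2" 198.51.100.0 255.255.255.0

# 2. Address group holding those objects
set group address "Untrust" "vpn-sources" add "vpn-src-1"
set group address "Untrust" "vpn-sources" add "vpn-src-2"

# 3. Replace the policy so its source is the group instead of "Any"
#    (policy id 5 and "dmz-server" are assumed; this is the plain permit form,
#    a dial-up VPN tunnel policy rejects a source other than "Dial-Up VPN")
unset policy id 5
set policy id 5 from "Untrust" to "DMZ" "vpn-sources" "dmz-server" "ANY" permit

# Check the result
get policy id 5
get group address "Untrust" "vpn-sources"
```

Order matters: the address objects must exist before the group references them, and the group must exist before the policy references it, otherwise the later commands are rejected.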
09-15-2011 07:41 AM
Our source address for this policy is 'Dial-Up VPN', which is apparently built in. If we try to change the source address to an IP group we get the following error:
You must use 'Dial-Up VPN' as one the source or destination address of a policy configured with a dial-up VPN.
09-16-2011 04:08 AM
Sorry about that, I didn't catch the requirement for the source object. If you can't narrow that policy, I can't think of a way to restrict the access.