09-14-2011 10:15 AM
Hello All...
People come from [UnTrusted] IP addresses
at the Juniper Firewall they are authenticated (VPN) against an [Active Directory] server
once authenticated, they have access to a server within our DMZ
question:
Can I maintain the VPN authentication, but change the FIRST STEP above to a specific set of IP addresses? If so, how?
example:
People come from [UnTrusted] IP address RANGE of (234.345.*.*) ...
thanks...
09-14-2011 03:57 PM
You will just need to modify your VPN access policy that goes from untrust to your DMZ.
Create the address objects you want as source addresses in the untrust zone:
Policy > Policy Elements > Addresses > List
Create an address group of these objects:
Policy > Policy Elements > Addresses > Groups
Edit the policy and change the source address from "any" to your new group:
Policy > Policies > Edit
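The same three steps in ScreenOS CLI form, as an added example and not part of the original reply; the zone names Untrust/DMZ, the object names, the policy id 20 and the 203.0.113.0/24 source range are placeholders I chose (203.0.113.0/24 is the TEST-NET-3 documentation range, standing in for the poster's own address range). As the later replies in this thread show, this only narrows an ordinary permit policy; a policy configured with a dial-up VPN must keep "Dial-Up VPN" as its source or destination, so this edit is rejected there.

```screenos
# Step 1: address object(s) in the Untrust zone (constructed placeholder range)
set address Untrust "partner-range" 203.0.113.0 255.255.255.0

# Step 2: address group holding the allowed source objects
set group address Untrust "vpn-sources" add "partner-range"

# Step 3: the Untrust->DMZ policy with the group as source instead of "Any"
# (placeholder policy id and destination object name)
set policy id 20 from Untrust to DMZ "vpn-sources" "dmz-server" ANY permit
save
```

Verify with `get policy id 20`, which prints the source address object actually bound to the policy.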
09-15-2011 07:41 AM
Our source address for this policy is 'Dial-Up VPN', which is apparently built in. If we try to change the source address to an IP group we get the following error:
You must use 'Dial-Up VPN' as one the source or destination address of a policy configured with a dial-up VPN.
09-16-2011 04:08 AM
Sorry about that, I didn't catch the requirement for the source object. If you can't narrow that policy, I can't think of a way to restrict the access.