ScreenOS Firewalls (NOT SRX)
Contributor
MSUTech
Posts: 13
Registered: ‎04-14-2009
0

VPN/XAuth -> Can I still restrict UnTrusted IP Access?

Hello All...

 

1. People come from [UnTrusted] IP addresses

2. at the Juniper Firewall they are authenticated (VPN) against an [Active Directory] server

3. once authenticated, they have access to a server within our DMZ

 

_________________________________________________________

question:

 

Can I maintain the VPN authentication but change the FIRST STEP above to a specific set of IP addresses? If so, how?

 

example:

People come from [UnTrusted] IP address RANGE of (234.345.*.*) ...

 

 

thanks...

Distinguished Expert
spuluka
Posts: 2,808
Registered: ‎03-30-2009
0

Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

You will just need to modify your VPN access policy that goes from Untrust to your DMZ.

 

Create the address objects you want as source addresses in the untrust zone

Policy--Policy Elements--Addresses--List

 

Create an address group of these objects

Policy--Policy Elements--Addresses--Groups

 

Edit the policy and change the source address from "any" to your new group

Policy--Policies--Edit

Steve Puluka BSEET
Juniper Ambassador
Expert Network Security Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
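The same three WebUI steps (address objects, address group, policy source change), written out as ScreenOS CLI so the change can be scripted and verified. This is an added example, not part of the post above. The zone names Untrust and DMZ, the address names, the documentation-range prefixes 198.51.100.0/24 and 203.0.113.0/24, the DMZ server 192.0.2.10, policy id 10 and the VPN name to-dmz-vpn are all assumptions for illustration; lines starting with # are annotations, not commands. Note, as the rest of this thread shows, that this edit only applies to a policy whose source is an ordinary address object: a policy configured with a dial-up VPN must keep the built-in 'Dial-Up VPN' object as its source or destination, and the device rejects the group as a replacement.

```screenos
# --- 1. Address objects in the Untrust zone (WebUI: Policy > Policy Elements > Addresses > List)
# Only the networks that remote users are allowed to connect FROM.
set address "Untrust" "vpn-src-net1" 198.51.100.0 255.255.255.0 "allowed VPN source block 1 (assumed)"
set address "Untrust" "vpn-src-net2" 203.0.113.0 255.255.255.0 "allowed VPN source block 2 (assumed)"

# The DMZ host that authenticated users may reach (assumed address).
set address "DMZ" "dmz-server" 192.0.2.10 255.255.255.255 "DMZ application server"

# --- 2. Address group holding those objects (WebUI: Policy > Policy Elements > Addresses > Groups)
set group address "Untrust" "vpn-allowed-sources" comment "Source networks permitted to use the VPN"
set group address "Untrust" "vpn-allowed-sources" add "vpn-src-net1"
set group address "Untrust" "vpn-allowed-sources" add "vpn-src-net2"

# --- 3. The policy (WebUI: Policy > Policy Elements > Policies > Edit)
# Weak setting: source "Any" lets every untrusted address attempt the tunnel.
set policy id 10 from "Untrust" to "DMZ" "Any" "dmz-server" "ANY" tunnel vpn "to-dmz-vpn" log

# Corrected setting: enter the policy context, swap the source from "Any" to the group.
set policy id 10
set src-address "vpn-allowed-sources"
unset src-address "Any"
exit

# --- Verify and persist
# Confirm the source column now shows the group, not Any, before saving.
get policy id 10
get group address "Untrust" "vpn-allowed-sources"
save
```

Check the `get policy id 10` output before `save`: if the source still lists Any alongside the group, the `unset` did not take and the policy is no narrower than before.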
Contributor
MSUTech
Posts: 13
Registered: ‎04-14-2009
0

Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

Our source address for this policy is 'Dial-Up VPN', which is apparently built in. If we try to change the source address to an IP group we get the following error:

 

You must use 'Dial-Up VPN' as one the source or destination address of a policy configured with a dial-up VPN.

Distinguished Expert
spuluka
Posts: 2,808
Registered: ‎03-30-2009
0

Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

Sorry about that, I didn't catch the requirement for the source object. If you can't narrow that policy, I can't think of a way to restrict the access.

Steve Puluka BSEET
Juniper Ambassador
Expert Network Security Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.