SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Filter traffic within policy based vpn

    Posted 01-19-2011 05:41

    Hi,

    I'm setting up a policy-based VPN with a Cisco device on an SRX 240 chassis cluster. I have multiple subnets which need to be reachable through the VPN. I know I have to make multiple gw's because of the single subnet proxy-id support. Is it possible to define a subnet and allow that and filter within the VPN?

    Let's say:

    Juniper local net: 192.168.10.0/24

    Cisco remote nets: 10.20.30.0/24 & 192.168.20.0/24

    I want to allow traffic and have an exception (within the Juniper cluster):

    permit tcp host 192.168.10.10 host 10.20.30.40 eq 25

    deny tcp 192.168.10.0/24 10.20.30.0/24 eq 25

    permit ip 192.168.10.0/24 10.20.30.0/24

    How is that possible with Junos?

    Regards,

    PisPix



  • 2.  RE: Filter traffic within policy based vpn
    Best Answer

    Posted 01-19-2011 06:24

    You will have your remote networks defined under your untrust zone for your VPN pair policies.

    So.

    Before you get into your VPN pair policies on trust to untrust, insert a policy that negates source-address 192.168.10.0/24 destination-address 10.20.30.0/24 application junos-smtp then deny.

    Then jump into your pair policies.
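The ordering the answer describes, written out as an added Junos set-mode example (not from the thread or from Juniper): the host exception from the original ACL is placed first, the subnet-wide SMTP deny second, and the existing trust-to-untrust pair policy last, since SRX policies are evaluated first-match. Zone names "trust"/"untrust", the VPN name "vpn-to-cisco", the reverse pair policy "vpn-in" and all policy/address names are assumed placeholders.

```junos
# Added example, not the thread's own config. Assumes zones trust/untrust,
# an existing IPsec VPN "vpn-to-cisco" and an untrust-to-trust policy "vpn-in"
# that pairs with "vpn-out" (all placeholder names).

# Address-book entries (per-zone style, as used on 2011-era Junos)
set security zones security-zone trust address-book address local-net 192.168.10.0/24
set security zones security-zone trust address-book address smtp-client-host 192.168.10.10/32
set security zones security-zone untrust address-book address remote-net-a 10.20.30.0/24
set security zones security-zone untrust address-book address smtp-server-host 10.20.30.40/32

# 1. Host exception: the one client may reach the one server on SMTP, through the tunnel
set security policies from-zone trust to-zone untrust policy allow-smtp-exception match source-address smtp-client-host
set security policies from-zone trust to-zone untrust policy allow-smtp-exception match destination-address smtp-server-host
set security policies from-zone trust to-zone untrust policy allow-smtp-exception match application junos-smtp
set security policies from-zone trust to-zone untrust policy allow-smtp-exception then permit tunnel ipsec-vpn vpn-to-cisco
set security policies from-zone trust to-zone untrust policy allow-smtp-exception then log session-init

# 2. Deny SMTP for the rest of the subnet pair; logged so blocked attempts are visible in the syslog
set security policies from-zone trust to-zone untrust policy deny-smtp match source-address local-net
set security policies from-zone trust to-zone untrust policy deny-smtp match destination-address remote-net-a
set security policies from-zone trust to-zone untrust policy deny-smtp match application junos-smtp
set security policies from-zone trust to-zone untrust policy deny-smtp then deny
set security policies from-zone trust to-zone untrust policy deny-smtp then log session-init

# 3. Existing VPN pair policy: everything else between the two subnets goes through the tunnel
set security policies from-zone trust to-zone untrust policy vpn-out match source-address local-net
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address remote-net-a
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn vpn-to-cisco pair-policy vpn-in

# If vpn-out already exists, move the two new policies above it so they are hit first
insert security policies from-zone trust to-zone untrust policy deny-smtp before policy vpn-out
insert security policies from-zone trust to-zone untrust policy allow-smtp-exception before policy deny-smtp
```

Check the result with "show security policies from-zone trust to-zone untrust" and confirm the three policies appear in this order; the deny only covers sessions initiated from the trust side, so SMTP initiated from the remote subnet needs an equivalent deny above the untrust-to-trust pair policy if it should be blocked too.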



  • 3.  RE: Filter traffic within policy based vpn

    Posted 01-19-2011 06:48

    Thank you, that seems logical. I will test and report back. Also, thank you for your previous post regarding the VPN connection between ASA/Junos, very useful!

    Regards,

    PisPix