SRX Services Gateway

Filter traffic within policy based vpn

01-19-2011 05:40 AM

Hi,


I'm setting up a policy based VPN with a Cisco device on a SRX 240 Chassis cluster. I have multiple subnets which need to be reachable through the VPN. I know I have to make multiple gateways because of the single-subnet proxy-id support. Is it possible to define a subnet and allow that and filter within the VPN?

Let's say:


Juniper Local net: 192.168.10.0/24

Cisco Remote nets: 10.20.30.0/24 & 192.168.20.0/24


I want to allow traffic and have an exception (within the Juniper cluster):


permit tcp host 192.168.10.10 host 10.20.30.40 eq 25

deny tcp 192.168.10.0/24 10.20.30.0/24 eq 25

permit ip 192.168.10.0/24 10.20.30.0/24


How is that possible with Junos?


Regards,


PisPix

2 REPLIES

Re: Filter traffic within policy based vpn

01-19-2011 06:24 AM

You will have your remote networks defined under your untrust zone for your VPN pair policies.


So.


Before you get into your VPN pair policies on trust to untrust, insert a policy that negates source-address 192.168.10.0/24 destination-address 10.20.30.0/24 application junos-smtp then deny.


Then jump into your pair policies.
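As an added illustration of the ordering described in this reply (this is not the poster's or the replier's own configuration), here is a hierarchical Junos configuration for the trust-to-untrust direction with the deny placed in front of the tunnel pair policies. It also keeps the single host-to-host SMTP exception from the question in front of the deny, because Junos evaluates security policies top-down and the first match wins. The zone names trust/untrust, the address-book entry names, the policy names and the VPN name vpn-cisco-lan are assumptions; the per-zone address-book syntax is the form used on SRX releases of that era, and only the 10.20.30.0/24 remote subnet is shown, since each policy-based VPN here carries one subnet.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                /* local side, taken from the question; names are assumed */
                address local-lan 192.168.10.0/24;
                address mail-relay 192.168.10.10/32;
            }
        }
        security-zone untrust {
            address-book {
                /* remote Cisco side, one subnet per policy-based VPN */
                address remote-lan 10.20.30.0/24;
                address remote-mail 10.20.30.40/32;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* 1. host-to-host SMTP exception: matched first, still sent into the tunnel */
            policy vpn-smtp-exception {
                match {
                    source-address mail-relay;
                    destination-address remote-mail;
                    application junos-smtp;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn vpn-cisco-lan;
                            pair-policy vpn-smtp-exception-in;
                        }
                    }
                }
            }
            /* 2. all other SMTP from the local to the remote subnet is dropped
               here, before the tunnel policy below can match it */
            policy deny-smtp {
                match {
                    source-address local-lan;
                    destination-address remote-lan;
                    application junos-smtp;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
            /* 3. everything else between the two subnets goes through the VPN */
            policy vpn-out {
                match {
                    source-address local-lan;
                    destination-address remote-lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn vpn-cisco-lan;
                            pair-policy vpn-in;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            /* mirror (pair) policies for the reverse direction of each tunnel policy */
            policy vpn-smtp-exception-in {
                match {
                    source-address remote-mail;
                    destination-address mail-relay;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn vpn-cisco-lan;
                            pair-policy vpn-smtp-exception;
                        }
                    }
                }
            }
            policy vpn-in {
                match {
                    source-address remote-lan;
                    destination-address local-lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn vpn-cisco-lan;
                            pair-policy vpn-out;
                        }
                    }
                }
            }
        }
    }
}
```

After committing, confirm the order with `show security policies from-zone trust to-zone untrust`; if the deny was added to a context that already held the tunnel policy, move it with `insert security policies from-zone trust to-zone untrust policy deny-smtp before policy vpn-out` in configuration mode, since a later policy never sees traffic an earlier one has already matched. Note that the untrust-to-trust direction above only carries the pair policies, so SMTP sessions initiated from the remote side towards 192.168.10.0/24 would still be permitted by vpn-in; if that direction is meant to be blocked as well, add a mirrored deny policy in front of vpn-in.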


Re: Filter traffic within policy based vpn

01-19-2011 06:48 AM

Thank you, that seems logical. I will test and report back. Also, thank you for your previous post regarding the VPN connection between ASA/Junos, very useful!


Regards,


PisPix