SRX Services Gateway

Restricting access policy assistance

08-28-2018 06:35 AM

I think this will be relatively simple to achieve, but I can't get over the final hurdle:


I have a site (A) connected via VPN. At the moment 'inter-site' traffic, i.e. between me, the site in question and any other connected sites, is allowed. However, I wish this remote site to only be able to access the internet (locally connected via the SRX) and not the wider internal network (for security reasons), but I need to maintain 'admin' of this site from my location. We use OSPF for routing. I think the solution is to leave OSPF alone and configure a local firewall rule (or rules) of some sort on the remote SRX, or perhaps apply a filter?!


Any thoughts?


Re: Restricting access policy assistance

08-29-2018 12:24 AM



Block access to all other networks. Allow this site/network access to the Internet via the physical or logical instances/interfaces.


I'm guessing from your site you NAT? Or is it VPN DHCP allocated address? Allow your source address or allocated address range to the site network.


I'm not sure what your current topology is, including your VPN so it's hard to give a definitive answer.


Do you have separate routing instances or is it just simply trust/untrust?


Can you post a topology diagram please?


Do you need other networks to access this site? Makes it trickier with the policies as you need a return route for those networks...


That's my two pence for what it's worth  🙂




Re: Restricting access policy assistance

08-29-2018 03:09 AM

Sounds like you currently have a site-to-site VPN that is route-based, using OSPF from the remote site to the hub.


There will be a security policy on both the hub and the remote site that allows traffic from this VPN. Based on your message this is likely an allow-all policy. You can find that by looking at the security zone name for the tunnel interface and the zone name for the local traffic.

On the remote site, find the zone of the tunnel interface (st0.x), then repeat with the local LAN interface:

show configuration security zones | display set | match st0.x

Using these names:

show security policies from-zone VPN_NAME to-zone LOCAL_NAME

show security policies from-zone LOCAL_NAME to-zone VPN_NAME

Now you can create new policies in these zone-to-zone locations that include the restrictions you want to enforce and delete the current policies.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
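A worked version of the policy set that the question asks for and the answer above outlines, added here as an example; it was not posted by anyone in this thread. It assumes, on the remote SRX, that the route-based tunnel is st0.0 in a zone named vpn, the site LAN is 192.168.10.0/24 in zone trust, the local internet uplink is in zone untrust, the admin host at the hub is 10.1.1.10/32, and a source NAT rule towards the untrust interface already exists. Every zone name, address, application and policy name (including OLD-ALLOW-ALL, which stands for whatever "show security policies" returned) is a placeholder. The "##" lines are explanatory comments; strip them before pasting into "load set terminal".

```junos
## Address-book entries referenced by the policies (placeholder prefixes)
set security address-book global address ADMIN-HOST 10.1.1.10/32
set security address-book global address SITE-LAN 192.168.10.0/24

## Leave OSPF running over the tunnel, and admit only the management
## traffic the SRX itself must accept on st0.0 (ping/ssh from the hub)
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ssh

## Site LAN -> local internet only (source NAT assumed to exist already)
set security policies from-zone trust to-zone untrust policy SITE-TO-INTERNET match source-address SITE-LAN
set security policies from-zone trust to-zone untrust policy SITE-TO-INTERNET match destination-address any
set security policies from-zone trust to-zone untrust policy SITE-TO-INTERNET match application any
set security policies from-zone trust to-zone untrust policy SITE-TO-INTERNET then permit

## Hub admin host -> site LAN, SSH and HTTPS only; anything else arriving
## over the tunnel is dropped and logged at session setup
set security policies from-zone vpn to-zone trust policy ADMIN-TO-SITE match source-address ADMIN-HOST
set security policies from-zone vpn to-zone trust policy ADMIN-TO-SITE match destination-address SITE-LAN
set security policies from-zone vpn to-zone trust policy ADMIN-TO-SITE match application junos-ssh
set security policies from-zone vpn to-zone trust policy ADMIN-TO-SITE match application junos-https
set security policies from-zone vpn to-zone trust policy ADMIN-TO-SITE then permit
set security policies from-zone vpn to-zone trust policy DENY-FROM-VPN match source-address any
set security policies from-zone vpn to-zone trust policy DENY-FROM-VPN match destination-address any
set security policies from-zone vpn to-zone trust policy DENY-FROM-VPN match application any
set security policies from-zone vpn to-zone trust policy DENY-FROM-VPN then deny
set security policies from-zone vpn to-zone trust policy DENY-FROM-VPN then log session-init

## Site LAN -> internal network over the tunnel: drop and log. Admin
## sessions still work because return traffic matches the existing
## flow session created by ADMIN-TO-SITE, not this policy
set security policies from-zone trust to-zone vpn policy DENY-SITE-TO-INTERNAL match source-address any
set security policies from-zone trust to-zone vpn policy DENY-SITE-TO-INTERNAL match destination-address any
set security policies from-zone trust to-zone vpn policy DENY-SITE-TO-INTERNAL match application any
set security policies from-zone trust to-zone vpn policy DENY-SITE-TO-INTERNAL then deny
set security policies from-zone trust to-zone vpn policy DENY-SITE-TO-INTERNAL then log session-init

## Remove the old allow-all policies in both directions. Policies are
## evaluated top-down, so a deny added below a permit-any never matches;
## deleting the old entries avoids that ordering trap
delete security policies from-zone vpn to-zone trust policy OLD-ALLOW-ALL
delete security policies from-zone trust to-zone vpn policy OLD-ALLOW-ALL
```

After "commit check" and "commit", confirm the ordering with "show security policies from-zone vpn to-zone trust" and watch "show security flow session" while opening an SSH session from the admin host and a test connection from the site LAN towards an internal address. Two caveats: host-inbound-traffic is not filtered by security policy, so anything that can reach the st0.0 address from the internal network can attempt SSH to the SRX itself unless a loopback firewall filter restricts the source; and OSPF will keep advertising the site prefix to the hub, so mirror the deny on the hub-side policies as the answer suggests rather than relying on the remote SRX alone.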

Re: Restricting access policy assistance

08-30-2018 04:01 AM

Thank you both for your replies. I will review and get back to you.