SRX Services Gateway

SSH Access via VPN Only

[ Edited ]
06-18-2018 12:59 AM

Is it possible to have two policies from the same zone to the same zone to only allow SSH access from the VPN range of addresses rather than from everywhere please?


I will try and explain the issue:


I have a "Customer-VR" which is connected to an aggregated interface "AE1". This in turn is connected to the internal network where the LNS resides and the Core.

I have a second VR, let's call it "ssh-vpn-VR". This has a physical interface of ge-0/0/8.

The ST interface, as the end point for data, is located within the "Customer-VR".


This all works perfectly at the moment but now I have the issue of allowing all traffic other than SSH through the Customer-VR but only SSH traffic from the VPN. So, can I craft two policies to complete this please?


Re: SSH Access via VPN Only

06-18-2018 01:27 AM

If SSH access is working as you expect with one policy "application any", you can configure a more specific policy to restrict the access. Make sure you place the specific policy above the any-any policy.


Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Solution accepted by topic author adgwytc, 06-18-2018 06:02 AM

Re: SSH Access via VPN Only

[ Edited ]
06-18-2018 02:38 AM

You actually need three policies:


1. allow ssh from the desired subnets to desired sources
2. deny ssh for any any
3. your current allow all policy


This will permit the desired ssh and deny all the other ssh before passing to your base policy.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SSH Access via VPN Only

06-18-2018 03:18 AM

Hi Spuluka,


So, I would need something like the following:


set security policies from-zone Customer-Network to-zone radius-server policy test match source-address <VPN Address Range>
set security policies from-zone Customer-Network to-zone radius-server policy test match destination-address <radius server>
set security policies from-zone Customer-Network to-zone radius-server policy test match application junos-ssh
set security policies from-zone Customer-Network to-zone radius-server policy test then permit

set security policies from-zone Customer-Network to-zone radius-server policy test1 match source-address any
set security policies from-zone Customer-Network to-zone radius-server policy test1 match destination-address <radius server>
set security policies from-zone Customer-Network to-zone radius-server policy test1 match application junos-ssh
set security policies from-zone Customer-Network to-zone radius-server policy test1 then deny

set security policies from-zone Customer-Network to-zone radius-server policy test2 match source-address any
set security policies from-zone Customer-Network to-zone radius-server policy test2 match destination-address <radius-server>
set security policies from-zone Customer-Network to-zone radius-server policy test2 match application <applications>
set security policies from-zone Customer-Network to-zone radius-server policy test2 then permit


Is this right?
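As an added illustration of why the accepted answer's three-policy order works (this is not configuration or code from the thread or from Juniper), the Python below models the SRX first-match policy lookup over the policies test, test1 and test2 and shows what happens when the deny is placed above the VPN permit. The VPN range, RADIUS address and application names are constructed stand-ins, and application matching is simplified to a name comparison rather than protocol and port.

```python
"""Model SRX first-match security-policy lookup for the three-policy
layout discussed above (added example; not from the thread or Juniper).
Addresses are constructed stand-ins for <VPN Address Range> / <radius server>."""
import ipaddress
from dataclasses import dataclass


def _in_prefix(prefix: str, addr: str) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


@dataclass(frozen=True)
class Policy:
    name: str
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    application: str  # simplified: application name or "any"
    action: str       # "permit" or "deny"

    def matches(self, src: str, dst: str, app: str) -> bool:
        return (_in_prefix(self.source, src)
                and _in_prefix(self.destination, dst)
                and self.application in ("any", app))


def evaluate(policies, src, dst, app):
    """Return (policy, action) of the first matching policy in list order.
    A flow that matches nothing falls to the SRX default policy, which is deny."""
    for p in policies:
        if p.matches(src, dst, app):
            return p.name, p.action
    return "default-policy", "deny"


VPN_RANGE = "10.200.0.0/24"     # constructed <VPN Address Range>
RADIUS = "192.0.2.10/32"        # constructed <radius server>

# Order recommended in the accepted answer: specific permit, then deny, then base permit
ORDERED = [
    Policy("test", VPN_RANGE, RADIUS, "junos-ssh", "permit"),
    Policy("test1", "any", RADIUS, "junos-ssh", "deny"),
    Policy("test2", "any", RADIUS, "any", "permit"),
]
# Same policies with the deny placed first: the ordering mistake the first reply warns about
MISORDERED = [ORDERED[1], ORDERED[0], ORDERED[2]]

if __name__ == "__main__":
    for label, flow in [("vpn ssh", ("10.200.0.25", "192.0.2.10", "junos-ssh")),
                        ("lan ssh", ("10.50.1.7", "192.0.2.10", "junos-ssh")),
                        ("lan radius", ("10.50.1.7", "192.0.2.10", "junos-radius"))]:
        print(label, "ordered:", evaluate(ORDERED, *flow), "misordered:", evaluate(MISORDERED, *flow))
```

With the recommended order, SSH from the VPN range hits test and is permitted, SSH from anywhere else hits test1 and is denied, and non-SSH traffic passes through to test2; with the deny moved above the permit, VPN SSH is denied as well.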



Re: SSH Access via VPN Only

06-18-2018 06:01 AM

Worked perfectly. Thank you Spuluka
