ScreenOS Firewalls (NOT SRX)

VPN/XAuth -> Can I still restrict UnTrusted IP Access?

09-14-2011 10:15 AM

Hello All...

1. People come from [UnTrusted] IP addresses

2. At the Juniper Firewall they are authenticated (VPN) against an [Active Directory] server

3. Once authenticated, they have access to a server within our DMZ


_________________________________________________________

question:

Can I maintain the VPN authentication but change the FIRST STEP above to a specific set of IP addresses? If so, how?


example:

People come from [UnTrusted] IP address RANGE of (234.345.*.*) ...

thanks...

3 REPLIES

Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

09-14-2011 03:57 PM

You will just need to modify your VPN access policy that goes from untrust to your DMZ.

Create the address objects you want as source addresses in the untrust zone

Policy--Policy Elements--Addresses--List


Create an address group of these objects

Policy--Policy Elements--Addresses--Groups


Edit the policy and change the source address from "any" to your new group

Policy--Policies--Edit

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

09-15-2011 07:41 AM

Our Source Address for this policy is 'Dial-Up VPN'... which is apparently built-in... if we try to change the source address to an IP group we get the following error:

You must use 'Dial-Up VPN' as one the source or destination address of a policy configured with a dial-up VPN.


Re: VPN/XAuth -> Can I still restrict UnTrusted IP Access?

09-16-2011 04:08 AM

Sorry about that, I didn't catch the requirement for the source object. If you can't narrow that policy, I can't think of a way to restrict the access.

Steve Puluka BSEET