Screen OS

  • 1.  how can I connect via vpn to a few hosts in one subnet but not others with a single policy?

    Posted 10-19-2011 17:54

    Hi guys, I have 4 different AD sites each with an SSG device.  It's ok for sites A and B to have full access to sites C and D, but as far as the other way around we only want a couple of hosts to be able to talk to sites A and B.

    I am having trouble figuring out how to set this up without having to create a ton of individual tunnel policies for each pair of server objects to talk to each other.

    It would be easy if I set up a separate subnet for servers and workstations at sites C and D, but unfortunately I have SSG5s there which would limit server to workstation communication to 100 mbits.

    Is it possible to somehow configure address objects to "carve" out a small portion of the /24 subnets at sites C and D and allow those to talk freely to sites A and B?

    Thanks!

    Wes



  • 2.  RE: how can I connect via vpn to a few hosts in one subnet but not others with a single policy?
    Best Answer

    Posted 10-20-2011 04:07

    Hi Wes,

    The answer is very simple - route based VPN.

    You can either configure a dedicated tunnel interface for each remote gateway or terminate multiple VPNs on a single tunnel interface and use NHTB for correct routing.

    The point is that the VPN as such and the access policies are de-coupled from each other if route based VPN is used. You can route an entire network through a tunnel but allow access to only a couple of remote hosts, fully independent of the VPN. And you can change the access policy at any time while the VPN configuration stays the same all the time.
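    Added illustration (not part of the answer above, and not taken from any Juniper document): a ScreenOS configuration for the SSG at site C using the first option mentioned, one tunnel interface per remote gateway. All names, interface numbers, peer addresses and subnets are made up for the example (203.0.113.x peers, 10.x.0.0/24 site networks); the pre-shared key is a placeholder that must be replaced.

```screenos
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0

set ike gateway "gw-siteA" address 203.0.113.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-REAL-PSK" sec-level standard
set vpn "vpn-siteA" gateway "gw-siteA" sec-level standard
set vpn "vpn-siteA" bind interface tunnel.1
set vpn "vpn-siteA" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

set ike gateway "gw-siteB" address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-REAL-PSK" sec-level standard
set vpn "vpn-siteB" gateway "gw-siteB" sec-level standard
set vpn "vpn-siteB" bind interface tunnel.2
set vpn "vpn-siteB" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

set route 10.1.0.0/24 interface tunnel.1
set route 10.2.0.0/24 interface tunnel.2

set address untrust "net-A" 10.1.0.0 255.255.255.0
set address untrust "net-B" 10.2.0.0 255.255.255.0
set address trust "net-C" 10.3.0.0 255.255.255.0
set address trust "srv-C-dc1" 10.3.0.10 255.255.255.255
set address trust "srv-C-file1" 10.3.0.11 255.255.255.255
set group address trust "grp-C-allowed" add "srv-C-dc1"
set group address trust "grp-C-allowed" add "srv-C-file1"
set group address untrust "grp-AB" add "net-A"
set group address untrust "grp-AB" add "net-B"

set policy from untrust to trust "grp-AB" "net-C" any permit
set policy from trust to untrust "grp-C-allowed" "grp-AB" any permit
```

    The routes send the whole of site A and site B through the tunnel interfaces, and the wildcard proxy-id lets the tunnel carry any traffic; the policies alone decide who may use it. Inbound, all of A and B reach all of net-C; outbound, only the two hosts in "grp-C-allowed" reach A and B, and the rest of the /24 is dropped by the implicit deny. Adding or removing a permitted host is a change to the address group, with no change to the VPN or routing configuration. Site D gets the same configuration with its own subnet and host objects.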



  • 3.  RE: how can I connect via vpn to a few hosts in one subnet but not others with a single policy?

    Posted 10-20-2011 12:27

    thank you!  looked it up and got it going; working great.