VPN Question

Answered Question

Hi

I am creating a VPN between a Juniper and PIX 8.x

I have successfully created the tunnel between the remote network (Juniper, 10.160.0.0/16) and the local network (PIX, 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.

Now I want to restrict access via the tunnel so that remote host 10.160.2.70 has access only to local host 10.118.10.102.

Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPsec traffic from the remote host peer?

Any help or examples would be appreciated.

Thanks

Rod

Correct Answer by Jennifer Halim about 6 years 8 months ago

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.

Jennifer Halim Tue, 04/06/2010 - 02:18

You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.

Example:

  access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102
  !
  group-policy juniper-policy internal
  group-policy juniper-policy attributes
    vpn-filter value juniper-filter
  !
  ! tunnel-group name not given in the post; for a LAN-to-LAN tunnel it is the Juniper peer's IP address
  tunnel-group <juniper-peer-ip> general-attributes
    default-group-policy juniper-policy

Hope that helps.
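The point that trips people up with vpn-filter is direction: the ACL is written from the tunnel's point of view (source = remote host, destination = local host) and the firewall applies that single ACL to traffic both ways, swapping source and destination for packets leaving through the tunnel. The following Python model illustrates that rule on the access-list from the answer above; it is an added example, not code or configuration from the original post or from Cisco, and it is a simplified model (addresses and protocol only, no ports). The reversed access-list used for comparison is constructed here to show what happens when the ACL is written from the local side instead.

```python
"""Model of how a PIX/ASA vpn-filter ACL is evaluated on a LAN-to-LAN tunnel.

Added illustration, not configuration or code from the original post. It models
two documented rules of vpn-filter: the ACL is written from the tunnel's point of
view (source = remote host/network, destination = local host/network), and the
firewall applies that one ACL in both directions, swapping source and destination
for traffic leaving through the tunnel. Simplified model: addresses and protocol
only, no ports; not the firewall's actual code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network   # remote side, as written in the ACL
    dst: ipaddress.IPv4Network   # local side, as written in the ACL


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'NET MASK' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config_lines, name):
    """Collect the ACEs of access-list NAME from PIX/ASA-style config lines."""
    aces = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def acl_permits(aces, proto, src, dst):
    """First-match evaluation with the implicit deny every ACL ends with."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def vpn_filter_allows(aces, proto, src, dst, direction):
    """direction is 'inbound' (decrypted packet arriving from the tunnel,
    remote -> local) or 'outbound' (packet about to enter the tunnel,
    local -> remote). Outbound packets are checked with source and
    destination swapped, which is why one ACL written remote -> local
    covers both the request and the reply."""
    if direction == "inbound":
        return acl_permits(aces, proto, src, dst)
    if direction == "outbound":
        return acl_permits(aces, proto, dst, src)
    raise ValueError(f"unknown direction {direction!r}")


# The access-list from the answer above, plus a constructed variant written from
# the local side's point of view (the common mistake), for comparison.
CORRECT_FILTER = parse_acl(
    ["access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102"],
    "juniper-filter",
)
REVERSED_FILTER = parse_acl(
    ["access-list reversed-filter permit ip host 10.118.10.102 host 10.160.2.70"],
    "reversed-filter",
)


def check_flows(aces):
    """Return which of a few representative flows the filter lets through."""
    f = vpn_filter_allows
    return {
        "remote host -> allowed local host": f(aces, "tcp", "10.160.2.70", "10.118.10.102", "inbound"),
        "remote host -> other local host": f(aces, "tcp", "10.160.2.70", "10.118.10.103", "inbound"),
        "other remote host -> allowed local host": f(aces, "icmp", "10.160.2.71", "10.118.10.102", "inbound"),
        "allowed local host -> remote host (reply or new session)": f(aces, "tcp", "10.118.10.102", "10.160.2.70", "outbound"),
        "other local host -> remote host": f(aces, "tcp", "10.118.10.101", "10.160.2.70", "outbound"),
    }


if __name__ == "__main__":
    for label, aces in (("correct (remote -> local)", CORRECT_FILTER),
                        ("reversed (local -> remote)", REVERSED_FILTER)):
        print(label)
        for flow, allowed in check_flows(aces).items():
            print(f"  {'permit' if allowed else 'deny  '}  {flow}")
```

Running it shows the answer's access-list permitting exactly the 10.160.2.70 <-> 10.118.10.102 pair in both directions while every other flow hits the implicit deny, and the reversed access-list permitting nothing at all, which is the usual symptom when a vpn-filter is written with local and remote the wrong way round.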
