VPN Question

Answered Question

Hi


I am creating a VPN between a Juniper and PIX 8.x


I have successfully created the tunnel between the remote network (Juniper 10.160.0.0/16) and the local network (PIX 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.


Now I want to restrict access via the tunnel so that remote host 10.160.2.70 only has access to local host 10.118.10.102.


Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPsec traffic from the remote host peer?


Any help or examples would be appreciated.


Thanks


Rod

Jennifer Halim Tue, 04/06/2010 - 02:18
User Badges: Cisco Employee

You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.


Example:

! vpn-filter ACL: source is the remote (Juniper) host, destination is the local host
access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102
!
group-policy juniper-policy internal
group-policy juniper-policy attributes
 vpn-filter value juniper-filter
!
! <juniper-peer-ip> is a placeholder for the IPsec peer address of the Juniper,
! which is the tunnel-group name; the thread does not give it
tunnel-group <juniper-peer-ip> general-attributes
 default-group-policy juniper-policy


Hope that helps.
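An added check, not part of the original thread or of any Cisco tool, that models how the PIX evaluates that vpn-filter: entries are written with the remote host as source and the local host as destination, the first match wins in both directions, and anything unmatched hits the implicit deny, so the rest of 10.160.0.0/16 loses tunnel access once the filter is applied. The address-spec parser (host / any / network mask) is my own assumption about the subset of ACL syntax worth handling.

```python
import ipaddress

# Constructed input: the vpn-filter ACL from the answer above, in the
# PIX/ASA form "access-list <name> permit|deny ip <src-spec> <dst-spec>".
FILTER_LINES = [
    "access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102",
]

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NETWORK MASK'
    (assumed subset of the ACL syntax); returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_filter(lines):
    """Turn IP ACEs into an ordered list of (action, src_net, dst_net)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        aces.append((t[2], src, dst))
    return aces

def vpn_filter_permits(aces, remote_ip, local_ip):
    """Decide one flow the way the vpn-filter does: ACEs are written with the
    remote (peer-side) host as source and the local host as destination, the
    first matching ACE wins, and the same ACL governs both directions because
    the firewall evaluates local->remote traffic with the addresses swapped.
    Anything unmatched hits the implicit deny, which is why every other host
    in 10.160.0.0/16 loses tunnel access once this filter is applied."""
    r, l = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    for action, src, dst in aces:
        if r in src and l in dst:
            return action == "permit"
    return False

if __name__ == "__main__":
    rules = parse_filter(FILTER_LINES)
    for remote, local in [("10.160.2.70", "10.118.10.102"),
                          ("10.160.2.71", "10.118.10.102"),
                          ("10.160.2.70", "10.118.10.103")]:
        verdict = "permit" if vpn_filter_permits(rules, remote, local) else "deny"
        print(f"{remote} <-> {local}: {verdict}")
```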

Correct Answer
Jennifer Halim Tue, 04/06/2010 - 02:33
User Badges: Cisco Employee

No, you do not have to disable the sysopt connection permit-vpn command.


This vpn-filter is applied to the tunnel-group for Juniper.
