VPN Question

Rod.Blackie
Level 1

Hi

I am creating a VPN between a Juniper and PIX 8.x

I have successfully created the tunnel between the remote network (Juniper, 10.160.0.0/16) and the local network (PIX, 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.

Now I want to restrict access via the tunnel so that remote host 10.160.2.70 only has access to local host 10.118.10.102.

Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPsec traffic from the remote host peer?

Any help or examples would be appreciated.

Thanks

Rod


Jennifer Halim
Cisco Employee

You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.

Example:

! vpn-filter ACLs are written remote (tunnel) side as source, local side as destination
access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102

group-policy juniper-policy internal
group-policy juniper-policy attributes
     vpn-filter value juniper-filter

! <juniper-peer-ip> is a placeholder for the name of the existing L2L tunnel-group
! (the Juniper peer address); the peer address is not given in this thread
tunnel-group <juniper-peer-ip> general-attributes
     default-group-policy juniper-policy

Hope that helps.
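As an added illustration, not part of Jennifer's reply or any Cisco code, the following Python model shows how the PIX/ASA evaluates a vpn-filter: the ACE is written with the remote host as source and the local host as destination, the same ACE is matched with source and destination swapped for traffic leaving through the tunnel, and anything not matched hits the implicit deny. The ACL text is the one from the reply above; the flow addresses checked against it are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the vpn-filter ACE from the reply above, in PIX/ASA syntax.
ACL_TEXT = """
access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102
"""

@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text, name):
    """Return the ACEs of the named access-list in order (protocol 'ip' only)."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", name] or parts[3] != "ip":
            continue
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(parts[2], src, dst))
    return aces

def vpn_filter_permits(aces, src_ip, dst_ip, outbound=False):
    """Evaluate one flow the way the PIX/ASA applies a vpn-filter.

    The ACL is written remote -> local. For traffic leaving through the tunnel
    (outbound=True, local -> remote) the firewall matches with source and
    destination swapped, so one ACE covers both directions. Anything that
    matches no ACE hits the implicit deny at the end of the list.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if outbound:
        s, d = d, s
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False
```

Because of the implicit deny at the end of the filter, only the listed host pair passes in either direction even though sysopt connection permit-vpn still lets decrypted traffic bypass the outside interface ACL.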

Thanks for your quick response.

If I configure the vpn-filter as you have indicated, do I need to issue the no sysopt connection permit-vpn command?

I need to be 100% sure that only traffic from the 10.160.2.70 host will be allowed to host 10.118.10.102.

Thanks again

Rod

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.

Many thanks for your help.

Rod
