580 Views | 0 Helpful | 5 Replies

VPN Question

Rod.Blackie
Level 1

Hi

I am creating a VPN between a Juniper and PIX 8.x

I have successfully created the tunnel between the remote network (Juniper 10.160.0.0/16) and the local network (PIX 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.

Now I want to restrict access via the tunnel so that remote host 10.160.2.70 has only access to local host 10.118.10.102

Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPSEC traffic from the remote host peer?

any help or examples would be appreciated.

Thanks

Rod

Accepted Solution

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.


5 Replies

Jennifer Halim
Cisco Employee

You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.

Example:

access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102

group-policy juniper-policy internal

group-policy juniper-policy attributes

     vpn-filter value juniper-filter

! The site-to-site tunnel-group is named after the Juniper peer address;
! <juniper-peer-ip> is a placeholder for that address.
tunnel-group <juniper-peer-ip> general-attributes

     default-group-policy juniper-policy

Hope that helps.
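As an added illustration (not part of the thread and not Cisco's own documentation), the snippet below shows the same vpn-filter approach alongside the crypto ACL and tunnel-group it works with on PIX/ASA 8.x, so the two ACLs are not confused. The peer address JUNIPER_PEER_IP and the pre-shared key REPLACE_ME are placeholders; the crypto map and ISAKMP settings from the already-working tunnel are assumed unchanged and are not repeated.

```cisco
! Added example for the scenario in this thread; placeholders: JUNIPER_PEER_IP, REPLACE_ME.

! Crypto ACL (interesting traffic): keep the full /16 <-> /16 that the tunnel
! was built with so the proxy IDs still match what the Juniper proposes.
! Narrowing this ACL to the two hosts would break Phase 2 negotiation
! rather than enforce the restriction.
access-list juniper-crypto extended permit ip 10.118.0.0 255.255.0.0 10.160.0.0 255.255.0.0

! vpn-filter ACL: written from the REMOTE side's point of view
! (source = remote host, destination = local host). The firewall applies it
! to traffic in both directions, swapping source and destination for
! outbound packets, so replies from 10.118.10.102 to 10.160.2.70 are also
! allowed. The implicit deny at the end drops every other host in
! 10.160.0.0/16 once the packets are decrypted.
access-list juniper-filter extended permit ip host 10.160.2.70 host 10.118.10.102

group-policy juniper-policy internal
group-policy juniper-policy attributes
 vpn-filter value juniper-filter

tunnel-group JUNIPER_PEER_IP type ipsec-l2l
tunnel-group JUNIPER_PEER_IP general-attributes
 default-group-policy juniper-policy
tunnel-group JUNIPER_PEER_IP ipsec-attributes
 pre-shared-key REPLACE_ME

! sysopt connection permit-vpn stays enabled: decrypted traffic bypasses the
! outside interface ACL, and the vpn-filter is what restricts it instead.
sysopt connection permit-vpn
```

To confirm the filter is in effect after the tunnel comes up, show vpn-sessiondb detail l2l lists the active session with the filter name applied to it, and show access-list juniper-filter shows hit counts climbing on the permit line (and nothing else getting through) when 10.160.2.70 talks to 10.118.10.102.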

Thanks for your quick response.

If I configure the vpn-filter as you have indicated, do I need to issue the no sysopt connection permit-vpn command?

I need to be 100% sure that only traffic from the 10.160.2.70 host will be allowed to host 10.118.10.102

Thanks again

Rod

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.

Many thanks for your help.

Rod
