04-06-2010 02:11 AM
Hi
I am creating a VPN between a Juniper and PIX 8.x
I have successfully created the tunnel between the remote network (Juniper 10.160.0.0/16) and the local network (PIX 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.
Now I want to restrict access via the tunnel so that remote host 10.160.2.70 only has access to local host 10.118.10.102.
Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPsec traffic from the remote host peer?
Any help or examples would be appreciated.
Thanks
Rod
04-06-2010 02:18 AM
You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.
Example:
access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102
group-policy juniper-policy internal
group-policy juniper-policy attributes
 vpn-filter value juniper-filter
tunnel-group <juniper-peer-ip> general-attributes
 default-group-policy juniper-policy
Hope that helps.
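For reference, here is a complete PIX 8.x / ASA 8.x site-to-site configuration for the scenario in this thread. It is an added example, not the answerer's own sample or anything from the original post. The peer address 203.0.113.10, the IKE policy and transform-set values, and the pre-shared key are assumed placeholders; the networks, hosts and object names are the ones from the thread. The point it illustrates is where the restriction actually lives: the crypto ACL stays /16 to /16 and only selects what gets encrypted, while the vpn-filter ACL, written with the remote (Juniper) side as source and the local (PIX) side as destination, is what limits the tunnel to the two hosts.

```cisco
! Added example configuration for the thread above (PIX/ASA 8.x, IKEv1).
! Assumed placeholders: peer 203.0.113.10, IKE policy/transform values, pre-shared key.

! --- Phase 1 / Phase 2, as for any working L2L tunnel ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set JUNIPER-TS esp-aes esp-sha-hmac

! Crypto ACL stays network-to-network: it only decides what is encrypted,
! it does not restrict who may talk to whom inside the tunnel.
access-list juniper-crypto extended permit ip 10.118.0.0 255.255.0.0 10.160.0.0 255.255.0.0

crypto map outside_map 10 match address juniper-crypto
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set JUNIPER-TS
crypto map outside_map interface outside

! Default on PIX/ASA 7.x and later: decrypted tunnel traffic bypasses the
! interface ACLs. Leave it on; the vpn-filter below does the restricting.
sysopt connection permit-vpn

! --- vpn-filter: the actual restriction ---
! Written from the remote side's point of view: source = Juniper side,
! destination = PIX side. The PIX applies the same ACL to traffic heading
! into the tunnel with source/destination swapped, so this single line lets
! 10.160.2.70 and 10.118.10.102 reach each other (in either direction) and,
! because of the implicit deny at the end of the ACL, nothing else crosses.
access-list juniper-filter extended permit ip host 10.160.2.70 host 10.118.10.102

! To narrow further, e.g. only RDP initiated by the remote host:
!  access-list juniper-filter extended permit tcp host 10.160.2.70 host 10.118.10.102 eq 3389
! To let the local host open HTTP to the remote host, the port goes on the
! remote (source) side of the line:
!  access-list juniper-filter extended permit tcp host 10.160.2.70 eq 80 host 10.118.10.102

group-policy juniper-policy internal
group-policy juniper-policy attributes
 vpn-filter value juniper-filter

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy juniper-policy
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key>
```

The group-policy is bound to the session when the tunnel comes up, so after adding the filter re-establish the tunnel (clear crypto ipsec sa peer 203.0.113.10) before testing. Then check from both ends: ping and connect from 10.160.2.70 to 10.118.10.102 (should work), and from any other remote host to any local host (should fail), while watching the hit counts in show access-list juniper-filter; show vpn-sessiondb detail l2l shows which filter the session has been given. Note that other 10.160.0.0/16 hosts still match the crypto ACL, so their packets are decrypted and then dropped by the filter on the PIX, which is the behaviour wanted here regardless of what policy the Juniper side applies.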
04-06-2010 02:23 AM
Thanks for your quick response.
If I configure the vpn-filter as you have indicated, do I need to issue the no sysopt connection permit-vpn command?
I need to be 100% sure that only traffic from the 10.160.2.70 host will be allowed to host 10.118.10.102.
Thanks again
Rod
04-06-2010 02:33 AM
No, you do not have to disable the sysopt connection permit-vpn command.
This vpn-filter is applied to the tunnel-group for Juniper.
04-06-2010 02:36 AM
Many thanks for your help.
Rod
04-06-2010 02:36 AM
Here is a sample configuration for your reference: