Cisco Support Community

New Member

VPN Question

Hi

I am creating a VPN between a Juniper and PIX 8.x

I have successfully created the tunnel between the remote network (Juniper 10.160.0.0/16) and the local network (PIX 10.118.0.0/16) using the command sysopt connection permit-vpn, and hosts on both networks can ping each other.

Now I want to restrict access via the tunnel so that remote host 10.160.2.70 only has access to local host 10.118.10.102.

Can this be achieved using the crypto ACLs? Or do I need to issue the no sysopt connection permit-vpn command and then set up an ACL on the PIX outside interface to only allow 10.160.2.70 onto the local network? Do I also need to configure the ACL to allow incoming IPSEC traffic from the remote host peer?

Any help or examples would be appreciated.

Thanks

Rod

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN Question

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.

5 REPLIES
Cisco Employee

Re: VPN Question

You can configure vpn-filter to only allow traffic from remote host 10.160.2.70 to local host 10.118.10.102.

Example:

access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102
!
group-policy juniper-policy internal
group-policy juniper-policy attributes
  vpn-filter value juniper-filter
!
! A LAN-to-LAN tunnel-group is named after the peer's IP address; the
! Juniper peer address is not given in this thread, so it is a placeholder here.
tunnel-group <juniper-peer-ip> general-attributes
  default-group-policy juniper-policy

Hope that helps.
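As an added illustration (not part of the thread and not Cisco's code), this Python script models how the firewall evaluates the vpn-filter above: the ACL is written with the Juniper side as the source, it is applied both to decrypted inbound traffic and to locally originated traffic before encryption (with source and destination swapped for the outbound check), and any flow that matches no entry hits the implicit deny. It assumes the filter name and addresses from the thread and models only `ip` entries with `host`, `any` and network/mask address terms.

```python
import ipaddress

# Constructed input: the single-line filter from the reply above.
VPN_FILTER = [
    "access-list juniper-filter permit ip host 10.160.2.70 host 10.118.10.102",
]


def _addr(tokens):
    """Consume one ASA ACL address term: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA extended ACLs use subnet masks (not wildcards), which ip_network accepts.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Return (action, protocol, src_net, dst_net) for 'access-list NAME permit|deny PROTO SRC DST'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, _ = _addr(rest)
    return action, proto, src, dst


def vpn_filter_allows(acl_lines, src_ip, dst_ip, inbound):
    """Evaluate a vpn-filter the way the ASA/PIX does.

    vpn-filter ACLs are written with the remote (peer) side as the source.
    For locally originated traffic about to be encrypted (inbound=False) the
    firewall swaps source and destination before matching, so the same ACL
    restricts both directions. Entries are matched first-hit; no match means deny.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not inbound:
        s, d = d, s
    for line in acl_lines:
        action, _proto, src_net, dst_net = parse_ace(line)  # only 'ip' modelled
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def check_flows(acl_lines=VPN_FILTER):
    """Evaluate constructed flows that cover the cases Rod asked about."""
    flows = [
        ("10.160.2.70", "10.118.10.102", True),   # the one allowed remote host
        ("10.118.10.102", "10.160.2.70", False),  # local host replying / initiating
        ("10.160.2.71", "10.118.10.102", True),   # another host behind the Juniper
        ("10.118.10.102", "10.160.2.71", False),  # local host to another remote host
    ]
    return {(s, d, i): vpn_filter_allows(acl_lines, s, d, i) for s, d, i in flows}
```

Even though the crypto ACL still encrypts the whole 10.160.0.0/16 to 10.118.0.0/16, the third and fourth flows show that the vpn-filter drops everything except the one permitted host pair, in both directions.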

New Member

Re: VPN Question

Thanks for your quick response.

If I configure the vpn-filter as you have indicated, do I need to issue the no sysopt connection permit-vpn command?

I need to be 100% sure that only traffic from the 10.160.2.70 host will be allowed to host 10.118.10.102.

Thanks again

Rod

Cisco Employee

Re: VPN Question

No, you do not have to disable the sysopt connection permit-vpn command.

This vpn-filter is applied to the tunnel-group for Juniper.

New Member

Re: VPN Question

Many thanks for your help.

Rod
