SRX


Restricting access to a site-to-site VPN connection

  • 1.  Restricting access to a site-to-site VPN connection

    Posted 08-31-2017 09:23

    For compliance reasons I need to be able to restrict what users or computers are able to traverse a site-to-site tunnel to our colo facility. From what I've read here and in the KB it isn't clear to me what options there are and how to implement them. Would any of you be able to provide a bit more clarity on that subject?


    Here is the configuration:


    Main (SRX340) is connecting to Colo (SRX300). 


    Users A, B, and C need to be able to connect to the Colo on 22, 80, and 443 (perhaps others), but users D, E, and F cannot be allowed to connect under any circumstances.


    Any questions, thoughts or suggestions?



  • 2.  RE: Restricting access to a site-to-site VPN connection
    Best Answer

    Posted 08-31-2017 14:58

    If you create the site-to-site as a route based VPN, then you can create all the specific security policies you need against the traffic that traverses the tunnel.


    In step 1 & 2 you simply create more address objects and write as many security policies as needed to allow and block the required traffic.


    https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-route-based-vpn-configuring.html



  • 3.  RE: Restricting access to a site-to-site VPN connection

    Posted 09-01-2017 13:52

    Thanks for clearing that up. I'll dig into the KBs and go from there.