SRX


SSH Access via VPN Only

  • 1.  SSH Access via VPN Only

     
    Posted 06-18-2018 01:00

    Is it possible to have two policies from the same zone to the same zone that only allow SSH access from the VPN address range rather than from everywhere, please?

     

    I will try and explain the issue:

     

    I have a "Customer-VR" which is connected to an aggregated interface "AE1". This in turn is connected to the internal network where the LNS resides and the Core.

    I have a second VR, let's call it "ssh-vpn-VR". This has a physical interface of ge-0/0/8.

    The ST interface, as the end point for data, is located within the "Customer-VR".

     

    This all works perfectly at the moment but now I have the issue of allowing all traffic other than SSH through the Customer-VR but only SSH traffic from the VPN. So, can I craft two policies to complete this please?



  • 2.  RE: SSH Access via VPN Only

     
    Posted 06-18-2018 01:27

    If SSH access is working as you expect with one policy using "application any", you can configure a more specific policy to restrict the access. Make sure you place the specific policy above the any-any policy.

     

     



  • 3.  RE: SSH Access via VPN Only
    Best Answer

     
    Posted 06-18-2018 02:38

    You actually need three policies:

     

    1. Allow SSH from the desired subnets to the desired sources

    2. Deny SSH for any any

    3. Your current allow-all policy

     

    This will permit the desired ssh and deny all the other ssh before passing to your base policy.

     



  • 4.  RE: SSH Access via VPN Only

     
    Posted 06-18-2018 03:19

    Hi Spuluka,

     

    So, I would need something like the following:

     

    set security policies from-zone Customer-Network to-zone radius-server policy test match source-address <VPN Address Range>

    set security policies from-zone Customer-Network to-zone radius-server policy test match destination-address <radius server>

    set security policies from-zone Customer-Network to-zone radius-server policy test match application junos-ssh

    set security policies from-zone Customer-Network to-zone radius-server policy test then permit

     

    set security policies from-zone Customer-Network to-zone radius-server policy test1 match source-address any

    set security policies from-zone Customer-Network to-zone radius-server policy test1 match destination-address <radius server>

    set security policies from-zone Customer-Network to-zone radius-server policy test1 match application junos-ssh

    set security policies from-zone Customer-Network to-zone radius-server policy test1 then deny

     

    set security policies from-zone Customer-Network to-zone radius-server policy test2 match source-address any

    set security policies from-zone Customer-Network to-zone radius-server policy test2 match destination-address <radius-server>

    set security policies from-zone Customer-Network to-zone radius-server policy test2 match application <applications>

    set security policies from-zone Customer-Network to-zone radius-server policy test2 then permit

     

    Is this right?

     



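The reason the three policies above work only in that order is that an SRX evaluates the policies of a zone pair top to bottom and applies the first match. The following is an added example, not code from the thread or from Juniper: a small Python simulation of that first-match evaluation, plus a containment check that reports policies which can never be hit because an earlier, broader policy shadows them. The VPN range, the RADIUS server address and the application names are assumptions made up for the illustration.

```python
"""Added example (not from the original thread or from Junos): first-match
simulation of SRX zone-pair security policy evaluation, with a shadowed-policy
check. All addresses and names below are assumed values for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    src: str      # "any" or a CIDR prefix
    dst: str      # "any" or a CIDR prefix
    app: str      # "any" or an application name such as "junos-ssh"
    action: str   # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, app: str) -> bool:
        return (_addr_match(self.src, src_ip)
                and _addr_match(self.dst, dst_ip)
                and self.app in ("any", app))


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(policies, src_ip: str, dst_ip: str, app: str):
    """Walk the ordered policy list and return (policy name, action) of the
    first match. With no match the SRX default policy (deny-all) applies."""
    for p in policies:
        if p.matches(src_ip, dst_ip, app):
            return p.name, p.action
    return "default-policy", "deny"


def _covers(a: str, b: str) -> bool:
    """True if address spec a matches every address that spec b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))


def shadowed(policies):
    """Names of policies that can never match: every flow they would match is
    already matched by some policy placed earlier in the list."""
    out = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.src, p.src) and _covers(earlier.dst, p.dst)
                    and earlier.app in ("any", p.app)):
                out.append(p.name)
                break
    return out


VPN_RANGE = "10.200.0.0/24"   # assumed address range of the st0 tunnel clients
RADIUS = "192.0.2.10/32"      # assumed RADIUS server (RFC 5737 documentation space)

# The three policies from the thread, in the order they must be committed.
CORRECT_ORDER = [
    Policy("test",  VPN_RANGE, RADIUS, "junos-ssh", "permit"),
    Policy("test1", "any",     RADIUS, "junos-ssh", "deny"),
    Policy("test2", "any",     RADIUS, "any",       "permit"),
]

# Same policies with the pre-existing allow-all left on top: the two SSH
# policies are never reached and SSH from anywhere still gets through.
SHADOWED_ORDER = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]


if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("shadowed", SHADOWED_ORDER)):
        print(label, "ssh from VPN:   ", evaluate(order, "10.200.0.5", "192.0.2.10", "junos-ssh"))
        print(label, "ssh from LAN:   ", evaluate(order, "172.16.5.5", "192.0.2.10", "junos-ssh"))
        print(label, "radius from LAN:", evaluate(order, "172.16.5.5", "192.0.2.10", "junos-radius"))
        print(label, "unreachable policies:", shadowed(order))
```

On the SRX itself the order that matters is the one shown by `show security policies from-zone Customer-Network to-zone radius-server`; a policy that was committed in the wrong place can be moved with `insert security policies from-zone Customer-Network to-zone radius-server policy test before policy test2` rather than deleted and re-created. Running the shadowed-policy check against the intended list before committing is a cheap way to catch an allow-all that would silently neutralise the SSH deny.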
  • 5.  RE: SSH Access via VPN Only

     
    Posted 06-18-2018 06:02

    Worked perfectly. Thank you Spuluka