Hi,
We have the following setup:
* Policy-based VPN between an SRX 1400 and a Palo Alto.
Extra info on why we are using a policy-based VPN:
1- We need one phase 2 per local/remote network pair (proxy-id).
2- Right now, on the SRX side it is one network, but in the future there will be more.
3- Our current Junos version is just behind the release that included traffic selectors.
SRX side:
10.10.10.0/24 (lan_1)
PaloAlto side:
192.168.8.0/24 (vpn_net_1)
192.168.9.0/24 (vpn_net_2)
192.168.10.0/24 (vpn_net_3)
We have the following rules:
[edit security policies from-zone untrust to-zone management-lan]
policy vpnpolicy-untrust-management-lan-1 {
    match {
        source-address vpn_net_1;
        destination-address lan_1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-management-lan-untrust-1;
            }
        }
    }
}
policy vpnpolicy-untrust-management-lan-2 {
    match {
        source-address vpn_net_2;
        destination-address lan_1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-management-lan-untrust-2;
            }
        }
    }
}
policy vpnpolicy-untrust-management-lan-3 {
    match {
        source-address vpn_net_3;
        destination-address lan_1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-management-lan-untrust-3;
            }
        }
    }
}

[edit security policies from-zone management-lan to-zone untrust]
policy vpnpolicy-management-lan-untrust-1 {
    match {
        source-address lan_1;
        destination-address vpn_net_1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-untrust-management-lan-1;
            }
        }
    }
}
policy vpnpolicy-management-lan-untrust-2 {
    match {
        source-address lan_1;
        destination-address vpn_net_2;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-untrust-management-lan-2;
            }
        }
    }
}
policy vpnpolicy-management-lan-untrust-3 {
    match {
        source-address lan_1;
        destination-address vpn_net_3;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpnpolicy-untrust-management-lan-3;
            }
        }
    }
}
The VPN is established correctly, and traffic works in both directions.
Now, how can you filter specific traffic on that VPN? As we have "application any", all traffic is allowed.
For outgoing traffic (SRX->PaloAlto) I think it would be enough to just add a deny rule before the tunnel rule. But how can I filter inbound traffic (PaloAlto->SRX)? I'm not sure the same approach would work.
If, for example, we want remote server 192.168.8.200 to only be able to access 10.10.10.0/24 on port 80/TCP, where should we do it? Or do we have to actually modify the tunnel rule? If so, wouldn't that then create a different phase 2 per tunnel rule created?
Thanks for the input!
Best regards.
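The following is an added configuration example, not part of the original post and not an official Juniper answer. It shows the two building blocks the post is asking about on the poster's own zone, address and VPN names: a narrower tunnel policy for the one host/port that is meant to be allowed, and deny policies ordered ahead of the broad tunnel policies so that first-match catches the host before `application any` does. The address-book name `remote_srv_1`, the new policy names, the destination host 10.10.10.50 used in the verification commands and the log settings are assumptions. One caveat to keep in mind, consistent with point 1 of the post: on a policy-based VPN the SRX derives the proxy-ID from the tunnel policy's source address, destination address and application, so the narrow HTTP tunnel policy below negotiates its own phase 2 (192.168.8.200/32 <-> 10.10.10.0/24, TCP/80), and the Palo Alto side needs a matching proxy-ID for it; the deny policies on their own (the "deny before the tunnel rule" idea from the post) leave the existing proxy-IDs untouched.

```junos
## Added example; policy and address names are hypothetical.

## 1. Address-book object for the single remote host (hypothetical name).
[edit security zones security-zone untrust address-book]
address remote_srv_1 192.168.8.200/32;

## 2. Inbound direction (PaloAlto -> SRX). Both policies must sit BEFORE
##    vpnpolicy-untrust-management-lan-1, otherwise "application any" wins.
[edit security policies from-zone untrust to-zone management-lan]
policy vpn-remote-srv-1-http {
    match {
        source-address remote_srv_1;
        destination-address lan_1;
        application junos-http;         # TCP/80 only; becomes part of the proxy-ID
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpn-lan-1-remote-srv-1-http;
            }
        }
    }
}
policy vpn-remote-srv-1-deny-rest {
    match {
        source-address remote_srv_1;
        destination-address lan_1;
        application any;
    }
    then {
        deny;
        log {
            session-init;               # keep evidence of blocked attempts
        }
    }
}

## 3. Pair policy for the other direction, plus the mirror deny, ordered
##    BEFORE vpnpolicy-management-lan-untrust-1.
[edit security policies from-zone management-lan to-zone untrust]
policy vpn-lan-1-remote-srv-1-http {
    match {
        source-address lan_1;
        destination-address remote_srv_1;
        application junos-http;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn ipsec-vpn-1;
                pair-policy vpn-remote-srv-1-http;
            }
        }
    }
}
policy vpn-lan-1-remote-srv-1-deny-rest {
    match {
        source-address lan_1;
        destination-address remote_srv_1;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}

## 4. New policies are appended at the end of the zone pair; move them up
##    so they are evaluated before the broad tunnel policies (configuration mode).
insert security policies from-zone untrust to-zone management-lan policy vpn-remote-srv-1-http before policy vpnpolicy-untrust-management-lan-1
insert security policies from-zone untrust to-zone management-lan policy vpn-remote-srv-1-deny-rest before policy vpnpolicy-untrust-management-lan-1
insert security policies from-zone management-lan to-zone untrust policy vpn-lan-1-remote-srv-1-http before policy vpnpolicy-management-lan-untrust-1
insert security policies from-zone management-lan to-zone untrust policy vpn-lan-1-remote-srv-1-deny-rest before policy vpnpolicy-management-lan-untrust-1

## 5. Verify the ordering before trusting it (operational mode, after commit).
##    The first lookup should land on vpn-remote-srv-1-http, the second on
##    vpn-remote-srv-1-deny-rest; 10.10.10.50 is an assumed host inside lan_1.
## show security match-policies from-zone untrust to-zone management-lan source-ip 192.168.8.200 destination-ip 10.10.10.50 source-port 40000 destination-port 80 protocol tcp
## show security match-policies from-zone untrust to-zone management-lan source-ip 192.168.8.200 destination-ip 10.10.10.50 source-port 40000 destination-port 22 protocol tcp
##    And confirm how many phase 2 SAs the change produced:
## show security ipsec security-associations
```

Because Junos evaluates policies within a zone pair in order and stops at the first match, the position of the deny policies is the whole point: `show security policies from-zone untrust to-zone management-lan` after the commit should list the two host-specific policies above the existing `vpnpolicy-untrust-management-lan-1`. If the extra phase 2 for the HTTP-only proxy-ID is not acceptable, drop the two `*-http` tunnel policies and keep only the deny policies, which then have to enumerate what is to be blocked rather than what is to be allowed.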