SSG5 Network Configuration

Hi Experts,

I'm configuring an SSG5 box for the first time and so far it has been fairly straightforward. I have 2 networks that I will be separating using layer 3; I added both to the trust zone and different bgroups. One will route traffic through a site-to-site VPN back to the Shop and the other will not, except for maybe only one device. Is this the correct approach? Once I set up the site-to-site tunnel, is it going to be a problem to have devices from either network traverse the VPN tunnel?

Normally, if you have 2 separate sets of network security requirements, i.e. an internal and an external interface, I would suggest that you have 2 separate zones.

i.e. trust zone for internal based interfaces/networks and untrust zone for the external interfaces and nets.

This will then allow you to define policies from zone trust to zone untrust (and vice versa).

If you keep all interfaces in the trust zone, then by default, ALL traffic will be allowed without the need for a policy.

If this is what you are looking for then carry on; however, I suspect that you bought an SSG 5 to be more than a router, hehe.

If you use 2 zones here, then you can define suitable policies for the normal traffic as well as refine your VPNs to only allow required traffic over the tunnel.


My approach would be to make it a route based vpn (if it is not already).

Then place your tunnel interface in a (new) VPN zone.
Then filter the traffic you want to allow in (or out) the tunnel via normal security policies from trust to vpn (and/or vice versa).
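
A sketch of the route-based layout described in the answer above, written as ScreenOS CLI; this is an added example, not configuration posted by anyone in the thread. Every name, interface and address in it is an assumption (ethernet0/0 as the outside interface, 192.168.10.0/24 as the network that uses the tunnel, 192.168.20.50 as the single permitted device on the other network, 10.10.0.0/24 as the Shop LAN, 203.0.113.10 as the Shop peer, `<PSK>` as a placeholder). Lines starting with `#` are annotations for the reader and should be stripped before pasting.

```screenos
# --- Dedicated zone for the tunnel, so VPN traffic is inter-zone
# --- and therefore always evaluated against policy.
set zone name VPN
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/0

# --- Address book entries (all values are assumed placeholders).
set address Trust "LAN-A" 192.168.10.0 255.255.255.0
set address Trust "LAN-B-host" 192.168.20.50 255.255.255.255
set address VPN "Shop-LAN" 10.10.0.0 255.255.255.0

# --- IKE gateway and VPN, bound to the tunnel interface (route-based).
set ike gateway "Shop-GW" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "<PSK>" sec-level standard
set vpn "Shop-VPN" gateway "Shop-GW" sec-level standard
set vpn "Shop-VPN" bind interface tunnel.1

# --- Routing decides what enters the tunnel; policy decides what is allowed.
set route 10.10.0.0/24 interface tunnel.1

# --- Outbound: all of LAN-A, plus the one device from the second network.
set policy from Trust to VPN "LAN-A" "Shop-LAN" ANY permit log
set policy from Trust to VPN "LAN-B-host" "Shop-LAN" ANY permit log

# --- Inbound from the Shop: only towards LAN-A.
set policy from VPN to Trust "Shop-LAN" "LAN-A" ANY permit log

# --- Explicit logged denies, so rejected attempts from the rest of the
# --- second network (or from the Shop) show up in the traffic log.
set policy from Trust to VPN "Any" "Any" ANY deny log
set policy from VPN to Trust "Any" "Any" ANY deny log

save
```

Policies are matched top down, so the two deny entries must stay below the permits. With both bgroups still in the Trust zone, traffic between the two local networks is not covered by any of these policies.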
