SSG5 Network Configuration

Hi Experts,

I'm configuring an SSG5 box for the first time and so far it has been fairly straightforward. I have 2 networks that I will be separating using layer 3; I added both to the trust zone and different bgroups. One will route traffic through a site to site VPN back to the Shop and the other will not, except for maybe only one device. Is this the correct approach? Once I set up the site to site tunnel, is it going to be a problem to have devices from either network traverse the VPN tunnel?
deimark commented:
Normally, if you have 2 separate sets of network security requirements, i.e. an internal and an external interface, I would suggest that you have 2 separate zones.

i.e. trust zone for internal based interfaces/networks and untrust zone for the external interfaces and nets.

This will then allow you to define policies from zone trust to zone untrust (and vice versa).

If you keep all interfaces in the trust zone, then by default, ALL traffic will be allowed without the need for a policy.

If this is what you are looking for then carry on; however, I suspect that you bought an SSG 5 to be more than a router hehe.

If you use 2 zones here, then you can define suitable policies for the normal traffic as well as refine your VPNs to only allow required traffic over the tunnel.

mindwise commented:
My approach would be to make it a route based vpn (if it is not already).

Then place your tunnel interface in a (new) VPN zone.
Then filter the traffic you want to allow into (or out of) the tunnel via normal security policies from trust to vpn (and/or vice versa).
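As an added illustration of the approach the two answers describe (not configuration posted by anyone in this thread), here is a ScreenOS CLI sketch for an SSG5: the two LANs stay on separate bgroups in Trust, the tunnel interface is bound to a new VPN zone, and policies decide which hosts may cross the tunnel. All interface names, zone names, addresses (RFC 1918/5737 ranges), gateway/VPN names and the preshared key placeholder are constructed assumptions; the `##` lines are annotations, not CLI commands.

```screenos
## Constructed example: two internal LANs on separate bgroups, both in Trust
set interface bgroup0 zone "Trust"
set interface bgroup0 ip 192.168.10.1/24
set interface bgroup1 zone "Trust"
set interface bgroup1 ip 192.168.20.1/24
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 198.51.100.2/30

## New zone for the tunnel so Trust<->VPN traffic needs an explicit policy
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Route-based site-to-site VPN bound to the tunnel interface
## (203.0.113.10 is the assumed peer; replace the preshared key)
set ike gateway "gw-shop" address 203.0.113.10 Main outgoing-interface "ethernet0/0" preshare "REPLACE-ME" sec-level standard
set vpn "vpn-shop" gateway "gw-shop" sec-level standard
set vpn "vpn-shop" bind interface tunnel.1
set route 10.1.0.0/16 interface tunnel.1

## Address book entries used by the policies below
set address "Trust" "net-a" 192.168.10.0 255.255.255.0
set address "Trust" "host-b-printer" 192.168.20.50 255.255.255.255
set address "VPN" "shop-lan" 10.1.0.0 255.255.0.0

## Only net-a and a single host from net-b may use the tunnel;
## every other Trust->VPN flow hits the default deny
set policy from "Trust" to "VPN" "net-a" "shop-lan" "ANY" permit
set policy from "Trust" to "VPN" "host-b-printer" "shop-lan" "ANY" permit
set policy from "VPN" to "Trust" "shop-lan" "net-a" "ANY" permit
```

Because Trust-to-Trust traffic is permitted by default, add `set zone "Trust" block` if the two bgroups should also be isolated from each other.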
