SSG5 - Port Forwarding

Hi Experts,

I'm in the early stages of configuring a network using the SSG5 box. I have 2 networks that will need to access corporate resources over an L2L VPN tunnel, and it sounds like this can be accomplished with either a route or policy VPN. My question is I have 2 networks configured on the "Untrust" network, one being the internet - is this OK to configure as so? Where should the VPN tunnel terminate once configured, trust or untrust, so I can route traffic from both?

UNTRUST
e0/0 - internet (layer3)
e0/4 & e0/5 - bgroup1 (layer3)

TRUST
e0/2 & e0/3 - bgroup0 (layer3)
cisco20 Asked:

deimark Commented:
In short, yes, you can have 2 nets in the same zone.

The security zones are basically a container for networks and interfaces that require a similar level of security applied, so if both of the nets in the untrust zone require the same type of policies and access then this is fine.

As for the VPN tunnel interface, I would either create a new zone for the VPN or add it to the untrust.

In your set up, I would have it in a new zone and then define the specific policies you need for the allowed traffic from source zone to destination zone.
0

mindwise Commented:
Adding to deimark,

Remember that you can also make your own 'zone'. (set zone name zonename).
It's okay to have multiple networks on your untrust zone, but it's not best practice.

For example, if I terminate a route based VPN on my untrust side, I'd need to create a policy to allow traffic to my trust side.
If you don't enable 'spoof detection', that will leave the config vulnerable to spoofing.

Rather create specific zones for specific functions.
A 'VPN' zone to terminate your VPNs in is much better.

By default, the untrust zone will have the 'intra-zone-block' turned on, so traffic from eth0/0 to bg1 (or vice versa) needs a policy before it will flow.

It's a bit hard to tell if the 2 nets on untrust are good practice, since we don't know what the function of that 2nd net is.

Routing to the VPN is not going to be a problem wherever you terminate the tunnel; it's more a question of where and if you need to create policies.

I am not a big fan of terminating VPNs in the untrust zone for the aforementioned reasons.

Have fun,
0
cisco20 Author Commented:
Hey guys - OK, so if I create a new "VPN zone", what interface would I bind it to? Would that be the eth0/0 (internet)? And I'm guessing this would remain in the trust zone since my traffic will be routed from this zone, with the exception of a few devices in bgroup1 that have to send some traffic through the VPN tunnel as well.

The whole reason I purchased a firewall was to separate the networks, so creating a named zone and making it an untrust zone would be the same as the setup I have now, wouldn't it?

Thanks for your support.
0
deimark Commented:
I would suggest creating a route based VPN and associating it with a tunnel interface. It's this tunnel interface that goes into the new VPN zone.

This allows you to define separate policies for the VPN traffic.
0
cisco20 Author Commented:
OK, I've created the VPN zone; now how do I bind it to the tunnel interface?
Assuming unnumbered, it gives me 3 options to choose from:
e0/0 - internet
e0/1 - DMZ
bgroup0 - Local LAN (this is the zone that most traffic will be flowing from; why does it show the zone and not the interface number?)
0
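Editorial note, added to this thread and not posted by deimark, mindwise or cisco20: the ScreenOS CLI sequence below ties their advice together in one place, so the question "which interface does the tunnel bind to" can be answered concretely. The tunnel interface is unnumbered and borrows the address of ethernet0/0 (the internet-facing interface), but the tunnel itself is placed in the new VPN zone; ethernet0/0 stays in Untrust, and the bgroup1 hosts that also need the tunnel get their own Untrust-to-VPN policy. The zone and object names, the peer address 203.0.113.10, the prefixes 10.10.0.0/16, 192.168.1.0/24 and 192.168.2.0/24, and the pre-shared key are placeholder assumptions for illustration; lines beginning with `#` are annotations rather than ScreenOS syntax and must be dropped before pasting.

```text
# Assumed placeholders: 203.0.113.10 = remote VPN peer, 10.10.0.0/16 = corporate
# networks, 192.168.1.0/24 = bgroup0 LAN (Trust), 192.168.2.0/24 = bgroup1 (Untrust).

# 1. Dedicated zone for VPN traffic; intra-zone blocking means a second tunnel
#    added later cannot reach this one without an explicit policy.
set zone name "VPN"
set zone "VPN" block

# 2. Tunnel interface in the VPN zone, unnumbered against the internet interface.
#    Only the tunnel moves into the VPN zone; ethernet0/0 itself stays in Untrust.
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 3. Route-based VPN: IKE gateway on ethernet0/0, VPN bound to tunnel.1
#    instead of being referenced from a policy.
set ike gateway "corp-gw" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER-PSK" sec-level standard
set vpn "corp-vpn" gateway "corp-gw" sec-level standard
set vpn "corp-vpn" bind interface tunnel.1

# 4. Routing: corporate prefixes are reached via the tunnel. As mindwise notes,
#    this is the same whichever zone the tunnel terminates in.
set route 10.10.0.0/16 interface tunnel.1

# 5. Address-book objects so the policies are specific rather than Any/Any.
set address "Trust" "local-lan" 192.168.1.0 255.255.255.0
set address "Untrust" "bgroup1-net" 192.168.2.0 255.255.255.0
set address "VPN" "corp-nets" 10.10.0.0 255.255.0.0

# 6. One policy per zone pair and direction. bgroup1 lives in Untrust, so it
#    needs its own rule; the rest of Untrust (the internet) still cannot reach
#    the tunnel because no policy permits it.
set policy from "Trust" to "VPN" "local-lan" "corp-nets" "ANY" permit log
set policy from "VPN" to "Trust" "corp-nets" "local-lan" "ANY" permit log
set policy from "Untrust" to "VPN" "bgroup1-net" "corp-nets" "ANY" permit log
set policy from "VPN" to "Untrust" "corp-nets" "bgroup1-net" "ANY" permit log

# 7. The spoof-detection screen mindwise refers to: drop packets whose source
#    address, per the route table, does not belong on the ingress interface.
set zone "Untrust" screen ip-spoofing
set zone "VPN" screen ip-spoofing
```

After applying, `get interface tunnel.1` should show the interface in zone VPN with the borrowed ethernet0/0 address, `get sa` shows whether phase 1 and 2 came up, and `get policy` lists the four zone-pair rules; traffic from the local LAN that is silently dropped usually means a policy is missing for that zone pair, not a routing problem.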