SSG5 - Port Forwarding

Hi Experts,

I'm in the early stages of configuring a network using the SSG5 box. I have 2 networks that will need to access corporate resources over an L2L VPN tunnel and it sounds like this can be accomplished with either a route or policy VPN. My question is, I have 2 networks configured on the "Untrust" network, one being the internet. Is this ok to configure as so? Where should the VPN tunnel terminate once configured, trust or untrust, so I can route traffic from both?

UNTRUST
e0/0 - internet (layer3)
e0/4 & e0/5 - bgroup1 (layer3)

TRUST
e0/2 & e0/3 - bgroup0 (layer3)
cisco20 Asked:
deimark Commented:
In short, yes, you can have 2 nets in the same zone.

The security zones are basically a container for networks and interfaces that require a similar level of security applied, so if both of the nets in the untrust zone require the same type of policies and access then this is fine.

As for the VPN tunnel interface, I would either create a new zone for the VPN or add it to the untrust.

In your setup, I would have it in a new zone and then define the specific policies you need for the allowed traffic from source zone to destination zone.
0
 
mindwise Commented:
Adding to deimark,

Remember that you can also make your own 'zone' (set zone name zonename).
It's okay to have multiple networks on your untrust zone, but it's not best practice.

For example, if I terminate a route-based VPN on my untrust side, I'd need to create a policy to allow traffic to my trust side.
If you don't enable 'spoof detection', that will leave the config vulnerable to spoofing.

Rather create specific zones for specific functions.
A 'VPN' zone to terminate your VPNs in is much better.

By default, the untrust zone will have the 'intra-zone-block' turned on, so traffic from eth0/0 to bg1 (or vice versa) needs a policy before it will flow.

It's a bit hard to tell if the 2 nets on untrust are good practice, since we don't know what the function of that 2nd net is.

Routing to the VPN is not going to be a problem wherever you terminate the tunnel; it's more a question of where and if you need to create policies...

I am not a big fan of terminating VPNs in the untrust zone for the aforementioned reasons.

Have fun,
0
 
cisco20 (Author) Commented:
Hey guys - Ok, so if I create a new "VPN zone", what interface would I bind it to? Would that be the eth0/0 (internet)? And I'm guessing this would remain in the trust zone since my traffic will be routed from this zone, with the exception of a few devices in bgroup1 that have to send some traffic through the VPN tunnel as well.

The whole reason I purchased a firewall was to separate the networks, so creating a named Zone and making it an untrust zone would be the same as the setup I have now, wouldn't it?

Thanks for your support.
0
 
deimark Commented:
I would suggest creating a route-based VPN and associating it with a tunnel interface. It's this tunnel interface that goes into the new VPN zone.

This allows you to define separate policies for the VPN traffic.
0
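A ScreenOS configuration sketch of the layout deimark describes (a route-based VPN bound to a tunnel interface that sits in its own zone, with the Untrust spoof screen mindwise mentions). This is an added example, not from the thread or from Juniper documentation; the zone name "VPN", tunnel.1, the peer address 203.0.113.10, the corporate subnet 10.10.0.0/16 and the preshared-key placeholder are assumptions, and the lines beginning with # are annotations rather than CLI commands.

```screenos
# Added example (constructed): route-based L2L VPN terminated in its own zone on an SSG5.
# Assumed layout: local LAN on bgroup0 (Trust), Internet on ethernet0/0 (Untrust),
# corporate peer 203.0.113.10 and corporate subnet 10.10.0.0/16 (constructed values).

# 1. A dedicated security zone for VPN traffic, with intra-zone blocking on.
set zone name "VPN"
set zone "VPN" block

# 2. The tunnel interface lives in that zone; unnumbered, it borrows the Untrust egress IP.
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 3. IKE gateway and VPN to the corporate peer, reached through ethernet0/0.
#    "REPLACE-WITH-PSK" is a placeholder; use a long random key in practice.
set ike gateway "corp-gw" address 203.0.113.10 Main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn "corp-vpn" gateway "corp-gw" replay tunnel idletime 0 sec-level standard
set vpn "corp-vpn" bind interface tunnel.1

# 4. Route-based: the corporate prefix is routed into the tunnel interface,
#    so no policy lookup is needed to select the tunnel.
set route 10.10.0.0/16 interface tunnel.1

# 5. Policies are per zone pair, so VPN traffic gets its own rules instead of
#    riding on the Untrust<->Trust policies. Narrow "Any"/"ANY" to the real hosts and services.
set policy from "Trust" to "VPN" "Any" "Any" "ANY" permit log
set policy from "VPN" to "Trust" "Any" "Any" "ANY" permit log

# 6. Spoof detection on the zone that faces the Internet (and the second Untrust net).
set zone "Untrust" screen ip-spoofing
```

Hosts in bgroup1 that also need the tunnel get a further pair of Untrust<->VPN policies limited to those addresses, which is the separation the thread is after.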
 
cisco20 (Author) Commented:
Ok, I've created the VPN zone, now how to bind to the tunnel IF?
Assuming unnumbered, it gives me 3 options to choose:
e0/0 - internet
e0/1 - DMZ
bgroup0 - Local LAN (this is the zone that most traffic will be flowing from; why does it show zone and not int #?)
0