How To Configure User-Aware Access Control - ZyXEL Communications ZyWALL USG 200 Series User Manual

Unified security gateway
Chapter 7 Tutorials
7.6.0.1 Hub-and-spoke VPN Requirements and Suggestions
Consider the following when implementing a hub-and-spoke VPN.
• This example uses a wide range for the ZyNOS-based ZyWALL's remote
network; to use a narrower range, see Section 25.4.1 on page 495 for an
example of configuring a VPN concentrator.
• The local IP addresses configured in the VPN rules should not overlap.
• The hub router must have at least one separate VPN rule for each spoke. In the
local policy, specify the IP addresses of the hub-and-spoke networks with which
the spoke is to be able to have a VPN tunnel. This may require you to use more
than one VPN rule.
• To have all Internet access from the spoke routers to go through the VPN
tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the
remote IP address.
• Your firewall rules still apply to traffic arriving through the VPN tunnels, so
they can block VPN packets.
• If the USG ZyWALLs' VPN tunnels are members of a single zone, make sure it is
not set to block intra-zone traffic.
• The ZyNOS based ZyWALLs don't have user-configured policy routes so the only
way to get traffic destined for another spoke router to go through the ZyNOS
ZyWALL's VPN tunnel is to make the remote policy cover both tunnels.
• Since the USG ZyWALLs automatically handle the routing for VPN tunnels, if a
USG ZyWALL is a hub router and the local policy covers both tunnels, the
automatic routing takes care of it without needing a VPN concentrator.
• If a ZyNOS-based ZyWALL's remote network setting overlaps with its local
network settings, enter the CLI command ipsec swSkipOverlapIp on so that
traffic destined for A's local network is delivered to A's local network instead
of being sent through the VPN tunnel.
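The requirements above are easy to get wrong once a third or fourth spoke is added. The following script is an added example (not ZyXEL code and not part of the manual): it models each site as its own LAN plus its VPN rules, where a rule is a local policy and a remote policy made of IPv4 networks, and reports the mistakes the list warns about: overlapping site networks, a hub without a rule for a spoke, a hub rule whose local policy omits another spoke, a spoke whose remote policy does not cover the other sites, and a remote range that overlaps the spoke's own LAN (the ZyNOS ipsec swSkipOverlapIp case). The site names and addresses are made up for illustration.

```python
"""Check a hub-and-spoke IPsec VPN design against the requirements listed above.

Added example, not ZyXEL code. Each site is modelled as its own LAN plus its
VPN rules (a local policy and a remote policy, each a list of IPv4 networks).
Site names and address ranges below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass
class VpnRule:
    name: str
    local: list[IPv4Network]   # local policy of the rule
    remote: list[IPv4Network]  # remote policy of the rule


@dataclass
class Site:
    name: str
    lan: IPv4Network
    rules: list[VpnRule] = field(default_factory=list)


def nets(*cidrs: str) -> list[IPv4Network]:
    return [ip_network(c) for c in cidrs]


def covered(policy: list[IPv4Network], target: IPv4Network) -> bool:
    """True if one network in the policy contains the whole target network."""
    return any(n.supernet_of(target) for n in policy)


def check_hub_and_spoke(hub: Site, spokes: list[Site]) -> list[str]:
    """Return 'ERROR: ...' and 'NOTE: ...' findings; an empty list means clean."""
    findings: list[str] = []
    sites = [hub, *spokes]

    # Site LANs must be distinct: overlapping local policies cannot be routed.
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if a.lan.overlaps(b.lan):
                findings.append(f"ERROR: LAN of {a.name} ({a.lan}) overlaps LAN of {b.name} ({b.lan})")

    for spoke in spokes:
        others = [s for s in sites if s is not spoke]

        # The hub needs a separate rule per spoke, with that spoke's LAN in the remote policy.
        hub_rule = next((r for r in hub.rules if covered(r.remote, spoke.lan)), None)
        if hub_rule is None:
            findings.append(f"ERROR: {hub.name} has no VPN rule whose remote policy covers {spoke.name} ({spoke.lan})")
        else:
            # Traffic from the hub or another spoke enters this tunnel only if the
            # hub rule's local policy lists that site's LAN.
            for t in others:
                if not covered(hub_rule.local, t.lan):
                    findings.append(f"ERROR: {hub.name} rule {hub_rule.name}: local policy does not cover "
                                    f"{t.name} ({t.lan}), so {t.name} cannot reach {spoke.name}")

        # The spoke's remote policy (union of its rules) must reach the hub and
        # every other spoke, otherwise that traffic bypasses the tunnel.
        reach = [n for r in spoke.rules for n in r.remote]
        for t in others:
            if not covered(reach, t.lan):
                findings.append(f"ERROR: {spoke.name}: remote policy does not cover {t.name} ({t.lan})")

        # A wide remote range (or 0.0.0.0/0 to send all Internet traffic through the
        # tunnel) that also contains the spoke's own LAN needs the ZyNOS workaround.
        for r in spoke.rules:
            if any(n.overlaps(spoke.lan) for n in r.remote):
                findings.append(f"NOTE: {spoke.name} rule {r.name}: remote policy overlaps its own LAN "
                                f"{spoke.lan}; on a ZyNOS ZyWALL set 'ipsec swSkipOverlapIp on'")

    return findings


def good_design() -> tuple[Site, list[Site]]:
    """Constructed sample: hub, spoke A with a wide remote range (the ZyNOS style
    in the tutorial), spoke B with a narrow remote range covering both tunnels."""
    hub = Site("Hub", ip_network("192.168.1.0/24"), [
        VpnRule("to-SpokeA", nets("192.168.1.0/24", "192.168.3.0/24"), nets("192.168.2.0/24")),
        VpnRule("to-SpokeB", nets("192.168.1.0/24", "192.168.2.0/24"), nets("192.168.3.0/24")),
    ])
    spoke_a = Site("SpokeA", ip_network("192.168.2.0/24"),
                   [VpnRule("to-Hub", nets("192.168.2.0/24"), nets("192.168.0.0/16"))])
    spoke_b = Site("SpokeB", ip_network("192.168.3.0/24"),
                   [VpnRule("to-Hub", nets("192.168.3.0/24"), nets("192.168.1.0/24", "192.168.2.0/24"))])
    return hub, [spoke_a, spoke_b]


def broken_design() -> tuple[Site, list[Site]]:
    """Same sites, but the hub has one rule with a bare local policy and spoke B
    only lists the hub in its remote policy."""
    hub, (spoke_a, spoke_b) = good_design()
    hub.rules = [VpnRule("to-SpokeA", nets("192.168.1.0/24"), nets("192.168.2.0/24"))]
    spoke_b.rules = [VpnRule("to-Hub", nets("192.168.3.0/24"), nets("192.168.1.0/24"))]
    return hub, [spoke_a, spoke_b]


if __name__ == "__main__":
    for label, (hub, spokes) in (("good", good_design()), ("broken", broken_design())):
        print(f"== {label} design ==")
        for finding in check_hub_and_spoke(hub, spokes):
            print(finding)
```

The good design produces no errors, only the note that spoke A's wide remote range contains its own LAN; the broken design reports that spoke B has no hub rule, that the hub's rule to spoke A omits spoke B from its local policy, and that spoke B's remote policy cannot reach spoke A. Firewall and intra-zone settings are not modelled, so a clean result still needs those checked by hand.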

7.7 How to Configure User-aware Access Control

You can configure many policies and security settings for specific users or groups
of users. The following example illustrates this: you will set up the policies
listed in Table 21. This is a simple example that does not include priorities for
different types of traffic; see Bandwidth Management on page 555 for more on
bandwidth management.

Table 21 User-aware Access Control Example

GROUP (USER)        WEB SURFING   WEB BANDWIDTH   MSN                       LAN-TO-DMZ ACCESS
Finance (Leo)       Yes           200K            No                        Yes
Engineer (Steven)   Yes           100K            No                        No
Sales (Debbie)      Yes           100K            Yes (M-F, 08:30~18:00)    Yes
Boss (Andy)         Yes           100K            Yes                       Yes

146 ZyWALL USG 100/200 Series User's Guide
