USG 1000 Restricting access through a site to site tunnel

CaptSQL Posts: 1  Freshman Member
edited April 2021 in Security

Our central office has a USG1000 with several site to site ipsec tunnels coming from our remote divisions. The local network on our end is "wide open" to our divisions. No issue there. We will be doing business with a 3rd party who also wants a site to site tunnel to the central office. We only want this 3rd party to have access to 2 machines with a specific port number. As traffic comes through the tunnel from the remote 3rd party, how do we restrict them to the 2 machines? Any help would be appreciated as we have never restricted a tunnel before and it is a bit over my head.



  • jonatan
    jonatan Posts: 146  Ally Member
    I think a rule in Policy Route will help you: in Source specify the remote subnet of the new client, in Destination specify a group of the PCs from your network that they need, in Service the necessary ports, and as Next-Hop the VPN tunnel.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    I would like to confirm the information below.
    1. Do you want the PCs behind the third-party device to be able to access only the servers with a specific port, and are the servers in the local policy?
    2. Is your topology like this:
    Servers----USG1000---VPN connection---3rd party----PCs

    If yes, you need to set the configuration as below.
    First rule

    Second rule
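The two-rule layout in this answer (a specific allow for the two servers on the required port, followed by a deny for everything else coming from the third-party tunnel) can be sanity-checked before it is applied. The following is an added example, not from the thread or from Zyxel: a small Python model of first-match firewall evaluation, with constructed addresses (192.0.2.0/24 as the third-party subnet, 10.0.0.10 and 10.0.0.11 as the two servers, port 1433 as the service) and sample traffic, that reports where a rule set lets through more than the poster intends.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder values for this example (not from the thread).
THIRD_PARTY_NET = ip_network("192.0.2.0/24")  # remote subnet behind the 3rd-party tunnel
ALLOWED_SERVERS = frozenset(map(ip_address, ["10.0.0.10", "10.0.0.11"]))  # the two machines
ALLOWED_PORT = 1433                            # the one service port they may reach

@dataclass(frozen=True)
class Rule:
    name: str
    src: object      # ip_network, or None for "any"
    dst: object      # frozenset of ip_address, or None for "any"
    dport: object    # int, or None for "any"
    action: str      # "allow" or "deny"

def matches(rule, src, dst, dport):
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.dport is None or dport == rule.dport))

def evaluate(rules, src, dst, dport):
    """First matching rule wins; no match falls through to the wide-open default."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "allow"

def intended(src, dst, dport):
    """The policy the original poster describes: 3rd party restricted, own divisions open."""
    if src in THIRD_PARTY_NET:
        return "allow" if dst in ALLOWED_SERVERS and dport == ALLOWED_PORT else "deny"
    return "allow"

def audit(rules, probes):
    """Return (probe, verdict, intended) for every probe the rule set gets wrong."""
    return [(p, evaluate(rules, *p), intended(*p))
            for p in probes if evaluate(rules, *p) != intended(*p)]

FIRST_RULE = Rule("3rd party -> servers:port", THIRD_PARTY_NET, ALLOWED_SERVERS, ALLOWED_PORT, "allow")
SECOND_RULE = Rule("3rd party -> anything else", THIRD_PARTY_NET, None, None, "deny")

PROBES = [  # constructed test traffic: (source, destination, destination port)
    (ip_address("192.0.2.5"), ip_address("10.0.0.10"), 1433),  # the permitted use
    (ip_address("192.0.2.5"), ip_address("10.0.0.10"), 3389),  # right host, wrong port
    (ip_address("192.0.2.5"), ip_address("10.0.0.50"), 1433),  # right port, wrong host
    (ip_address("172.16.4.9"), ip_address("10.0.0.50"), 22),   # own division, unrestricted
]

if __name__ == "__main__":
    print("allow rule only:", audit([FIRST_RULE], PROBES))              # two gaps reported
    print("allow + deny   :", audit([FIRST_RULE, SECOND_RULE], PROBES))  # []
```

Without the second (deny) rule the unmatched third-party traffic falls through to the open default, which is exactly the gap the audit reports.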

