USG40 - routing traffic between two networks

LenBH
LenBH Posts: 12  Freshman Member
First Comment Seventh Anniversary

I have two networks in our office: one for general office traffic (192.168.2.x - P1/lan1), and one for a control system (machine automation, PLCs, etc) (192.168.15.x - P4/DMZ). I need to keep the control network isolated so it doesn't get bogged down by heavy office traffic. However, I want to be able to access specific nodes on the .15.x control network from the office network. Can anyone point me to the right way to do that? Thanks!

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,318  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    So you can do a rule

    from LAN1

    to DMZ

    source any

    destination group of control devices

    service if you know it

    The office PCs will make the connection into DMZ and get the reply back; DMZ cannot make connections to LAN1 unless you make a rule to do so.
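    To make the accepted answer's behaviour concrete, here is an added model (not the USG40's configuration syntax and not the poster's rules) of a zone-based, stateful policy: one rule from LAN1 to DMZ with source any and destination limited to a group of control devices, replies allowed by connection state, everything DMZ-initiated denied. The zone subnets come from the question; the three device addresses and the Modbus/EtherNet-IP ports (502, 44818) are constructed assumptions standing in for "service if you know it".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Zone membership as described in the question (assumed /24s).
ZONES = {"LAN1": ip_network("192.168.2.0/24"), "DMZ": ip_network("192.168.15.0/24")}
# Constructed sample group of control devices reachable from the office.
CONTROL_DEVICES = frozenset(ip_address(a) for a in
                            ("192.168.15.10", "192.168.15.11", "192.168.15.12"))

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_hosts: Optional[FrozenSet]   # None means "any"
    services: Optional[FrozenSet]    # None means "any" (TCP/UDP port numbers)

# The single rule from the accepted answer: LAN1 -> DMZ, source any,
# destination = the control group, service = the PLC protocols we know about.
RULES = [Rule("LAN1", "DMZ", CONTROL_DEVICES, frozenset({502, 44818}))]

def zone_of(addr):
    """Return the zone name whose subnet contains addr, or None."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return None

class StatefulPolicy:
    """Minimal model of stateful zone filtering: a new flow must match a rule;
    the reply direction passes only if the forward flow was accepted earlier."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()          # (src, sport, dst, dport) of accepted flows

    def allow(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.sessions:
            return True                # reply to an established session
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.rules:
            if (r.src_zone == sz and r.dst_zone == dz
                    and (r.dst_hosts is None or ip_address(dst) in r.dst_hosts)
                    and (r.services is None or dport in r.services)):
                self.sessions.add((src, sport, dst, dport))
                return True
        return False                   # default deny between zones
```

An office PC reaching a grouped device on port 502 is accepted and its reply passes, while a DMZ host opening a new connection to LAN1, or an office PC targeting a device outside the group or a service not in the rule, is dropped.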

All Replies

  • PeterUK
    PeterUK Posts: 3,318  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 23

    Depending on the zones you used, it would be a LAN1-to-DMZ policy rule; you can add source/destination IP and service. What you can't do is allow broadcast traffic between subnets.

  • LenBH
    LenBH Posts: 12  Freshman Member
    First Comment Seventh Anniversary
    edited September 23

    Thanks for the reply! Since many office PCs will want to access three control network devices, is there an easy way to open access from all office PCs to three individual control devices, without allowing broadcast traffic? What if I had three rules allowing "from any" on LAN1 to a specific IP on DMZ? Is that safe to do? And in doing this, I'd be exposing specific 192.168.15.x devices to the office network, and they would be accessed from the office network via that same IP (.15.x), right? (Sorry if my novice-ness is showing!)

  • LenBH
    LenBH Posts: 12  Freshman Member
    First Comment Seventh Anniversary

    Many thanks, Peter. Worked like a charm. Created the group of control devices, added the policy rule, and added a route on my desktop PC, and voila! Connected!