I would not trust anyone.
Since you do not solely manage the Netscreen, your best bet is probably
to do what Moreno said: "2) use 2 monowall on you side (one behind the
This way you have control over what their machines have access to on
your network. A bit much possibly in terms of management etc, but safest
way when you don't control the other side.
Joe Lagreca wrote:
> I thought about that, but it's not very secure, because they, as well
> as other consultants, have access to the netscreen, and can change
> those rules anytime.
> I was thinking the best would be to block their traffic on my side.
> That way they couldn't disable the rules to prevent them from
> accessing my network segment.
> I guess at this point I will just have to trust them.
> On 4/12/06, mtnbkr <waa dash m0n0wall at revpol dot com> wrote:
>> Joe Lagreca wrote:
>>> Is it possible to create a one way IPsec VPN?
>>> For example, I have created an IPsec VPN from my office m0n0wall to
>>> one of my clients' Netscreens. Is there some way I can set it up so
>>> that I can access resources on their LAN, but not let them have
>>> access to my LAN?
>>> I have tried creating a few rules to try and prevent them having
>>> access, but haven't had any success.
>>> Has anyone tried this before? Is this even a possibility?
>> Hi Joe.
>> Yes, and yes. But it depends on Netscreen's capabilities. I do this with
>> many of my clients - but all from m0n0wall <-> m0n0wall.
>> To do this you will need to think in reverse. That is, on the CLIENT's
>> Netscreen you will need to set up rule(s) to block all traffic TO your lan.
>> If that is not possible on the Netscreen, you may consider moving them
>> to a m0n0wall.
>> Bill Arlofski
>> Reverse Polarity