Hello all. I have recently finished wading through the config of a Netscreen 5GT. It has been interesting. I now have a successful VPN tunnel to my hub Cisco 1841, and am almost ready to deploy. However, I have one fundamental question. On most of my Cisco and Vyatta routers, I implement an inbound WAN ACL to prevent RFC1918 traffic and other traffic that should, under no circumstances, be getting into my network. Example below (this is just a snip of the full ACL):
remark Drop packets arriving on the WAN with private (RFC1918) source addresses
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Drop loopback and link-local sources (169.254.0.0/16 needs wildcard 0.0.255.255, not 0.0.0.255)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
remark Allow IKE and ESP from the remote VPN peer to this router only
permit udp host <remote> eq isakmp host <local> eq isakmp
permit esp host <remote> host <local>
What is the best way to do this in ScreenOS? Should I be utilizing both untrust-vr and trust-vr? Thanks for the insights!
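As an added illustration (not part of the original post), the script below parses Cisco wildcard-mask deny entries like those above, checks sample source addresses against them, and emits equivalent ScreenOS address-book objects plus one deny policy. It also shows why the wildcard on the 169.254 line matters: 0.0.0.255 covers only a /24. The ScreenOS `set address` / `set group address` / `set policy` syntax is from my own knowledge of the ScreenOS CLI and is an assumption to verify against your release; the zone names Untrust/Trust and the object names are placeholders.

```python
import ipaddress

# Constructed sample: the deny entries from the post, with the link-local
# wildcard corrected to cover the whole 169.254.0.0/16 range.
SAMPLE_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0 bits must match, 1 bits are don't-care.
    Non-contiguous wildcards cannot be expressed as a prefix and raise ValueError."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_deny_sources(acl_text):
    """Return the source networks of every 'deny ip <addr> <wildcard> any' line."""
    nets = []
    for line in acl_text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "deny" and parts[1] == "ip":
            nets.append(wildcard_to_network(parts[2], parts[3]))
    return nets

def is_denied(src_ip, nets):
    """True if a packet with this source address would hit one of the deny entries."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(ip in net for net in nets)

def to_screenos(nets, src_zone="Untrust", dst_zone="Trust", group="bogon-sources"):
    """Emit ScreenOS commands (assumed syntax): one address object per network,
    all collected into an address group, then a single logged deny policy at the top."""
    cmds = []
    for net in nets:
        name = f"bogon-{net.network_address}-{net.prefixlen}"
        cmds.append(f'set address {src_zone} "{name}" {net.network_address} {net.netmask}')
        cmds.append(f'set group address {src_zone} "{group}" add "{name}"')
    cmds.append(f'set policy top from {src_zone} to {dst_zone} "{group}" any any deny log')
    return cmds

if __name__ == "__main__":
    nets = parse_deny_sources(SAMPLE_ACL)
    for src in ("192.168.1.5", "169.254.200.1", "8.8.8.8"):
        print(src, "denied" if is_denied(src, nets) else "permitted")
    print("\n".join(to_screenos(nets)))
```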