04-20-2012 01:08 AM
If you use the route-based VPN the policies and VPN itself are fully independent on each other. This is a great advantage of the route based VPN. The multiple and very granular policies can be created while the VPN stays the same. But if you need a simple access policy, the same for all dialup users, create an Untrust subnet object like 126.96.36.199/27 which covers the remote IP pool or a group of the host objects like 188.8.131.52/32 - 172.168.3.x/32. Configure a single Untrust-to-Trust policy:
Subnet object or Group -> 184.108.40.206/24 Service: Any.
If you assign no DNS in the IP pool the client uses DNS servers which are configured in TCP/IP. If internal servers should be used their addresses should be added to the pool configuration. If these servers are not located in the network 220.127.116.11/24 you need one more VPN Proxy ID (topology entry) both on the client and the FW. Otherwise the cllients will not be able to reach the DNS servers.
I assume that you use ScreenOS 6.3 which supports multiple Proxy IDs with the route-based VPN.