VPN wrong/weird way of use?

[massimiliano]

Hi all,

I'm configuring a vpn-1pro as a vpn gateway (will be a cluster soon) NG55AI.
The topology is this one:

-internal corporate network (10.0.0.0) not managed from us.
-a corporate network subnet given to us (10.196.88.0/24) but as a stub network (no next hop router given, is a flat address range... I'm using proxy arp now)
-our internal server farm networks (many 192.168.x.0) not advertised to the corporate or the internet (of course).
-six public internet addresses.
-remote users have Mac,Windows and linux.

It's mandatory to (boss request..I cannot say no..):

1) let users from corporate network access in vpn to the server farm.
2) let users from corporate network access internet via the same vpn.
3) let users from corporate network access the corporate network (yes) trough the firewall 10.196.88.0 corporate ip.
4) let remote users from internet, access the server farm.
5) let remote users from internet, access the 10.0.0.0 corporate network.
6) let remote users from internet, access internet trough the firewall public ip.

I've managed to accomplish points 1,2,3 configuring a weird encryption domain (with internet defined in..), but I'm feeling i'm going too much against the normal deploy of a vpn-1, and I have not the remote access features. Securemote client should be out the encryption domain or not?


The question is:
Is possible with just one enforcement module, to accomplish this request?
Is there a way to route packet from vpn clients to others networks not in the enc domain? (drop implied rule encountered: packet decrypted, but policy say connection should nott be decrypted).

Thanks in advance,

Massimiliano