GldenJoe,
Thanks for the reply. I'm not sure if I'm following on what makes this a bad practice. The point would be to limit the incoming traffic on WAN2 to 2 private networks, if not select IPs. Sure, if one of the internal corp devices got compromised, they'd have full access to the state devices, but they'd already have access to the corp devices and all VPN devices, so I'm pretty screwed at that point anyhow. I'm just looking to avoid having to have the state office need to go over the Internet for a connection to our corp office, as it is simply across a hall. Obviously, incoming traffic is blocked for a reason. I'm not arguing. I'm just trying to understand what makes it a bad practice.
As for your workaround, can you help me get a better picture of it? Are you suggesting that I should have an MX behind an MX? Currently, corp has an MX250 connected to an MS250. The MS250 port that is connected to the WAN2 on the state MX is configured with the server VLAN as native and only the server and voice VLANs are allowed. At this point, the desire is to have the state users be able to access the corp servers and the corp servers see the state printers, while the state phones see the voice controllers and the voice controllers see the state phones. With your suggestion, are you saying for me to create a "state" VLAN, assign it to the MS250 port and have it connect to something other than the state MX WAN2 port? I'm trying to draw it out, but I'm not seeing how it works.
Again, I'm not arguing, and appreciate the reply. I'm just not quite understanding it. Fortunately, the state office is not currently live, so I can test any design, as long as it doesn't negatively impact the existing corp network.
Thank you,
Jeremy