Hello, hope all is well. We are now at a point to deploy the Z3 to remote workers for VPN phones (Avaya's). We want to restrict everything as much as possible.
So here's what I'm gonna do to make sure it's covered if anyone plugs into the Z3 besides our equipment:
- Remote end user plugs in from whatever SOHO device they use at home to the WAN/Internet port of the Z3, which gets the uplink.
- The Z3 then has its own network, segregated from the home they're in. (I tested this at my house, so I know this works.)
- Build the Z3 local VLAN as xxx.xxx.xxx.xxx/30 to try to keep anyone from plugging extra devices in and having them work, by limiting IPs.
- Have the remote user plug into port 5 as the PoE-powered phone port.
- Reserve the Avaya phone's IP (the one it gets) via the dashboard.
- Set up a tunnel in the Z3 network to the spoke/hub where the call server is.
All the above works, and the phone talks to the call server etc. Now here's where I'm stuck.
I want to limit, if possible, the one IP the Avaya phone has at the remote site on the tunnel to the VPN site where the call server resides. In an S2S scenario with ASAs, I had no issue just assigning one host. I don't want anything else from the remote user to ever pass traffic, just in case by some miracle they plugged a PC into the same network on the Z3.
Is there a way to do that without breaking all the other S2S corporate VPNs we have set up? Should this be in the S2S firewall rules? I'm worried this will affect other S2S rules, as I read it applies to all MX S2S.
Any input would be highly appreciated. Thanks for all the help.
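The worry in the post is whether a rule pair scoped to the teleworker /30 (allow the phone to the call server, deny everything else from that /30) would spill over onto the other site-to-site VPNs. The Python below is an added example, not code from the poster or from Meraki; it models a VPN firewall rule list the way the post describes the MX handling it (assumption: rules are evaluated top-down, first match wins, with an implicit allow at the end) and checks representative flows. Every address is constructed for the example: the Z3 LAN is 10.50.0.0/30 with the phone on 10.50.0.2, the call server is 10.1.1.10, and 10.2.0.0/24 and 10.3.0.0/24 stand in for two other S2S sites. It also shows why the order of the two rules matters and that a /30 leaves exactly two usable addresses (gateway and phone).

```python
"""Model a first-match VPN firewall rule list and check that an
allow/deny pair scoped to a teleworker /30 touches only that subnet.

Assumptions (not confirmed by the original post): rules are evaluated
top-down, the first match decides, and unmatched traffic is allowed.
All addresses below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    comment: str = ""


def _matches(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr ("any" matches everything)."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "allow") -> str:
    """Return the policy of the first rule matching (src, dst), else default."""
    for rule in rules:
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.policy
    return default


# Constructed addressing for the example.
Z3_LAN = "10.50.0.0/30"        # teleworker /30 behind the Z3
PHONE = "10.50.0.2"            # reserved Avaya phone address
CALL_SERVER = "10.1.1.10"      # call server at the hub site

# The rule pair under discussion: one host allowed, the rest of the /30 denied.
# Ordering matters: the narrow allow must precede the broad deny.
RULES = [
    Rule("allow", PHONE + "/32", CALL_SERVER + "/32", "Avaya phone to call server"),
    Rule("deny", Z3_LAN, "any", "nothing else from the teleworker /30"),
]


def usable_hosts(cidr: str):
    """Usable host addresses in a subnet; a /30 leaves only two."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def check_policy(rules=RULES) -> dict:
    """Evaluate the rule list against flows a practitioner would want to verify."""
    return {
        # The one flow that must keep working.
        "phone_to_callserver": evaluate(rules, PHONE, CALL_SERVER),
        # The phone must not reach anything else across the VPN.
        "phone_to_other_site": evaluate(rules, PHONE, "10.2.0.25"),
        # Any other address on the /30 (e.g. a PC on the gateway side) is blocked.
        "z3_lan_other_to_callserver": evaluate(rules, "10.50.0.1", CALL_SERVER),
        # Traffic between two unrelated S2S sites never matches the pair,
        # so the default still applies and those VPNs are unaffected.
        "other_site_to_other_site": evaluate(rules, "10.2.0.25", "10.3.0.40"),
    }


if __name__ == "__main__":
    print("usable hosts on", Z3_LAN, "->", usable_hosts(Z3_LAN))
    for flow, verdict in check_policy().items():
        print(f"{flow:30s} {verdict}")
    # Same two rules in the wrong order: the broad deny now eats the phone's traffic.
    print("reversed order, phone to call server ->",
          evaluate(list(reversed(RULES)), PHONE, CALL_SERVER))
```

The model enforces by source address only, so it cannot distinguish the phone from any other device that ends up with the phone's reserved address; the /30 limits how many addresses exist, and the DHCP reservation ties the address to the phone's MAC, but neither is an identity check. The useful property the check demonstrates is that both rules name the teleworker /30 as the source, so flows between other S2S sites never match them and fall through to the default as before.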