If you want all remote sites' participating VLANs to access the subnet at HQ:

Example:
HQ Subnet: 192.168.1.0/24
Remote Site 1 Subnet: 192.168.2.0/24

Site-to-Site VPN rule: Allow  Any (protocol)  Any (src)  Any (port)  192.168.1.0/24 (dest)  Any (port)
Site-to-Site VPN rule: Deny   Any (protocol)  Any (src)  Any (port)  Any (dest)             Any (port)

This would block traffic originating at HQ destined to the remote sites unless you specify that with another allow rule before the Deny Any.
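The ordering point in the post above (rules are matched top-down, so the catch-all Deny also swallows HQ-initiated traffic unless a more specific Allow sits above it) can be checked with a small first-match evaluator. This is an added example, not code from the post or from any vendor; the rule tuples are the ones the post lists, the hosts and ports are constructed sample flows, and the `default` action applied when no rule matches is an assumption. It models only rule ordering on new flows and does not model connection state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    protocol: str  # "any", "tcp", "udp", "icmp"
    src: str       # CIDR or "any"
    sport: str     # port number as a string, or "any"
    dst: str       # CIDR or "any"
    dport: str     # port number as a string, or "any"


def _net_matches(pattern: str, ip: str) -> bool:
    if pattern.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    return pattern.lower() == "any" or int(pattern) == port


def evaluate(rules, protocol, src, sport, dst, dport, default="allow"):
    """Return the action of the first rule matching the flow.

    `default` is what applies when nothing matches (assumption for this
    example; the post's explicit Deny Any makes it irrelevant there).
    """
    for rule in rules:
        if (rule.protocol.lower() in ("any", protocol.lower())
                and _net_matches(rule.src, src)
                and _port_matches(rule.sport, sport)
                and _net_matches(rule.dst, dst)
                and _port_matches(rule.dport, dport)):
            return rule.action
    return default


# The two rules exactly as the post lists them, in that order.
POST_RULES = [
    Rule("allow", "any", "any", "any", "192.168.1.0/24", "any"),
    Rule("deny", "any", "any", "any", "any", "any"),
]

# The post's suggested fix: an extra Allow placed before the Deny Any.
# (HQ -> Remote Site 1 only; the exact scope of that rule is an assumption.)
FIXED_RULES = [
    POST_RULES[0],
    Rule("allow", "any", "192.168.1.0/24", "any", "192.168.2.0/24", "any"),
    POST_RULES[1],
]


def decisions(rules):
    """Evaluate three constructed sample flows against a rule list."""
    return {
        # Remote Site 1 host opening HTTPS to an HQ server
        "remote1_to_hq": evaluate(rules, "tcp", "192.168.2.10", 51000, "192.168.1.5", 443),
        # HQ host opening SMB to a Remote Site 1 host
        "hq_to_remote1": evaluate(rules, "tcp", "192.168.1.5", 51001, "192.168.2.10", 445),
        # Remote Site 1 pinging a (hypothetical) Remote Site 2 on 192.168.3.0/24
        "remote1_to_remote2": evaluate(rules, "icmp", "192.168.2.10", 0, "192.168.3.10", 0),
    }


if __name__ == "__main__":
    for name, rules in (("post rules", POST_RULES), ("with extra allow", FIXED_RULES)):
        print(name)
        for flow, verdict in decisions(rules).items():
            print(f"  {flow:20s} -> {verdict}")
```

Running it shows the post's point directly: with only the two listed rules, remote-to-HQ is allowed but HQ-to-remote hits the Deny Any; with the extra Allow above the Deny, HQ-to-remote passes while remote-to-remote stays blocked. Swapping the order so the Deny Any comes first would block everything, which is why the position of the catch-all matters.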