Site - Site VPN with different Access Rights.

18 years 5 months ago #11255 by christiaan
Another option would be Endian Firewall because of its enhanced features.
18 years 5 months ago #11257 by christiaan

How about setting up a separate VLAN that they have to plug into on a switch (or a couple of ports on a switch) which has a DHCP scope of around 10 IPs for example's sake, and then ACL that network range from the network so that it doesn't go through the VPN tunnel?


Not sure what you are trying to achieve here? Sounds overly complicated for what you state you need to achieve.

Need more info such as the network services you want to allow to your trusted/untrusted clients?
18 years 5 months ago #11261 by IP-bod
Apologies if I wasn't clear.

Basically I have 2 types of users.

1. untrusted - They plug into the remote LAN and access local resources and internet access.

2. trusted - same as above but they need to access the corporate LAN over a VPN tunnel connection, which I would like to set up using a 506e or 515e.

Question is: How can I enforce a policy whereby untrusted users connect to the LAN but not into the corporate LAN over the VPN tunnel?

Remember I intend on setting up a site 2 site VPN soon.

Hope that's clear ?? :)

IP-bod
18 years 5 months ago #11262 by DaLight
It's all clear now IP-bod. At your remote site, you've got two sets of users. One set will have access to the Site-Site VPN while the other set won't. I think the confusion arose because you mentioned two tunnels.

You should only need one VPN tunnel and then you could use ACLs on the firewall at the remote office to allow restrict access to the corporate LAN for the IPs of the trusted users.
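The single-tunnel ACL approach from the reply above, sketched as a remote-office PIX configuration. This is an added example, not part of the original thread; it assumes PIX OS 6.x syntax, and every address, ACL name, map name and the pre-shared-key placeholder is constructed for illustration.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   remote LAN            192.168.20.0/24
!   trusted users         192.168.20.16/28 (static or reserved addresses)
!   corporate LAN         10.10.0.0/16
!   head-office VPN peer  203.0.113.1

! Traffic selected for the tunnel: trusted range to corporate LAN only.
! The head-office firewall needs the mirror image of this ACL.
access-list VPN-TRUSTED permit ip 192.168.20.16 255.255.255.240 10.10.0.0 255.255.0.0

! Exempt the tunnelled traffic from NAT
access-list NONAT permit ip 192.168.20.16 255.255.255.240 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Inside interface filter: trusted range may reach the corporate LAN,
! the rest of the remote LAN is denied that destination but keeps
! Internet access
access-list INSIDE-IN permit ip 192.168.20.16 255.255.255.240 10.10.0.0 255.255.0.0
access-list INSIDE-IN deny ip 192.168.20.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list INSIDE-IN permit ip 192.168.20.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

! One site-to-site tunnel, bound to the trusted-only ACL
sysopt connection permit-ipsec
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN-TRUSTED
crypto map SITE2SITE 10 set peer 203.0.113.1
crypto map SITE2SITE 10 set transform-set TS-3DES-SHA
crypto map SITE2SITE interface outside

! IKE phase 1 with a pre-shared key (placeholder value)
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Because the policy keys on source address, it is only as strong as the control over who can hold an address in the trusted range; dedicated switch ports or a separate VLAN for one group, as suggested earlier in the thread, tightens that.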
18 years 5 months ago #11267 by christiaan
If you're running an MS domain then you could have a remote access group that has access via the VPN to the corporate LAN and limit your untrusted clients' permissions to local network resources in a separate group.
18 years 5 months ago #11275 by Rockape
:D

That sounds like the best idea.