I need to place a centrally managed SMB FW into a partner's network, behind his firewall, to allow a small number of the partner's systems to be placed behind the SMB device and thus be allowed to communicate with my corporate network via VPN. The partner's systems that will be behind the SMB FW will still need access to the rest of the partner's network and to the world through the partner's corporate network.
So, I'm wondering if something like this will work for the policy. Note that these pseudo-rules are for src, dst, vpn community, service, action.
1. Precursor rules to allow the SMB to call home and other things.
2. VPN rules to allow very limited communication between specific systems. These rules will all have a VPN community in the rule.
3. A cleanup rule for the VPN which looks like: any, any, vpn community, any, drop
4. An outbound rule for other traffic: InternalZone, ExternalZone, any, any, accept
5. A full clean up rule: any, any, any, any, drop
My question is about rule 3: It's intended to stop any other traffic from entering the VPN tunnel. Will it work?
If it would work, could I then write the VPN rules with an inline layer, something like:
a. any, any, vpn community, any, inline layer
i. inline layer vpn rule 1
ii. inline layer vpn rule 2
iii. inline layer cleanup rule: any, any, any, any, drop
b. other rules for non-VPN traffic
Thanks and Best Regards,
Dale
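The following is an added example, not part of Dale's post and not Check Point's matching engine: a simplified first-match model of the two policy layouts described above (flat policy with a VPN cleanup rule, and the inline-layer variant). Host names, zone assignments, the community name "PartnerVPN" and the services are constructed labels. It lets you see, in the model, which rule a given flow lands on, and in particular what happens to VPN-community traffic that no specific rule allows when the VPN cleanup rule is present versus absent.

```python
"""Simplified first-match model of a layered firewall policy.

Each rule is (src, dst, vpn, service, action) as in the post; "any" matches
everything. A packet carries the VPN community it belongs to, or None for
cleartext traffic. Constructed model for reasoning about rule order only;
it is not the vendor's real matching logic.
"""
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"

# Constructed host-to-zone mapping so zone-based rules can match hosts.
ZONES = {
    "smb-gw": "InternalZone", "partner-a": "InternalZone", "partner-c": "InternalZone",
    "corp-mgmt": "ExternalZone", "corp-app": "ExternalZone", "internet-host": "ExternalZone",
}


@dataclass
class Packet:
    src: str
    dst: str
    vpn: Optional[str]   # community name, or None for cleartext traffic
    service: str


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    vpn: str
    service: str
    action: str                                 # "accept", "drop" or "inline"
    layer: list = field(default_factory=list)   # sub-rules when action == "inline"

    def matches(self, pkt: Packet) -> bool:
        def hit(wanted, host):
            return wanted == ANY or wanted == host or wanted == ZONES.get(host)
        return (hit(self.src, pkt.src) and hit(self.dst, pkt.dst)
                and (self.vpn == ANY or self.vpn == pkt.vpn)
                and (self.service == ANY or self.service == pkt.service))


def evaluate(rules, pkt):
    """Return (rule name, action) of the first rule that matches pkt.

    An inline layer is evaluated recursively. If nothing inside the layer
    matches, the model applies an implicit drop (assumption of this model).
    Returns None when no rule in the top-level policy matches.
    """
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "inline":
            return evaluate(rule.layer, pkt) or (rule.name + "/implicit-cleanup", "drop")
        return (rule.name, rule.action)
    return None


def without_rule(rules, name):
    """Copy of a policy with one rule removed, to show what that rule changes."""
    return [r for r in rules if r.name != name]


# Flat layout from the post: precursor, VPN rule, VPN cleanup, outbound, cleanup.
FLAT_POLICY = [
    Rule("1-smb-call-home", "smb-gw", "corp-mgmt", ANY, "https", "accept"),
    Rule("2-vpn-partner-a", "partner-a", "corp-app", "PartnerVPN", "ssh", "accept"),
    Rule("3-vpn-cleanup", ANY, ANY, "PartnerVPN", ANY, "drop"),
    Rule("4-outbound", "InternalZone", "ExternalZone", ANY, ANY, "accept"),
    Rule("5-cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# Inline-layer layout: one parent rule keyed on the community, sub-rules inside it.
INLINE_POLICY = [
    Rule("1-smb-call-home", "smb-gw", "corp-mgmt", ANY, "https", "accept"),
    Rule("a-vpn-layer", ANY, ANY, "PartnerVPN", ANY, "inline", layer=[
        Rule("a.i-vpn-partner-a", "partner-a", "corp-app", "PartnerVPN", "ssh", "accept"),
        Rule("a.iii-layer-cleanup", ANY, ANY, ANY, ANY, "drop"),
    ]),
    Rule("b-outbound", "InternalZone", "ExternalZone", ANY, ANY, "accept"),
    Rule("b-cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# Constructed sample flows: an allowed VPN flow, an unlisted VPN flow,
# ordinary outbound cleartext, and unsolicited inbound cleartext.
SAMPLE_FLOWS = [
    Packet("partner-a", "corp-app", "PartnerVPN", "ssh"),
    Packet("partner-c", "corp-app", "PartnerVPN", "ssh"),
    Packet("partner-a", "internet-host", None, "http"),
    Packet("internet-host", "partner-a", None, "http"),
]

if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("inline", INLINE_POLICY),
                          ("flat-without-rule-3", without_rule(FLAT_POLICY, "3-vpn-cleanup"))):
        for pkt in SAMPLE_FLOWS:
            print(f"{label:22} {pkt.src:>13} -> {pkt.dst:<13} vpn={pkt.vpn!s:<10} "
                  f"{pkt.service:<5} => {evaluate(policy, pkt)}")
```

In the model, the unlisted VPN flow (partner-c to corp-app inside PartnerVPN) lands on the VPN cleanup rule in both layouts; remove rule 3 from the flat policy and the same flow falls through to the zone-based outbound rule because its VPN column is "any". Whether the real gateway classifies a flow as belonging to the community before rule matching is a product question the model does not answer, so confirm the behaviour in the vendor's documentation or a lab before relying on it.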