
Created on 06-07-2010 07:37 AM
SSL Destination is unreachable due to system error
I have an SSL VPN set up on a 110C. There is an IPsec VPN interface to an 80C. The SSL VPN cannot reach the 80C. I get an error message saying
"Destination is unreachable due to system error". I have an SSL policy to the IPsec VPN interface and one coming back. Am I missing something, or is this a true error and I need to reboot or escalate to Fortinet?

Created on 06-11-2010 01:34 PM
I have changed all those settings to what you suggested and I am still having no luck... This is just crazy...

Let me see if I can write a test case to make sure nothing was missed ;)
There are two locations, I'll call them SITE-A and SITE-B.
SITE-A has an internal network with a subnet of 192.168.100.0/24.
SITE-B has an internal network with a subnet of 192.168.200.0/24.
The internal interface of SITE-A is assigned 192.168.100.1 and PING is enabled on the interface.
The internal interface of SITE-B is assigned 192.168.200.1 and PING is enabled on the interface.
There is a nailed-up IPSec tunnel between SITE-A and SITE-B.
The SITE-A side of the tunnel is called VPN-A-TO-B. The System/Network configuration for the VPN-A-TO-B interface lists a local IP of 10.10.10.1, a remote IP of 10.10.10.2 and PING is enabled on the interface.
The SITE-B side of the tunnel is called VPN-B-TO-A. The System/Network configuration for the VPN-B-TO-A interface lists a local IP of 10.10.10.2, a remote IP of 10.10.10.1 and PING is enabled on the interface.
At SITE-A, under Router/Static there is a static route entry added for 192.168.200.0/24 assigned to device VPN-A-TO-B. There is also a static route entry added for 10.10.10.0/30 assigned to device VPN-A-TO-B.
At SITE-B, under Router/Static there is a static route entry added for 192.168.100.0/24 assigned to device VPN-B-TO-A. There is also a static route entry added for 10.10.10.0/30 assigned to device VPN-B-TO-A.
Under Firewall/Address, both SITE-A and SITE-B have the following address entries:
Local-Subnet-100 assigned to 192.168.100.0/24
Local-Subnet-200 assigned to 192.168.200.0/24
VPN-Subnet assigned to 10.10.10.0/30
At SITE-A, the following firewall policies exist:
From internal/ALL to VPN-A-TO-B/ALL service:ANY action:ACCEPT (NAT unchecked)
From VPN-A-TO-B/ALL to internal/ALL service:ANY action:ACCEPT (NAT unchecked)
At SITE-B, the following firewall policies exist:
From internal/ALL to VPN-B-TO-A/ALL service:ANY action:ACCEPT (NAT unchecked)
From VPN-B-TO-A/ALL to internal/ALL service:ANY action:ACCEPT (NAT unchecked)
At this point, a device on the internal network of SITE-A should be able to successfully PING the following:
10.10.10.1, 10.10.10.2, 192.168.200.1, 192.168.200.x (another device on the SITE-B internal network)
At this point, a device on the internal network of SITE-B should be able to successfully PING the following:
10.10.10.2, 10.10.10.1, 192.168.100.1, 192.168.100.x (another device on the SITE-A internal network)
For SSL-VPN web access at SITE-A, create the following firewall policies at the bottom of their respective groups:
From wan1/ALL to internal/Local-Subnet-100 service:ANY action:SSL-VPN (NAT unchecked)
From wan1/ALL to VPN-A-TO-B/Local-Subnet-200 & VPN-Subnet (Multiple) service:ANY action:SSL-VPN (NAT unchecked)
Assign the same SSL user/group to both policies.
Log in to SSL-VPN at SITE-A. You should be able to use the web interface to ping 192.168.100.x, 10.10.10.1, 10.10.10.2, 192.168.200.x, subject to web portal restrictions.
Any of the above firewall policies can (or should) be restricted to appropriate destinations and services.
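As an added illustration of the test case above (example code written for this page, not from the post's author or from Fortinet), here is a small Python model of SITE-A's routes and policies that applies the lookup order a FortiGate uses: a longest-prefix route lookup to choose the egress interface, then a policy match on source interface, destination interface and destination address. It assumes the VPN-A-TO-B interface carries only 10.10.10.1/32 so that the 10.10.10.0/30 static route supplies the path to the far end, models no default route, and treats pings addressed to the unit's own interface IPs as governed only by the interface's PING setting; the 192.168.x.50 hosts are constructed sample addresses.

```python
"""Model of the SITE-A configuration from the test case (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    address: Optional[str] = None   # wan1's address is not given in the post, so None
    ping: bool = True               # "PING is enabled on the interface"

    @property
    def ip(self):
        return ipaddress.ip_interface(self.address).ip if self.address else None

    @property
    def connected(self):
        return ipaddress.ip_interface(self.address).network if self.address else None


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    dstaddr: List[Net]   # empty list means ALL
    action: str          # "ACCEPT" or "SSL-VPN"


class Site:
    def __init__(self, interfaces: List[Interface],
                 static_routes: Dict[str, str], policies: List[Policy]):
        self.interfaces = {i.name: i for i in interfaces}
        # Routing table: connected subnets plus the Router/Static entries
        self.routes: List[Tuple[Net, str]] = [
            (i.connected, i.name) for i in interfaces if i.connected]
        self.routes += [(Net(p), dev) for p, dev in static_routes.items()]
        self.policies = policies

    def egress(self, dst) -> Optional[str]:
        """Longest-prefix match; None when no route covers dst (no default route modeled)."""
        matches = [(n.prefixlen, dev) for n, dev in self.routes if dst in n]
        return max(matches)[1] if matches else None

    def reach(self, srcintf: str, dst_ip: str, action: str = "ACCEPT") -> Tuple[bool, str]:
        """Return (allowed, reason) for traffic entering on srcintf bound for dst_ip."""
        dst = ipaddress.ip_address(dst_ip)
        # Traffic to the unit itself is decided by the interface's PING setting, not policies
        for iface in self.interfaces.values():
            if iface.ip == dst:
                return (iface.ping, f"local interface {iface.name}, ping={'on' if iface.ping else 'off'}")
        dev = self.egress(dst)
        if dev is None:
            return (False, "no route")
        for p in self.policies:
            if (p.srcintf == srcintf and p.dstintf == dev and p.action == action
                    and (not p.dstaddr or any(dst in n for n in p.dstaddr))):
                return (True, f"policy {srcintf}->{dev} {action}")
        return (False, f"no {action} policy {srcintf}->{dev}")


# Firewall/Address entries from the post
LOCAL_SUBNET_100 = Net("192.168.100.0/24")
LOCAL_SUBNET_200 = Net("192.168.200.0/24")
VPN_SUBNET = Net("10.10.10.0/30")

INTERFACES_A = [
    Interface("internal", "192.168.100.1/24"),
    Interface("VPN-A-TO-B", "10.10.10.1/32"),   # assumption: point-to-point, /30 comes from the static route
    Interface("wan1"),                          # SSL-VPN users arrive here
]
STATIC_ROUTES_A = {"192.168.200.0/24": "VPN-A-TO-B", "10.10.10.0/30": "VPN-A-TO-B"}
IPSEC_POLICIES_A = [
    Policy("internal", "VPN-A-TO-B", [], "ACCEPT"),
    Policy("VPN-A-TO-B", "internal", [], "ACCEPT"),
    Policy("wan1", "internal", [LOCAL_SUBNET_100], "SSL-VPN"),
]
SSLVPN_TO_REMOTE_A = Policy("wan1", "VPN-A-TO-B", [LOCAL_SUBNET_200, VPN_SUBNET], "SSL-VPN")

SITE_A = Site(INTERFACES_A, STATIC_ROUTES_A, IPSEC_POLICIES_A + [SSLVPN_TO_REMOTE_A])
# Same site with the second SSL-VPN policy left out, to show what that omission looks like
SITE_A_NO_REMOTE_POLICY = Site(INTERFACES_A, STATIC_ROUTES_A, IPSEC_POLICIES_A)


def ping_matrix(site: Site) -> Dict[str, Tuple[bool, str]]:
    """The pings the post says should succeed from SITE-A's LAN and from the SSL-VPN portal."""
    checks = {
        "internal->10.10.10.1": site.reach("internal", "10.10.10.1"),
        "internal->10.10.10.2": site.reach("internal", "10.10.10.2"),
        "internal->192.168.200.1": site.reach("internal", "192.168.200.1"),
        "sslvpn->192.168.100.50": site.reach("wan1", "192.168.100.50", "SSL-VPN"),
        "sslvpn->10.10.10.2": site.reach("wan1", "10.10.10.2", "SSL-VPN"),
        "sslvpn->192.168.200.50": site.reach("wan1", "192.168.200.50", "SSL-VPN"),
    }
    return checks


if __name__ == "__main__":
    for label, (ok, why) in ping_matrix(SITE_A).items():
        print(f"{label:28} {'OK ' if ok else 'FAIL'}  ({why})")
    print("without remote SSL-VPN policy:",
          SITE_A_NO_REMOTE_POLICY.reach("wan1", "192.168.200.50", "SSL-VPN"))
```

Running the block prints the six pings as OK for the full configuration and shows the last one failing with "no SSL-VPN policy wan1->VPN-A-TO-B" when the second SSL-VPN policy is missing, which is the kind of gap the two-policy instruction above is meant to close.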

Created on 06-16-2010 08:48 AM
So I have followed all the instructions completely. From the SSL VPN at site A, I can reach the internal network and the IP address of the local IPsec interface, but I cannot reach the far-end address or the remote internal address.
The IPsec internal users on both ends can talk and reach every subnet. The issue is just from the SSL VPN. I have a ticket with Fortinet... but they're slow.
