Branch Office VPN with WAN Accelerator

Products: WXC WAN Accelerator any model & SSG Firewall any Model
Version:  Tested with ScreenOS 6.1 & 6.2 & WXC 5.7

Network Topology:

Network diagram:

SSG5 is the sample design

eth0/0 – WAN
eth0/1 – WXC Remote
eth0/2 – WXC Local
bgroup0 – layer 2 local LAN ports eth0/2-0/6


The WXC WAN Accelerator product can operate in-line or off-path mode.  The in-line mode is simplest to setup where all traffic from the site passes through the device.  Acceleration tunnels are created between the branch office device and the data center device.

This in-line deploy on a branch firewall requires that all ports for the branch LAN be on the local port side of the WXC device.  Generally this means only one port on the firewall will be used for the remote connection of the WXC and all local devices are then connected to switch(es) on the local interface side of the WXC.

This design uses the ScreenOS ability to group interfaces at layer 2 (a bgroup) so that all remaining firewall ports sit on the local connection of the WXC.  Thus all firewall ports are usable again.  It also prevents a local computer or network device from being accidentally connected on the wrong side of the WXC, which would exclude it from the WXC acceleration tunnel.

This configuration allows an IPSEC VPN site then to participate in the WXC mesh while preserving the use of all available ethernet ports on the firewall.

When configuring interfaces on a WXC mesh be sure to select fixed speed and duplex whenever possible.  For the SSG series this will be 100 full on the connected interfaces.  This avoids the throughput problems that occur when auto-negotiation falls back to half-duplex.

SSG configuration steps
•     Remove ip address and convert bgroup0 to layer 2 mode
unset interface bgroup0 ip
•     Set fixed link speed and duplex to 100 full on local port eth0/2
set interface eth0/2 phy full 100mb
•     Configure eth0/1 with LAN ip address (substitute the site's address and prefix length)
set interface eth0/1 ip <LAN-ip-address>/<prefix-length>
•     Configure trust zone on eth0/1
set interface eth0/1 zone trust
•     Configure management options for eth0/1
set interface eth0/1 manage ssl
set interface eth0/1 manage ssh
set interface eth0/1 manage telnet
set interface eth0/1 manage web
•     Set fixed link speed and duplex to 100 full on remote port eth0/1
set interface eth0/1 phy full 100mb
•     Configure normal WAN & VPN settings on firewall for the site

WXC Configuration steps
•     Configure link speed and duplex to 100 full on remote & local ports
config interface set speed-duplex local 100-full
config interface set speed-duplex remote 100-full
•     Configure ip information for local LAN (substitute the site's values)
config ip set ip-address <WXC-ip-address>
config ip set default-gateway <gateway-ip-address>
config ip set subnet-mask <subnet-mask>
•     Configure matching policy load for the WXC mesh for your network


SSG Interface checks
Verify the speed/duplex, ip address and zone assignment of the interface.

get interface eth0/1
Interface ethernet0/1:
description ethernet0/1
number 5, if_info 440, if_index 0, mode nat
link up, phy-link up/full-duplex
status change:3, last change:10/24/2001 21:00:20
vsys Root, zone Trust, vr trust-vr 

WXC Interface checks
On the CLI:

show interface
Settings for local interface
Link state: up
Speed/duplex: 100-full
Hardware address: 00:30:48:9c:56:28
Media type: copper
Settings for remote interface
Link state: up
Speed/duplex: 100-full
Hardware address: 00:30:48:9c:56:29
Media type: copper
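The two outputs above are the facts that decide whether the deployment will accelerate traffic at all: a half-duplex fallback or a port landed in the wrong zone is easy to miss by eye across many branches.  The following script is an added example, not part of this note or of Juniper's tools.  It parses the ScreenOS "get interface" and WXOS "show interface" output in the exact layout shown above (the sample text is copied from the note; the line formats are assumed to be stable) and reports any interface that is down, not full duplex, not 100-full, or not in the expected zone.

```python
import re

# Constructed sample text, copied from the check output shown in the note
# (the MAC addresses and timestamp are the note's sample values).
SSG_GET_INTERFACE = """\
Interface ethernet0/1:
description ethernet0/1
number 5, if_info 440, if_index 0, mode nat
link up, phy-link up/full-duplex
status change:3, last change:10/24/2001 21:00:20
vsys Root, zone Trust, vr trust-vr
"""

WXC_SHOW_INTERFACE = """\
Settings for local interface
Link state: up
Speed/duplex: 100-full
Hardware address: 00:30:48:9c:56:28
Media type: copper
Settings for remote interface
Link state: up
Speed/duplex: 100-full
Hardware address: 00:30:48:9c:56:29
Media type: copper
"""


def parse_ssg_interface(text):
    """Extract name, link state, duplex and zone from ScreenOS 'get interface' output."""
    info = {}
    m = re.search(r"^Interface (\S+):", text, re.M)
    if m:
        info["name"] = m.group(1)
    # "link up, phy-link up/full-duplex" -> link, phy_link, duplex
    m = re.search(r"^link (\w+), phy-link (\w+)/(\S+)", text, re.M)
    if m:
        info["link"], info["phy_link"], info["duplex"] = m.groups()
    m = re.search(r"\bzone (\w+)", text)
    if m:
        info["zone"] = m.group(1)
    return info


def parse_wxc_interfaces(text):
    """Split WXOS 'show interface' output into one dict per interface (local/remote)."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Settings for (\w+) interface", line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if current is not None and ":" in line:
            # split on the first colon only; MAC addresses contain colons
            key, _, value = line.partition(":")
            interfaces[current][key.strip().lower()] = value.strip()
    return interfaces


def check_deployment(ssg_text, wxc_text, expected_zone="Trust", expected_speed="100-full"):
    """Return a list of mismatches against the design; an empty list means all checks pass."""
    problems = []
    ssg = parse_ssg_interface(ssg_text)
    name = ssg.get("name", "?")
    if ssg.get("link") != "up" or ssg.get("phy_link") != "up":
        problems.append("SSG %s: link is not up" % name)
    if ssg.get("duplex") != "full-duplex":
        problems.append("SSG %s: not full duplex (%s)" % (name, ssg.get("duplex")))
    if ssg.get("zone") != expected_zone:
        problems.append("SSG %s: zone %s, expected %s" % (name, ssg.get("zone"), expected_zone))

    wxc = parse_wxc_interfaces(wxc_text)
    for side in ("local", "remote"):
        settings = wxc.get(side)
        if settings is None:
            problems.append("WXC %s: interface missing from output" % side)
            continue
        if settings.get("link state") != "up":
            problems.append("WXC %s: link state %s" % (side, settings.get("link state")))
        if settings.get("speed/duplex") != expected_speed:
            problems.append("WXC %s: speed/duplex %s, expected %s"
                            % (side, settings.get("speed/duplex"), expected_speed))
    return problems


if __name__ == "__main__":
    for line in check_deployment(SSG_GET_INTERFACE, WXC_SHOW_INTERFACE) or ["all interface checks passed"]:
        print(line)
```

Paste the real output of both commands into the two strings (or read them from files) and run the script after each site is cabled; any line it prints points at the interface and setting to revisit before testing the acceleration tunnel.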

Log into the web interface on the WXC

Menu: Device Setup – Interfaces
“Test Settings” button
Select “remote” and enter the ip address of SSG eth0/1.
The interface test will confirm the remote port is correctly connected to eth0/1 on the firewall
Repeat with an ip address active on the LAN for the “local” port.


ScreenOS Concepts & Examples Guides
Volume 2: Fundamentals – Chapter 3 Interfaces

WXOS 5.7 Operator’s Guide
Chapter 3 – Configuring Interface Settings

Originally Posted October 16, 2010
Last Revised on November 27, 2010