VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

Description

VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

Resolution

Feature/Application:

SonicOS Enhanced 2.x, 3.x, 4.x and 5.x

Single-Arm mode lets you connect only the WAN interface of a SonicWall appliance to a network in order to provide VPN capabilities. Traffic arrives inbound on the WAN interface, is encrypted according to the appropriate VPN Security Association, and is sent back out the same interface. This is especially useful in scenarios that require VPN functionality from a non-intrusive device: one that simply sits on a subnet outside the firewall, or on an isolated interface or subnet, without any additional bridging, packet inspection or routing. It also allows the user to offload VPN functionality to a separate firewall, removing the burden of encryption/decryption from the Internet access firewall.

Procedure:

Configuring one-way VPN for SonicOS Enhanced:

NOTE: This feature only works if the SonicWall is in transparent mode.

NOTE: TZ 170W and TZ 170 SPW wireless appliances do not support transparent mode when running SonicOS Standard firmware. It is supported on TZ 170 wireless appliances running SonicOS Enhanced.

Before trying to configure a one-way VPN, set up a VPN in the standard configuration as described in the SonicOS Enhanced Administrator's Guide. Once the VPN is up and running and you have confirmed that it is working, configure the one-way VPN as follows:

On the SonicWall whose LAN you want to deny access to over VPN:

  1. Select Firewall > Access Rules
  2. Under View Style, select the Matrix radio button
  3. Select the configure icon for VPN to LAN
  4. Click “Add” to add an Access Rule. The Add Rule window will appear.
  5. Under Action, select the “Deny” radio button
  6. Under Service, select Any
  7. Under Source, select the address object for the remote network behind the other SonicWall, which you created when establishing the VPN tunnel
  8. Under Destination, select Any
  9. Click OK to save the configuration

Now the network behind the other SonicWall will not be able to access the network behind the SonicWall where the deny rule is applied.
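The following is an added example, not SonicWall code: a small Python model of the VPN to LAN deny rule from the procedure above, showing why the result is one-way rather than a full block. It assumes stateful, first-match rule evaluation and a pre-existing allow rule in each direction from the working VPN; the addresses, the `Firewall` class and the rule-table layout are constructed for illustration.

```python
import ipaddress

# Constructed sample network (not from the article): the address object
# for the remote network behind the other SonicWall.
REMOTE_NET = ipaddress.ip_network("10.20.0.0/24")

# Zone-pair rule tables, highest priority first: (action, source network or None for Any).
RULES = {
    # Deny rule from the procedure, placed above the assumed pre-existing allow.
    ("VPN", "LAN"): [("deny", REMOTE_NET), ("allow", None)],
    ("LAN", "VPN"): [("allow", None)],
}


class Firewall:
    """Hypothetical model of a stateful, zone-based firewall."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # allowed flows: (initiator, responder, port)

    def _first_match(self, zones, src):
        for action, net in self.rules.get(zones, []):
            if net is None or ipaddress.ip_address(src) in net:
                return action
        return "deny"  # nothing matched

    def new_connection(self, from_zone, to_zone, src, dst, port):
        """Evaluate the first packet of a flow against the zone-pair rules."""
        action = self._first_match((from_zone, to_zone), src)
        if action == "allow":
            self.connections.add((src, dst, port))
        return action

    def reply(self, src, dst, port):
        """A reply passes only if it belongs to a flow that was allowed."""
        return "allow" if (dst, src, port) in self.connections else "deny"


def demo(rules=RULES):
    fw = Firewall(rules)
    return {
        "remote_to_lan": fw.new_connection("VPN", "LAN", "10.20.0.5", "192.168.10.8", 445),
        "lan_to_remote": fw.new_connection("LAN", "VPN", "192.168.10.8", "10.20.0.5", 443),
        "reply_to_lan": fw.reply("10.20.0.5", "192.168.10.8", 443),
        "unsolicited_reply": fw.reply("10.20.0.5", "192.168.10.8", 22),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In this model, listing the allow entry above the deny entry for VPN to LAN makes `remote_to_lan` return `allow`, so after saving the rule it is worth confirming that the deny rule sits above any existing allow rule for the same source.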
