Secure Mobile Access 100 10.2 Deployment Planning Guide

Allowing DMZ to LAN Connection

When users have connected to the SMA, they need to be able to connect to resources on the LAN.

To allow a DMZ to LAN connection

  1. Using SonicOS, navigate to the OBJECT | Match Objects > Addresses page on the gateway appliance.
  2. In the Address Objects tab, click +Add.
  3. In the Address Object Settings dialog box, create an address object for the X0 interface IP address of your SMA appliance:

    Name: Name of the SMA appliance
    Zone Assignment: DMZ
    Type: Host
    IP Address: X0 IP address of the SMA appliance within your DMZ range, such as 10.1.1.10.
  4. Click OK to create the object. Once added, click Close.
  5. Click +Add again to create an address object for the NetExtender range.
  6. In the Add Object dialog box, create an address object for the NetExtender range using the following options, then click Add:

    Name: Name for NetExtender
    Zone Assignment: DMZ
    Type: Range
    Starting IP address: Start of the NetExtender IP address range within your DMZ range, such as 10.1.1.220.
    Ending IP address: End of the NetExtender IP address range within your DMZ range, for example 10.1.1.249.

  1. On the OBJECT | Match Objects > Addresses page, click the Address Groups tab.
  2. Click +Add.
  3. In the Add Address Groups dialog box, create a group for the X0 interface IP address of your SMA appliance and the NetExtender IP range:

    • Enter a name for the group.
    • In the left column, select the address objects you created and click the right arrow button.
    • Click Save to create the group when both objects are in the right column.

  4. Navigate to the POLICY | Rules and Policies > Access Rules page, and select the Matrix view style.
  5. Click the DMZ > LAN icon.

  6. On the page that displays for SMA to LAN, click +Add.
  7. In the Add Rule window, create a rule to allow access to the LAN for the address group you just created:

    Source Zone/Interface: SMA
    Source Destination: LAN
    Source Port: Any
    Service: Any
    Source: The address group you just created, such as SMA and NetExtender.
    Destination: Any
    Users Allowed: All
    Users Excluded: None
    Schedule: Always on
    Select the following check boxes:
    • Enable Logging
    • Allow Fragmented Packets
  8. Click OK to create the rule.

This completes Scenario B.

Some gateway appliances have a default zone named SSLVPN. Do not select this zone when configuring for the SMA appliance. The SSLVPN zone is intended for use with the more limited SSLVPN features that are included in the firewall products.
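
As a pre-flight check for the address objects and the DMZ > LAN rule above, this added Python example (not SonicWall code, and it does not talk to SonicOS) validates the planned values and shows which DMZ source addresses the rule's Source group covers. The 10.1.1.0/24 DMZ subnet and the function names are assumptions; the host and range values are the guide's examples.

```python
import ipaddress

# Assumption: the DMZ subnet is 10.1.1.0/24. The guide gives only example
# addresses inside the DMZ range; the host and range below are those examples.
DMZ_SUBNET = ipaddress.ip_network("10.1.1.0/24")
SMA_X0 = ipaddress.ip_address("10.1.1.10")
NX_START = ipaddress.ip_address("10.1.1.220")
NX_END = ipaddress.ip_address("10.1.1.249")


def validate_objects(subnet, sma_host, nx_start, nx_end):
    """Return a list of problems with the planned address objects."""
    problems = []
    if nx_start > nx_end:
        problems.append("NetExtender range start is after its end")
    checks = (("SMA X0", sma_host), ("range start", nx_start), ("range end", nx_end))
    for label, addr in checks:
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if nx_start <= sma_host <= nx_end:
        problems.append("SMA X0 address falls inside the NetExtender range")
    return problems


def group_cidrs(sma_host, nx_start, nx_end):
    """Express the address group (host object + range object) as CIDR blocks."""
    nets = [ipaddress.ip_network(f"{sma_host}/32")]
    nets += ipaddress.summarize_address_range(nx_start, nx_end)
    return list(ipaddress.collapse_addresses(nets))


def rule_allows(src, cidrs):
    """True if a DMZ source address is inside the rule's Source address group."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in cidrs)


if __name__ == "__main__":
    print(validate_objects(DMZ_SUBNET, SMA_X0, NX_START, NX_END) or "objects OK")
    cidrs = group_cidrs(SMA_X0, NX_START, NX_END)
    print("group covers:", [str(n) for n in cidrs])
    # Constructed sample sources: two inside the group, two other DMZ hosts.
    for src in ("10.1.1.10", "10.1.1.230", "10.1.1.50", "10.1.1.250"):
        print(src, "allowed" if rule_allows(src, cidrs) else "not matched by this rule")
```

Other DMZ hosts such as 10.1.1.50 do not match the rule because its Source is the address group rather than the whole zone; the CIDR list is also useful when filtering the rule's log entries by source.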

Continue to Additional Configuration and Testing and Troubleshooting Your Remote Connection.
