Secure Mobile Access 100 10.2 Deployment Planning Guide

Connecting the SMA on a New DMZ > Allowing an SMA to LAN Connection
Table of Contents

Allowing an SMA to LAN Connection

When users have connected to the SMA, they need to be able to connect to resources on the LAN.

To allow an SMA to LAN connection

  1. Using SonicOS, navigate to the OBJECT | Match Objects > Addresses page on the gateway appliance.
  2. In the Address Objects tab, click +Add.

  3. In the Address Object Settings dialog box, create an address object for the X0 interface IP address of your SMA appliance:

    Name Name of the SMA appliance
    Zone Assignment SMA
    Type Host
    IP Address SMA appliance X0 IP address (default 192.168.200.1)

  4. Click Save to create the object. Once done, click Close.
  5. Click Add again to create an address object for the NetExtender range.

  6. In the Add Address Object dialog box, create an address object for the NetExtender range:

    Name Name for NetExtender range
    Zone Assignment SMA
    Type Range
    Starting IP Address Start of the NetExtender IP address range (default 192.168.200.100)
    Ending IP Address End of the NetExtender IP address range (default 192.168.200.200)
  1. Click Save to create the object. Once added, click Close.
  2. On the OBJECT | Match Objects > Addresses page, click the Address Groups tab.
  3. Click +Add.

  4. In the Add Address Groups dialog box, create a group for the X0 interface IP address of your SMA appliance and the NetExtender IP range:

    • Enter a name for the group.
    • In the left column, select the address objects you created and click the right arrow button.

    • Click Save to create the group when both objects are in the right column.

  5. Navigate to the POLICY | Rules and Policies > Access Rules page, and select the Matrix view style.

  6. Click the SMA > LAN icon.

  7. On the page that displays for SMA to LAN, click +Add.

  8. In the Add Rule window, create a rule to allow access to the LAN for the address group you just created:

    Source Zone/Interface SMA
    Source Destination LAN
    Source Port Any
    Service Any
    Source The address group you just created, such as SMA and NetExtender.
    Destination Any
    Users Allowed All
    Users Excluded None
    Schedule Always on
    Select the following check box(es)
    • Enable Logging
    • Allow Fragmented Packets
  9. Click OK to create the rule.

This completes Scenario A.

Some gateway appliances have a default zone named SSLVPN. Do not select this zone when configuring for the SMA appliance. The SSLVPN zone is intended for use with the more limited SSLVPN features that are included in the firewall products.

Continue to Additional Configuration and Testing and Troubleshooting Your Remote Connection.