VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

03/26/2020 5 People found this article helpful 197,937 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

Resolution

Feature/Application:

SonicOS Enhanced 2.x, 3.x, 4.x and 5.x

Single-Arm mode enables the connection of only a SonicWall appliance's WAN interface to a network for the purpose of providing VPN capabilities. Traffic arrives inbound on the WAN interface, gets encrypted according to the appropriate VPN Security Association and sent out the same interface. This feature is especially useful for scenarios which require VPN functionality from a device that is non-intrusive, simply sitting on a subnet outside the firewall or on an isolated interface or subnet without any additional bridging, packet inspection or routing. This also allows the user to offload VPN functionality to a separate firewall to remove the burden of encryption/decryption from the Internet access firewall.

Procedure:

Configuring one-way VPN for SonicOS Enhanced:

NOTE: This feature only works if the SonicWall is in transparent mode.

NOTE: TZ 170W and TZ 170 SPW wireless appliances do not support transparent mode when running SonicOS Standard firmware. It is supported on TZ 170 wireless appliances running SonicOS Enhanced.

Before trying to configure a one-way VPN, set up a VPN in the standard configuration as given in the SonicOS Enhanced Administrator's Guide. Once the VPN is up and running and you can confirm that it is working, configure the one-way VPN as follows:

On the SonicWall whose LAN you want to deny access to over VPN:

1. Select: Firewall --> Access rules
2. Under View style, check the matrix radio button
3. Select the configure icon for VPN to LAN
4. Click “Add” to add an Access Rule. The Add rule window will appear.
5. Under Action, select the “Deny” radio button
6. Under Service, select Any
7. Under Source, select the address object of the remote network behind the other SonicWall that you have created when establishing the VPN tunnel
8. Under Destination, select Any
9. Click OK to save the configuration

Now the network behind the other SonicWall will not be able to access the network behind the SonicWall where the deny rule is applied.

Related Articles

• Bandwidth usage and tracking in SonicWall
• How to force an update of the Security Services Signatures from the Firewall GUI
• Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Categories

• Firewalls > TZ Series
• Firewalls > SonicWall SuperMassive E10000 Series
• Firewalls > SonicWall SuperMassive 9000 Series
• Firewalls > SonicWall NSA Series