VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

03/26/2020 5 13352

DESCRIPTION:
VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced

RESOLUTION:

Feature/Application:

SonicOS Enhanced 2.x, 3.x, 4.x and 5.x

Single-Arm mode enables the connection of only a SonicWall appliance's WAN interface to a network for the purpose of providing VPN capabilities. Traffic arrives inbound on the WAN interface, gets encrypted according to the appropriate VPN Security Association and sent out the same interface. This feature is especially useful for scenarios which require VPN functionality from a device that is non-intrusive, simply sitting on a subnet outside the firewall or on an isolated interface or subnet without any additional bridging, packet inspection or routing. This also allows the user to offload VPN functionality to a separate firewall to remove the burden of encryption/decryption from the Internet access firewall.

Procedure:

Configuring one-way VPN for SonicOS Enhanced:

NOTE: This feature only works if the SonicWall is in transparent mode.

NOTE: TZ 170W and TZ 170 SPW wireless appliances do not support transparent mode when running SonicOS Standard firmware. It is supported on TZ 170 wireless appliances running SonicOS Enhanced.

Before trying to configure a one-way VPN, set up a VPN in the standard configuration as given in the SonicOS Enhanced Administrator's Guide. Once the VPN is up and running and you can confirm that it is working, configure the one-way VPN as follows:

On the SonicWall whose LAN you want to deny access to over VPN:

1. Select: Firewall --> Access rules
2. Under View style, check the matrix radio button
3. Select the configure icon for VPN to LAN
4. Click “Add” to add an Access Rule. The Add rule window will appear.
5. Under Action, select the “Deny” radio button
6. Under Service, select Any
7. Under Source, select the address object of the remote network behind the other SonicWall that you have created when establishing the VPN tunnel
8. Under Destination, select Any
9. Click OK to save the configuration

Now the network behind the other SonicWall will not be able to access the network behind the SonicWall where the deny rule is applied.