VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced
03/26/2020 5 13352
DESCRIPTION: VPN: Configuring One-Way VPN (Single-Arm Mode) in SonicOS Enhanced
SonicOS Enhanced 2.x, 3.x, 4.x and 5.x
Single-Arm mode enables the connection of only a SonicWall appliance's WAN interface to a network for the purpose of providing VPN capabilities. Traffic arrives inbound on the WAN interface, gets encrypted according to the appropriate VPN Security Association and sent out the same interface. This feature is especially useful for scenarios which require VPN functionality from a device that is non-intrusive, simply sitting on a subnet outside the firewall or on an isolated interface or subnet without any additional bridging, packet inspection or routing. This also allows the user to offload VPN functionality to a separate firewall to remove the burden of encryption/decryption from the Internet access firewall.
Configuring one-way VPN for SonicOS Enhanced:
NOTE: This feature only works if the SonicWall is in transparent mode.
NOTE: TZ 170W and TZ 170 SPW wireless appliances do not support transparent mode when running SonicOS Standard firmware. It is supported on TZ 170 wireless appliances running SonicOS Enhanced.
Before trying to configure a one-way VPN, set up a VPN in the standard configuration as given in the SonicOS Enhanced Administrator's Guide. Once the VPN is up and running and you can confirm that it is working, configure the one-way VPN as follows:
On the SonicWall whose LAN you want to deny access to over VPN:
Select: Firewall --> Access rules
Under View style, check the matrix radio button
Select the configure icon for VPN to LAN
Click “Add” to add an Access Rule. The Add rule window will appear.
Under Action, select the “Deny” radio button
Under Service, select Any
Under Source, select the address object of the remote network behind the other SonicWall that you have created when establishing the VPN tunnel
Under Destination, select Any
Click OK to save the configuration
Now the network behind the other SonicWall will not be able to access the network behind the SonicWall where the deny rule is applied.