Secure Mobile Access 10.2 Deployment Guide

Allowing DMZ to LAN Connection

When users have connected to the SMA, they need to be able to connect to resources on the LAN.

To allow a DMZ to LAN connection

  1. Using SonicOS, navigate to the OBJECT | Match Objects > Addresses page on the gateway appliance.
  2. In the Address Objects tab, click +Add.
  3. In the Address Object Settings dialog box, create an address object for the X0 interface IP address of your SMA appliance:

    Name: Name of the SMA appliance
    Zone Assignment: DMZ
    Type: Host
    IP Address: X0 IP address of the SMA appliance within your DMZ range, such as 10.1.1.10.
  4. Click OK to create the object. Once added, click Close.
  5. Click +Add again to create an address object for the NetExtender range.
  6. In the Add Object dialog box, create an address object for the NetExtender range using the following options, then click Add:

    Name: Name for NetExtender
    Zone Assignment: DMZ
    Type: Range
    Starting IP Address: Start of the NetExtender IP address range within your DMZ range, such as 10.1.1.220.
    Ending IP Address: End of the NetExtender IP address range within your DMZ range, for example 10.1.1.249.

  1. On the OBJECT | Match Objects > Addresses page, click the Address Groups tab.
  2. Click +Add.
  3. In the Add Address Groups dialog box, create a group for the X0 interface IP address of your SMA appliance and the NetExtender IP range:

    • Enter a name for the group.
    • In the left column, select the address objects you created and click the right arrow button.
    • Click Save to create the group when both objects are in the right column.

  4. Navigate to the POLICY | Rules and Policies > Access Rules page, and select the Matrix view style.
  5. Click the DMZ > LAN icon.
  6. On the page that displays for SMA to LAN, click +Add.
  7. In the Add Rule window, create a rule to allow access to the LAN for the address group you just created:

    Source Zone/Interface: SMA
    Destination Zone/Interface: LAN
    Source Port: Any
    Service: Any
    Source: The address group you just created, such as SMA and NetExtender.
    Destination: Any
    Users Allowed: All
    Users Excluded: None
    Schedule: Always on
    Select the following check boxes:
    • Enable Logging
    • Allow Fragmented Packets
  8. Click OK to create the rule.

This completes Scenario B.

Some gateway appliances have a default zone named SSLVPN. Do not select this zone when configuring for the SMA appliance. The SSLVPN zone is intended for use with the more limited SSLVPN features that are included in the firewall products.
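The objects and rule above are entered by hand in the SonicOS GUI, so it is easy to end up with a NetExtender range that strays outside the DMZ subnet, overlaps the X0 address, or a rule whose source was left at Any or whose zone was set to the reserved SSLVPN zone. The following script is an added pre-deployment check, not SonicWall code and not a SonicOS API: it models the two address objects, the address group and the access rule as plain dictionaries (field names, object names and the DMZ subnet are assumptions; the IP values are the guide's own sample addresses) and reports the mistakes a reviewer would want caught before the rule is committed. The weak rule beside the guide's rule shows what the checks reject.

```python
import ipaddress

# Constructed sample values that mirror the guide's example addresses.
DMZ_SUBNET = "10.1.1.0/24"   # assumed DMZ network; adjust to your deployment

SMA_X0 = {"name": "SMA-X0", "zone": "DMZ", "type": "Host",
          "start": "10.1.1.10", "end": "10.1.1.10"}
NETEXTENDER = {"name": "NetExtender-Range", "zone": "DMZ", "type": "Range",
               "start": "10.1.1.220", "end": "10.1.1.249"}
GROUP = {"name": "SMA and NetExtender", "members": [SMA_X0, NETEXTENDER]}

# The rule as the guide specifies it, and a looser variant a reviewer should
# reject: source opened to Any, source zone set to the reserved SSLVPN zone,
# logging left off.
GOOD_RULE = {"source_zone": "SMA", "destination_zone": "LAN",
             "source": GROUP["name"], "destination": "Any",
             "service": "Any", "logging": True}
WEAK_RULE = {"source_zone": "SSLVPN", "destination_zone": "LAN",
             "source": "Any", "destination": "Any",
             "service": "Any", "logging": False}


def interval(obj):
    """Return the inclusive (first, last) integer range an address object covers."""
    first = int(ipaddress.ip_address(obj["start"]))
    last = int(ipaddress.ip_address(obj["end"]))
    if obj["type"] == "Host" and first != last:
        raise ValueError(f"{obj['name']}: a Host object holds exactly one address")
    if last < first:
        raise ValueError(f"{obj['name']}: range end precedes range start")
    return first, last


def check_objects(dmz_subnet, objects):
    """Check that every object is in the DMZ zone and subnet and that none overlap."""
    net = ipaddress.ip_network(dmz_subnet)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    problems, seen = [], []
    for obj in objects:
        first, last = interval(obj)
        if obj["zone"] != "DMZ":
            problems.append(f"{obj['name']}: zone is {obj['zone']}, expected DMZ")
        if first < lo or last > hi:
            problems.append(f"{obj['name']}: addresses fall outside {dmz_subnet}")
        for other, (f2, l2) in seen:
            if first <= l2 and f2 <= last:      # inclusive intervals intersect
                problems.append(f"{obj['name']} overlaps {other}")
        seen.append((obj["name"], (first, last)))
    return problems


def check_rule(rule, group):
    """Check the DMZ-to-LAN rule is scoped the way the guide intends."""
    problems = []
    if rule["source_zone"].upper() == "SSLVPN":
        problems.append("source zone SSLVPN is reserved for the firewall's own SSL VPN feature")
    if rule["destination_zone"] != "LAN":
        problems.append(f"destination zone is {rule['destination_zone']}, expected LAN")
    if rule["source"] != group["name"]:
        problems.append(f"source is {rule['source']!r}; it should be the group {group['name']!r}")
    if not rule["logging"]:
        problems.append("Enable Logging is not set")
    return problems


if __name__ == "__main__":
    for label, rule in (("guide rule", GOOD_RULE), ("weak rule", WEAK_RULE)):
        found = check_objects(DMZ_SUBNET, GROUP["members"]) + check_rule(rule, GROUP)
        print(f"{label}: {'OK' if not found else found}")
```

Run it as-is and the guide's rule passes cleanly while the weak rule produces three findings; change DMZ_SUBNET or the range endpoints to your own values to check a real plan before touching the gateway.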

Continue to Additional Configuration and Testing and Troubleshooting Your Remote Connection.
