Embed Size (px)
Citation preview
How to: Setup a VPN tunnel and use it as default route for all (Internet)-traffic
Prepared by SonicWALL, Inc. 11/25/2003
Setup: The SonicWALL TZ170 routes all traffic into a VPN tunnel terminating at a Pro4060. The Pro4060 routes the traffic as needed to its destination. Until now, it was not possible to route traffic returning to a VPN tunnel from the Internet via the same gateway. Before, it was necessary to use a second gateway, but with the introduction of SonicOS Enhanced 2.0, this is no longer the case. This document demonstrates the configuration of this particular scenario.
PRO 4060
Laptop
TZ 170
Laptop
VPN
Internet
Configuring a VPN Tunnel Between Two SonicWALL Appliances Step 1 (Optional) - TZ170: Change the Unique Firewall Identifier (UFI). Step 2 - Add a new SA or edit an existing VPN configuration.
Step 3 - TZ170: Configure the destination network to “Use this VPN Tunnel as default route…”
Step 4 - TZ170: Configure the Proposals and Advanced tabs as needed.
Configuring the Pro4060 with SonicOS Enhanced 2.0.0.3 Step 1 - Configure your Network Interfaces and assign each interface a Zone. Step 2 - Create the Network Objects. In this example, a remote network on the TZ 170 local LAN was created, and it is accessible through a VPN tunnel.
Step 3 (Optional) - Change your UFI. Step 4 - Add a new SA or edit an existing VPN configuration.
Be sure the tunnel becomes active, status green, after completing the VPN tunnel configuration. Step 5 – Click the Notepad icon to continue VPN tunnel configuration.
Step 6 - On the Network tab, select Any address under Local Networks. Under Destination Networks, select Choose destination network from list, and select the network object (the remote network behind the TZ170) from the list.
Step 7 - Configure the Proposals and Advanced tabs as needed to match the TZ170 settings.
Step 8 – Click OK to add the changes to the SonicWALL.
Step 7 – Click Firewall.
Step 9 - Configure the appropriate Access Rules to all destinations. Be sure to only give access to needed destinations and services. Do not use the Any/Allow as it appears in this example!
Step 10 - Finally, create a NAT rule that maps traffic coming from the TZ170 local network and goes back to the Internet and to the public WAN IP.
Configuration is now complete.
