background image

Sonic OS 2.x Quick Start Guide 

8.  For the Remote IKE ID, select 

Sonicwall Identifier and enter the 
serial number of the Pro 4060. 

 

9.  Select the Network Tab. 

10. For the Local Network, choose 

LAN Primary Subnet. This is a 
pre-defined address object for t
LAN interface of the TZ170. 

he 

11. For Destination Networks, select 

the previously defined address 
object for the network located 
behind the Pro 4060 
(192.168.168.0/24) 

12. Select the Proposal tab. 

13. For Exchange, select Aggressive 

Mode. Remember, the TZ170 
receives a dynamic IP address 
from the ISP. 

 

14. Select the rest of the Phase 1 and 

2 proposal settings as required. 
Ensure they match up with the 
settings you’ve made on the Pro 
4060. 

15. Select the Advanced tab. 

16. Check (turn on) the Enable Keep 

Alive option. This will keep the 
tunnel active and will renegotiate 
the tunnel if the WAN IP of the 
TZ170 changes. 

17. Click OK. 

18. You should now be able to 

communicate between the two 
Sonicwalls via the VPN. 

 

 

 

 

 

 

 

 

15

Summary of Contents for OS 2.x

Page 1: ...SonicWALL SonicOS 2 x Enhanced Quick Start Guide Rev 1 1 February 2004 ...

Page 2: ... generation of Sonicwall firmware The example network used throughout this guide is illustrated below 192 168 1 1 24 Default Gateway 192 168 1 1 192 168 168 1 24 Default Gateway 192 168 168 168 SonicWALL PRO 4060 Remote User with Global VPN Client LAN X0 WAN 1 X1 T1 Router IP 208 48 32 1 29 WAN 2 X2 DMZ X3 Public WWW Server 10 0 0 2 24 208 48 32 3 Mail Server 192 168 168 4 24 192 168 168 168 208 4...

Page 3: ... way and to write security rules that apply to all the segments in a Zone without needing to address each physical interface individually In our example we have two interfaces X1 and X2 used for WAN load balancing and failover If we group the two interfaces in the WAN Zone we will only need to write one set of firewall rules that will apply regardless of which interface is active This greatly simp...

Page 4: ... custom zone proceed as follows 1 Select the Zones option under the Network button of the GUI 2 Click the Add button and the Add Zone pop up is displayed 3 Name your Zone as desired 4 Select whether the Zone is Trusted or Public 5 If Content Filtering is desired select the checkbox 6 If AV enforcement is desired select the checkbox 7 If multiple interfaces are assigned to this zone selecting the A...

Page 5: ... as opposed to the DNS servers automatically provided by the PPPoE connection click DNS Servers and enter the values Select th Specify 9 e Ethernet tab NOTE Even though the Sonicwall auto negotiates the Ethernet settings you should make it a 0 Select the Force checkbox and enter the 11 te changes to 12 enter the 13 14 r d habit to force the settings to match the connected network equipment 1 appro...

Page 6: ...ements hosts subnets or ranges users and services Throughout the new Enhanced firmware we will need to define objects and groups in order to create the desired security policy Example 1 We want to write firewall rules to allow mail in to and out from our mail server Instead of just using the mail server s IP address we ll create an Address Object called Mail Server and write our firewall rules usi...

Page 7: ...u will have a list of he following will guide you through the process of crea Define the Objects 1 Select the Addre Network button 2 Click the Add button under Address Objects 3 Enter an applicable name for the obje 4 Select the object type Host Range or Network TE Settin example select the Host type For the VPN select the Network type the Starting and Ending IP addresses 6 Select which Zone the r...

Page 8: ...ocal Pro 4060 LAN for the VPN 192 168 168 0 24 d Remote TZ170 LAN for the VPN 192 168 1 0 24 Define the Group 1 Click the Add Group b under Address Groups Enter a n utton 2 ame for the 3 ress ned p 4 cted to save your That s it Later we ll make use of this group in a rule to block IM access Address Group Select the IM add objects previously defi and click the button to move them into your grou Whe...

Page 9: ...firmware is the istrator ublic access to an SMTP server ss of task with SonicOS Enhanced requires a few more steps First we must ensure at we have a Network Address Object defined that contains the actual IP address of the SMTP Public LAN Server Specifying a Public LAN Server in 6 x firmware automatically took care of everything for the admin behind the scenes NAT service protocol port definition ...

Page 10: ...nslated Service select Original Our mail server is expecting SMTP on port 25 so we leave the service as the original no service translations required 9 For Inbound Interface select X1 the primary WAN 10 For Outbound Interface select ANY 11 Click OK to add the NAT policy Mail Server Firewall Policy This NAT policy will take any TCP packets coming in on the primary WAN interface that are destined fo...

Page 11: ...ver 5 For Source select ANY Allow incoming E Mail from any location NOTE Unlike the 6 x firmware the firewall rule is written for the routable WAN IP address not the private IP address of the Mail Server 6 For Destination select WAN Primary IP All incoming mail is being sent to the IP address assigned to the WAN interface 7 For Users Allowed select all You should not restrict E Mail by using User ...

Page 12: ...ther the built in internal User database of the Sonicwall or via a Radius server Create User s Group s You can use the following steps to create additional Users and Groups for other purposes such as VPN Client access To create a User and associated Group 1 From the GUI select the USERS option and then LOCAL USERS 2 Click the ADD USER button 3 Enter the User s Name and Password Click OK 4 Repeat t...

Page 13: ...owed IMers user group This means that the rule will only apply to users who have first logged in with the appropriate username and password To use IM programs a user would first launch a web browser and point it to the Sonicwall s LAN IP address http 192 168 168 168 or whatever that address may be After supplying the username and password the user will be authenticated and will then have rights to...

Page 14: ...appropriate n for this VPN SA ame equired 5 Secret enter an 6 ect the 7 e 8 oose the t will 10 ect the 192 168 1 0 24 4 For both the IPSec Primary and Secondary Gateways enter 0 0 0 0 The remote TZ170 receives a dynamic IP address from the ISP so an Aggressive Mode IKE is r For Shared appropriate combination of characters and numbers For the Local IKE ID sel Sonicwall Identifier and enter serial n...

Page 15: ...p with the settings you make on the TZ170 We will Advanced Setting for this example g the Enhanced software Define the TZ170 SA as follows 1 Fr option and then click ADD For IPSec Keying Mode sele IKE using Preshared Secret For Name enter an appropria name for this VPN SA For the IPSec Primary Gateway enter 208 48 This is the IP address assigne to the X1 WAN interface of the Pro4060 For the IPS Ga...

Page 16: ...ed behind the Pro 4060 192 168 168 0 24 12 Select the Proposal tab 13 For Exchange select Aggressive Mode Remember the TZ170 receives a dynamic IP address from the ISP 14 Select the rest of the Phase 1 and 2 proposal settings as required Ensure they match up with the settings you ve made on the Pro 4060 15 Select the Advanced tab 16 Check turn on the Enable Keep Alive option This will keep the tun...

Page 17: ...omers will also want to configure Probe Monitoring which adds monitoring at a logical level using either TCP connection requests or ICMP This allows a failure of an upstream device to be detected Active Passive Only the Primary WAN link is active unless a link failure is detected Although the Secondary link is unused except during a failure of the Primary greater redundancy can be achieved for inb...

Page 18: ...t both the Probe Target and the Optional Probe Target are active for the link to be considered UP Both the Probe Target and the Optional Probe Target must have valid entries OR The OR option requires that only one of the probe targets be active for the link to be considered UP The O Probe Target is not required when using the OR logic ptional As you can see you have the option to probe 1 and or 2 ...

Page 19: ...width available on the two WAN links You must specify the percentage of bandwidth for the Primary WAN link and the Sonicwall automatically allocates the remaining percentage to the Secondary link 1 From the GUI select the type of Load Balancing that fits your customer s needs 2 For other than Round Robin enter the appropriate bandwidth amount or spillover percentage 3 Don t forget to click the App...

Page 20: ...inal Again we want the traffic to go to its original destination via its original service protocol 12 For Inbound Interface select ANY or you could select the X0 LAN interface only 13 For Outbound Interface select X2 NAT all outbound traffic to the IP of the X2 Secondary WAN IP 14 Click OK to add the NAT policy With the addition of the new NAT rule any load balanced traffic going out through the X...

Reviews: