Sunteți pe pagina 1din 5

VPN

Typical DMZ setups with FTP, SMTP and DNS Servers

Product
TZ and Pro series running SonicOS Enhanced

Introduction
This tech note provides information on a typical DMZ setup with a SonicWall firewall for FTP, SMTP and DNS servers. First, a DMZ stands for Demilitarized Zone. It is a network segment that is separate from your internal network, where publicly accessible servers reside, (ie: an FTP server). This separation provides an additional layer of security for your internal network. If one of these DMZ servers is compromised, intruders will not be allowed direct access to your internal network as well. To provide segregation from your internal network, the DMZ should be created on an interface of the SonicWall that is different from the one used for your internal LAN. The diagram below illustrates this separation.

SonicWall

DMZ 192.168.10.0/24

LAN 10.247.17.0/24
FTP Server SMTP Server DNS Server

`
User Laptop User Workstation Internal Server

Configuration
Configuring a separate interface on the SonicWall to be used as a DMZ: (TZ series with Enhanced firmware) 1. In the Management UI, click on Network and open the Interfaces page. 2. Click on Configure for the OPT port.

3.

In the Interface OPT Settings window, configure the following. Zone: DMZ IP Assignment: STATIC IP Address: 192.168.10.1 Subnet Mask: 255.255.255.0 Comment: DMZ

4.

Click on Ok.

You have now configured the Opt interface to be your DMZ and can connect devices to that interface on the firewall. Configuring a separate interface on the SonicWall to be used as a DMZ: (Pro series with Enhanced firmware) 1. In the Management UI, click on Network and open the Interfaces page. 2. Click on Configure for X2.

3.

In the Interface X2 Settings window, configure the following. Zone: DMZ IP Assignment: STATIC IP Address: 192.168.10.1 Subnet Mask: 255.255.255.0 Comment: DMZ

4.

Click on Ok.

You have now configured the X2 interface to be your DMZ and can connect devices to that interface on the firewall. Configuring public access for your DMZ servers: The firewall configuration to allow public access to your DMZ servers will depend on the number of public IP addresses you have. If you have enough public IP addresses to designate one public address to each server in your DMZ, then a one to one NAT needs to be created for each DMZ server. If you need help configuring one to one NAT, please reference the following tech notes in the knowledge portal (http://www.sonicwall.com/knowledgeportal). One-to-One Nat examples Using Public Wizard with SonicOS Enhanced

If you do not have enough public IP addresses to designate to each DMZ server, then port forwarding will need to be created for each service that is running on the DMZ servers. If you need help configuring port forwarding, please reference the following tech note in the knowledge portal (http://www.sonicwall.com/knowledgeportal). Port Forwarding with the SonicWALL

Once the NAT or Port Forwarding is created, you will also need to create the corresponding firewall access rule which is also detailed in the above tech notes. Configuring DMZ access to the internal LAN: Sometimes the servers on the DMZ need to access the servers on the internal LAN. For this to happen, access rules need to be created on the firewall. It is recommended to create the rules as specifically as possible, defining the IP address, protocol and port of the internal server that needs to be accessed. The directions below show where to create this access rule. 1. 2. 3. 4. In the Management UI, click on Firewall and open the Access Rules settings page. In the Access Rules matrix, click on from DMZ to LAN. Click on Add. In the Rule Setting window, configure the rule to allow access to the internal server.

5.

Click on OK when finished.

Verification
Once the NAT or Port Forwarding and access rules are configured, you should be able to access the DMZ servers from the Internet via the public IP addresses used in the NAT or Port Forwarding.

Troubleshooting
Troubleshooting hints on NAT or Port Forwarding are also detailed in the tech notes listed above.

Related Documents
For more information, refer to the following SonicWALL Technotes on www.sonicwall.com/support/documentation: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. SonicOS Enhanced: Using a Secondary Public IP Range for NAT SonicOS Enhanced: Configuring the SonicWALL DHCP for GVC Configuring the SonicWALL DHCP for GVC Configuring Port Forwarding with the SonicWALL Terminating the WAN GroupVPN and Using VPN Access in SonicOS Enhanced Terminating the WAN GroupVPN to the LAN/DMZ using SonicOS Standard

Using the SonicOS Enhanced Wizard To Configure a Public Server


Common Issues with GVC Network Browsing with IP Helper NetBIOS Relay Creating One-to-One NAT Policies in SonicOS Enhanced SonicOS Enhanced: Three Types of Network Modes

Document Last Updated: 11/06/06