May 13th, 2004, 11:48 AM
Firewall frustrations
Ah the joys of computers. Where to begin....
I'm running a SonicWall PRO 200 firewall at my corporate office. This firewall connects via VPN to several branch offices around the country. The branch offices are also using SonicWall firewalls (SOHO2, SOHO3, or an older model WebRamp 700s). The way the VPNs connect treats the connection as part of the LAN. This means that each branch can access all systems and servers at corporate. Security is in place, but I'd rather not even let them get to that level. The SonicWalls have an option to "Enable NAT and Firewall Rules" for each VPN. This essentially terminates the VPN at the WAN port rather than the LAN port. All rules are applied to the connection, and it could then be restricted.
Sounds easy.... oh hell no.
The SonicWall has a default rule, which is uneditable and cannot be turned off, that denies ALL access from the WAN to the LAN. Hmmmmmm. Ok. So I add a simple rule to my firewall to test with:
Allow - Ping - From: x.x.x.1 - x.x.x.254 (WAN) To: y.y.y.123 (LAN)
IPs have been changed to protect the innocent and the ignorant.
Seems like it would work. Nope. Logs show a connection dropped due to Rule 0 (the default deny everything). Ok, so I try to ease up on the restrictions:
Allow - Default (everything) - From: x.x.x.1 - x.x.x.254 (WAN) To: y.y.y.1 - y.y.y.254 (LAN)
Connection dropped. Rule 0. Ok. Step back, take a breath, drink a beer.
So I hop onto SonicWall's site and try to find some answers. The knowledge base tells me all about Rule 0 and how the only way to bypass it is to set up a public service on the firewall, such as a designated web server associated with an IP, and check a box marked LAN In for that service. So I scratch my head a little trying to figure out why I not only have to add a rule to allow the access, but enable this as a service on the device too. But never mind that! I've got the answer now! Log onto the firewall, hit the Services tab and what to my wondering eyes should appear..... sure as hell not the LAN In checkboxes I was expecting. Time for another beer or three. Now I'm off to SonicWall's support site again to find out about LAN In. Lo and behold, the LAN In checkboxes are only there if you are not using NAT. Screwed.
I'm still discussing with the CEO about reinstating our support contract with SonicWall, but they are trying to say we need to purchase contracts for each year since the last contract expired. Ok. So you want us to give you money for support in 2002 and 2003 that we never used and obviously never can use?
So now that the rant..er... explanation, is out of the way, here's what I'm looking for:
To set up a VPN between two SonicWall firewalls, PRO 200 on one side, the other could be varying models. The systems connecting from the branch to the PRO 200 should be restricted to the HTTP and HTTPS protocols on a specific IP. They are to have no other access on the corporate network.
I will accept any and all thoughts, ideas, criticisms, complaints, suggestions, motivations, propositions and humiliations.
A bored admin is a very dangerous person...
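The policy the post is asking for (branch VPN hosts may reach one corporate server on HTTP and HTTPS and nothing else, with everything else falling through to a catch-all deny) is easy to state as an ordered, first-match rule table. The following is an added example written for this page, not code from the original post and not SonicWall's rule engine or configuration format: it models a generic first-match table with an immutable default deny at the end, so the reader can see which rule each test packet hits. All addresses (10.10.1.0/24 and 10.10.2.0/24 as branch networks, 10.0.0.0/24 as the corporate LAN, 10.0.0.123 as the web server standing in for the post's y.y.y.123) and rule names are constructed for illustration.

```python
"""Ordered, first-match firewall rule table with a catch-all default deny.

Added example: models the policy described in the post (branch VPN hosts may
reach one corporate server on HTTP/HTTPS only).  All addresses and rule names
are constructed for illustration; this is a generic model, not SonicWall's engine.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src: IPv4Network                          # source network the rule applies to
    dst: IPv4Network                          # destination network (/32 for one host)
    proto: str                                # "tcp", "udp", "icmp" or "any"
    dports: Optional[FrozenSet[int]] = None   # None = any port / protocol without ports


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule.

    The table must end with a catch-all deny so that every packet gets a
    verdict; a table without one is a configuration error, not "allow".
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    raise ValueError("rule table has no catch-all rule")


# Constructed addresses standing in for the post's x.x.x.x / y.y.y.123.
BRANCH_NETS = [IPv4Network("10.10.1.0/24"), IPv4Network("10.10.2.0/24")]
CORP_LAN = IPv4Network("10.0.0.0/24")
WEB_SERVER = IPv4Network("10.0.0.123/32")


def branch_policy() -> List[Rule]:
    """One explicit allow per branch network, then the default deny.

    The final rule plays the role of the post's "Rule 0" (deny all WAN->LAN);
    in a first-match table it has to be the last entry so the allows win.
    """
    rules = [
        Rule(f"allow-web-{net}", "allow", net, WEB_SERVER, "tcp", frozenset({80, 443}))
        for net in BRANCH_NETS
    ]
    rules.append(Rule("rule0-default-deny", "deny", IPv4Network("0.0.0.0/0"), CORP_LAN, "any"))
    return rules


def check(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Evaluate one constructed packet against the branch policy."""
    pkt = Packet(IPv4Address(src), IPv4Address(dst), proto, dport)
    name, action = evaluate(branch_policy(), pkt)
    return f"{action} ({name})"


if __name__ == "__main__":
    samples = [
        ("10.10.1.5", "10.0.0.123", "tcp", 443),   # branch -> web server HTTPS
        ("10.10.1.5", "10.0.0.123", "icmp", None), # ping to the same host
        ("10.10.1.5", "10.0.0.50", "tcp", 80),     # HTTP to some other LAN host
        ("10.10.1.5", "10.0.0.123", "tcp", 22),    # SSH to the web server
        ("192.0.2.9", "10.0.0.123", "tcp", 443),   # HTTPS from a non-branch source
    ]
    for args in samples:
        print(args, "->", check(*args))
```

Only the explicitly listed (source network, destination host, TCP port) triples are allowed; ping to the web server, HTTP to any other LAN host, SSH, and traffic from a non-branch source all fall through to the catch-all deny. Whether a given product evaluates its rules in this order is a separate question from whether the policy is right, which is why it helps to write the intended policy down in a form that can be checked before fighting the vendor's UI.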