Making server available with NAT doesn't work

L3 Networker

Making server available with NAT doesn't work

Today I tried to configure our PA500 firewall to make a server from our DMZ zone available for Office 365. But first I will explain our network topology.
In our company we have 2 internet lines, one for internet and the other one as backup. After this backup line we have several public IP adresses, so I want to use these IP adressen for publishing my DMZ server.

So I configured the settings, but its not working at all. The server can't get to internet and the internet can't reach the server (like a ping).
In the monitoring I see that the server can send bytes to the internet with the correct NAT IP, but doesn't recieve anything from the internet.

Everything I configured I took a screenshot and loaded it up with this post. Belacom is the backup line. Can someone help me out?




L3 Networker

Re: Making server available with NAT doesn't work

Hello Zebit,

From your NAT policies, it looks like your primary ISP is on ethernet 1/3 and the secondary is ethernet 1/4. Is this correct?

I notice that your PBF policy dictates that all traffic sourced from the INTERN and DMZ zones should be forwarded out of eth1/3.

Based on your description, if you are trying to use a Public IP address given to you by the secondary ISP, then your current configurations would not work.

Problem #1

I'm assuming that your Office365 server's IP address is and your ISP_1 public IP is and ISP_2 public_IP is

You have configured the to be NAT'd to so that when anyone on the internet pings that public IP, it would be sent to the server's private address. (NAT Policy "ADFS Intern").

When that traffic ingresses on eth1/4 for, your secondary ISP connection, the return traffic will incorrectly egress out of eth1/3 based on the configured PBF (Internet Monitor).

To fix this, you would need to configure a PBF policy with symmetric return and position it above the "Internet Monitor" policy.

Basically, this would make the firewall send responses out on the same interface that the requests had come in. Here is a document that explains this concept in greater detail:

How to Configure Symmetric Return

Problem #2

I'm assuming the "Extern zone DMZ" security policy is the one that should permit traffic from the EXTERN zone to the DMZ zone.

If that's the case, you would need to configure the source zone as EXTERN while the destination zone should be DMZ zone.

Pages 15-16 of this document explain this configuration in greater detail as well:

Understanding PAN-OS NAT

In the future, I'd suggest that you open a case with Support to help resolve this type of issue, but let us know if the recommendations above help to solve the problem.



L3 Networker

Re: Making server available with NAT doesn't work

Hi Tasonbare,

You understand my issue correct, I will try your sugesstions and come back to you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!