Configure NAT Policy for Exchange Server


Not applicable

We are brand new to Palo Alto and are configuring our first device, a PA-3020. We've been trying to configure a NAT policy that will direct inbound email to our Exchange server. Outbound email seems to work fine. Inbound email doesn't seem to be even hitting the firewall since there are no log entries. We have a Sonicwall firewall in place now and email works fine. When we move the cables from the Sonicwall to the PA-3020, inbound emails stop flowing. Any thoughts?

Accepted Solutions

Not applicable

Thanks to everyone for your suggestions. Turns out we had it configured properly in the first place. The problem turned out to be the ARP table in the switch. The public facing IP had a MAC address pointing to the Sonicwall. When we moved the cables to the PA-3020, the switch was still trying to send the traffic to the Sonicwall. When we cleared the ARP table in the switch, traffic started flowing.
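
A cutover check for the stale-ARP condition described in the post above, as an added example that is not part of the original thread: it parses a saved ARP listing from the upstream switch and reports whether each NAT'd public IP resolves to the new firewall's MAC. The listing format, addresses and MACs are constructed sample values, and `check_cutover` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: ARP listing saved from the upstream switch after the
# cutover. Documentation-range IPs; MAC addresses are made up.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.5e00.5301  ARPA   Vlan10
Internet  203.0.113.10           87   0017.c5aa.bb01  ARPA   Vlan10
Internet  203.0.113.11            2   001b.17cc.dd02  ARPA   Vlan10
"""

MAC_RE = re.compile(
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)

def norm_mac(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Return {ip: mac} for every line that holds an IPv4 address and a MAC."""
    table = {}
    for line in text.splitlines():
        ip = mac = None
        for tok in line.split():
            if MAC_RE.fullmatch(tok):
                mac = norm_mac(tok)
            elif ip is None:
                try:
                    ip = str(ipaddress.IPv4Address(tok))
                except ValueError:
                    pass
        if ip and mac:
            table[ip] = mac
    return table

def check_cutover(arp_text, new_fw_mac, public_ips):
    """Classify each public IP as ok, stale (other MAC) or absent (no entry)."""
    table, want = parse_arp(arp_text), norm_mac(new_fw_mac)
    return {ip: "absent" if ip not in table
            else "ok" if table[ip] == want else "stale"
            for ip in public_ips}

if __name__ == "__main__":
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for ip, state in check_cutover(SAMPLE_ARP, "00:1B:17:CC:DD:02", ips).items():
        print(f"{ip:15} {state}")
```

A `stale` result means the switch will keep forwarding that address to the old device until the entry ages out or is cleared.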


5 REPLIES

L6 Presenter

Hi Oliver,

Is it a Static NAT or just Destination NAT? Can you provide us a snapshot of the NAT configuration?

Regards,

Hardik Shah

L6 Presenter

Hi Oliver,

You can refer to the below-mentioned video for DNAT.

Video Link : 1550

Regards,

Hardik Shah

L4 Transporter

Hello

If you are new to PAN, please read Understanding PAN-OS NAT first, and next search this community for u-turn problems that could hit you ;)

With regards

Slawek

L7 Applicator

Sonicwall NAT and policy organization is basically the same as you have in PanOS. They are separate and require two rules.

Look at your Sonicwall NAT rule for the inbound address to the Exchange server.

Create this same rule in the NAT section on the PA.

In the security policy, add a rule on the PA to permit the inbound smtp application to the Exchange server.

Once you have both the NAT rule and security policy, the inbound traffic should flow.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
