In this post, I will be configuring the rules needed on a Palo Alto firewall to make NAT work for the following:
1. Incoming email: a NAT rule for public IP X.X.X.X on the SMTP port (TCP 25)
2. Incoming webmail sessions to Exchange: a NAT rule for the same public IP X.X.X.X but on the HTTPS port
With this configuration, the firewall translates the incoming sessions based on the destination port:
if the session targets HTTPS, the firewall sends the traffic to the internal Exchange private IP address 10.10.10.20.
if the session targets SMTP on port 25, the firewall sends the traffic to the DMZ zone, which contains the email security gateway (in my case it is Brightmail from Symantec).
Ok, now it's time to show the NAT rules configured for this:
1. Configure the NAT rule for incoming email:
incoming traffic (original packet) on the outside interface, service TCP 25, destined to the public IP address of the Exchange server
will be translated to > the Brightmail private IP in the DMZ, with the port also translated to TCP 25
2. Configure the security rules for incoming email:
outside to > inside, with the source of the public IP address of the Exchange server and port HTTPS, is allowed
outside to > inside, with the source of the public IP address of the Exchange server and port SMTP, is allowed
3. Configure the NAT rule for incoming web sessions:
the same as for SMTP, but for a different port (HTTPS) and translated to a different destination, which will be the private internal address of the Exchange server
Now, let's configure the security policy for both email and webmail:
At the end, the NAT rules will look like the following:
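The same setup expressed as PAN-OS CLI `set` commands, as an added example that is not from the original post. The zone names (untrust, inside, dmz), the public IP 203.0.113.10 standing in for X.X.X.X, and the Brightmail address 10.10.20.5 are assumptions; 10.10.10.20 is the Exchange address given above. One point worth checking before you commit: PAN-OS matches security policy on pre-NAT addresses but post-NAT zones, so the destination in each security rule stays the public IP while the `to` zone is the zone the traffic lands in after translation (dmz for SMTP, inside for HTTPS).

```text
# Added example, not the original post's configuration. Zone names, the
# public IP 203.0.113.10 (placeholder for X.X.X.X) and the Brightmail
# address 10.10.20.5 are assumptions; 10.10.10.20 is from the post.

# Address objects
set address Exchange-Public ip-netmask 203.0.113.10/32
set address Exchange-Internal ip-netmask 10.10.10.20/32
set address Brightmail-DMZ ip-netmask 10.10.20.5/32

# Custom service for SMTP (PAN-OS predefines service-https, not SMTP)
set service tcp-25 protocol tcp port 25

# NAT rule 1: inbound SMTP to the public IP -> Brightmail in the DMZ.
# Destination NAT is written from untrust to untrust: the "to" zone is
# where the pre-NAT destination address routes, not the post-NAT zone.
set rulebase nat rules Inbound-SMTP from untrust to untrust source any destination Exchange-Public service tcp-25
set rulebase nat rules Inbound-SMTP destination-translation translated-address Brightmail-DMZ translated-port 25

# NAT rule 2: inbound HTTPS to the same public IP -> Exchange (webmail).
set rulebase nat rules Inbound-HTTPS from untrust to untrust source any destination Exchange-Public service service-https
set rulebase nat rules Inbound-HTTPS destination-translation translated-address Exchange-Internal translated-port 443

# Security rules: pre-NAT destination (public IP), post-NAT "to" zone.
set rulebase security rules Allow-Inbound-SMTP from untrust to dmz source any destination Exchange-Public application smtp service tcp-25 action allow
set rulebase security rules Allow-Inbound-HTTPS from untrust to inside source any destination Exchange-Public application [ web-browsing ssl ] service service-https action allow

commit
```

To confirm the port-based split behaves as intended, the operational-mode commands `test nat-policy-match` and `test security-policy-match` (with `from untrust`, the public IP as destination, protocol 6 and `destination-port 25` or `443`) show which NAT rule and which security rule a given session would hit, without sending any traffic.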