How can I create a Policy NAT on a Sonicwall NSA 3500?

I need to create a policy NAT on a Sonicwall NSA 3500 running Enhanced OS.

We have about 14 IP addresses available, with a good number of inbound services already configured and NAT-ing.  ALL services outbound NAT using the IP address of the Sonicwall itself, INCLUDING the email servers.

We were recently blacklisted on this IP address due to a virus outbreak, so now we need to NAT our Exchange server to go out on a different IP address, but I cannot figure out how to do this on a Sonicwall.  On a Cisco, I would just create a Policy-NAT with an access list and a global statement, but I don't know where to do this kind of change on a Sonicwall Enhanced OS.

Please help!


OK, I'm going to give this a shot.
1) Set up an address object (under Network) with your intended public IP, Type=Host, Zone=WAN, and name it something like "SMTP_Public_IP".  Save.

2) Determine what address object is assigned to your email server. (for reference I will call it "Email_Server")

3) Under Network, NAT Policies, find the entry that has your Email_Server in the destination/translated column and SMTP in the service/original column.  Edit that entry and change the destination/original (probably WAN Primary IP) to your new SMTP_Public_IP object.  Save.

4) Go to Firewall, Access Rules (Matrix), select LAN to WAN, and set up the following rules:
   a) Allow -> Service=SMTP, Source=Email_Server, Destination=ANY, Users=ALL, Always on.
   b) Deny -> Service=SMTP, Source=ANY, Destination=ANY, Always on.
   ** Make sure that rule "a" is above rule "b".  If not, use the up/down arrows to position it.

5) Go to your Email_Server and change the default gateway to the IP address referenced by the SMTP_Public_IP object.

I don't have a way of testing this, but it should work.
The rules are to stop all email sent from any computer except your Mail Server.  If you have other computers that need to send email, just make an object to reference them and make another rule similar to rule "a" using its object name.  These rules will keep you out of hot water with the blacklists in the future.  Make sure you change your public DNS settings as well as the reverse DNS settings for the new public IP.

You can use the enable/disable feature to turn the rules on and off, and if you don't want to modify the NAT rule, make a new one instead and just enable/disable as needed.  Don't have both NAT statements enabled or disabled at the same time.  If one is enabled, the other should be disabled.
Let us know how it goes.


jkeegan123 (Author) commented:
Thanks, that did it!
jkeegan123 (Author) commented:
Correction, this didn't EXACTLY do the trick.  Here is a complete writeup of what I had to do to enable an outbound policy NAT that changed the IP address that my Exchange server used to deliver SMTP mail only.  This did NOT modify the inbound NAT policies for RECEIVING MAIL and Outlook Web Access, and did NOT change the IP address that all of my workstations were using to browse the internet.

Address Object for PUBLIC IP of Server
Address Object for PRIVATE IP of Server
Service defined for NAT policy (i.e. SMTP)

Set up a NAT POLICY such that:
Translated Source:  NEW PUBLIC IP OBJECT
Original Destination:  ANY
Translated Destination:  Original
Original Service:  Service required (i.e. SMTP)
Translated Service:  Original
Inbound Interface:  PRIVATE INTERFACE (usually X0)
Outbound Interface:  PUBLIC INTERFACE (usually X1)
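An added example (not code from this thread or from SonicWall) that models the outbound NAT table as the writeup above configures it: a specific Email_Server/SMTP policy placed above the default "everything to WAN Primary IP" policy, with first match winning. All IP addresses are constructed sample values; it shows that only the server's outbound SMTP gets the new source IP, that inbound traffic is untouched, and what happens if the two policies are ordered the wrong way round.

```python
from dataclasses import dataclass

ANY = "any"
WAN_PRIMARY_IP = "203.0.113.1"    # constructed: the firewall's own WAN IP
SMTP_PUBLIC_IP = "203.0.113.25"   # constructed: new public IP object for the mail server
EMAIL_SERVER = "192.168.1.25"     # constructed: Email_Server object (private IP)
WORKSTATION = "192.168.1.100"     # constructed: an ordinary LAN host

@dataclass(frozen=True)
class Nat:
    """One NAT policy as the SonicOS dialog presents it ('original' fields are match fields)."""
    orig_src: str
    orig_dst: str
    orig_svc: str
    in_if: str
    out_if: str
    trans_src: str          # translated source IP, or "original" to leave it unchanged
    enabled: bool = True

def field_matches(rule_value: str, flow_value: str) -> bool:
    return rule_value == ANY or rule_value == flow_value

def policy_matches(p: Nat, src: str, dst: str, svc: str, in_if: str, out_if: str) -> bool:
    return p.enabled and all((
        field_matches(p.orig_src, src), field_matches(p.orig_dst, dst),
        field_matches(p.orig_svc, svc), field_matches(p.in_if, in_if),
        field_matches(p.out_if, out_if)))

def translated_source(policies, src, dst, svc, in_if="X0", out_if="X1") -> str:
    """Source IP the packet leaves with: first enabled matching policy wins."""
    for p in policies:
        if policy_matches(p, src, dst, svc, in_if, out_if):
            return src if p.trans_src == "original" else p.trans_src
    return src  # no policy matched: packet leaves untranslated

# Policy table from the writeup: the Exchange SMTP policy (X0 -> X1) sits above the
# default outbound policy that maps all X0 -> X1 traffic to the WAN primary IP.
POLICIES = [
    Nat(EMAIL_SERVER, ANY, "SMTP", "X0", "X1", SMTP_PUBLIC_IP),
    Nat(ANY, ANY, ANY, "X0", "X1", WAN_PRIMARY_IP),
]

if __name__ == "__main__":
    remote = "198.51.100.9"   # constructed: some MX host on the internet
    print("Exchange SMTP   ->", translated_source(POLICIES, EMAIL_SERVER, remote, "SMTP"))
    print("Exchange HTTPS  ->", translated_source(POLICIES, EMAIL_SERVER, remote, "HTTPS"))
    print("Workstation SMTP->", translated_source(POLICIES, WORKSTATION, remote, "SMTP"))
    # Inbound mail (X1 -> X0) matches neither outbound policy, so it is untouched.
    print("Inbound SMTP    ->", translated_source(POLICIES, remote, SMTP_PUBLIC_IP, "SMTP", "X1", "X0"))
    # Reversed order: the catch-all shadows the specific policy, exactly the failure to avoid.
    print("Reversed order  ->", translated_source(list(reversed(POLICIES)), EMAIL_SERVER, remote, "SMTP"))
```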
I'm sorry, I misunderstood.
I thought you just wanted to NAT your Exchange server on a different IP, and not anything else.

To change all your services, you would only need to edit the WAN Primary IP object and change it to the new IP address.

You would still probably want the 2 access rules to protect against future possible problems.
jkeegan123 (Author) commented:
Absolutely, if that was in place in the FIRST place, none of this ever would have happened.

Thanks again.