https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514702#M106823 <P>Configuring a new PA-850, new to this so go easy on me.</P> <P>&nbsp;</P> <P>I have three zones, internal, outside, DMZ.</P> <P>&nbsp;</P> <P>DMZ webserver</P> <P>Private IP = 192.168.2.16</P> <P>Public IP = 212.12.34.56</P> <P>&nbsp;</P> <P>I have created two NAT rules as follows:</P> <P>&nbsp;</P> <P>internal u-turn to DMZ</P> <P>source zone = internal</P> <P>dest zone = outside</P> <P>dest address = 212.12.34.56</P> <P>dest translated address = 192.168.2.16</P> <P>&nbsp;</P> <P>external to DMZ</P> <P>source zone = any</P> <P>dest one = outside</P> <P>dest address = 212.12.34.56</P> <P>dest translated address = 192.168.2.16</P> <P>&nbsp;</P> <P>For purposes of testing this is working I have created a security rule of ANY ANY.</P> <P>&nbsp;</P> <P>I can only view the webserver from the internal network using the internal IP address of 192.168.2.16, using the FQDN or public IP I only get timeouts.&nbsp; Wireshark on the internal clients show outbound HTTP but Wireshark on the server shows no traffic inbound except when using 192.168.2.16.</P> <P>&nbsp;</P> <P>The u-turn NAT rule is above the public NAT rule and the hide-NAT rule is last in the list.&nbsp; I am sure I am missing something simple but I have been through the how to u-turn video and guide here: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK</A></P> <P>&nbsp;</P> <P>The only thing I can see is there is also some source translation in the video which is not shown in the document but I think that is a red herring.</P> <P>&nbsp;</P> <P>Any ideas?</P> Tue, 13 Sep 2022 10:19:56 GMT WilliamD 2022-09-13T10:19:56Z https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514702#M106823 <P>Configuring a new PA-850, new to this so go easy on me.</P> <P>&nbsp;</P> <P>I have three zones, internal, outside, DMZ.</P> <P>&nbsp;</P> <P>DMZ webserver</P> <P>Private IP = 192.168.2.16</P> <P>Public IP = 212.12.34.56</P> <P>&nbsp;</P> <P>I have created two NAT rules as follows:</P> <P>&nbsp;</P> <P>internal u-turn to DMZ</P> <P>source zone = internal</P> <P>dest zone = outside</P> <P>dest address = 212.12.34.56</P> <P>dest translated address = 192.168.2.16</P> <P>&nbsp;</P> <P>external to DMZ</P> <P>source zone = any</P> <P>dest one = outside</P> <P>dest address = 212.12.34.56</P> <P>dest translated address = 192.168.2.16</P> <P>&nbsp;</P> <P>For purposes of testing this is working I have created a security rule of ANY ANY.</P> <P>&nbsp;</P> <P>I can only view the webserver from the internal network using the internal IP address of 192.168.2.16, using the FQDN or public IP I only get timeouts.&nbsp; Wireshark on the internal clients show outbound HTTP but Wireshark on the server shows no traffic inbound except when using 192.168.2.16.</P> <P>&nbsp;</P> <P>The u-turn NAT rule is above the public NAT rule and the hide-NAT rule is last in the list.&nbsp; I am sure I am missing something simple but I have been through the how to u-turn video and guide here: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK</A></P> <P>&nbsp;</P> <P>The only thing I can see is there is also some source translation in the video which is not shown in the document but I think that is a red herring.</P> <P>&nbsp;</P> <P>Any ideas?</P> Tue, 13 Sep 2022 10:19:56 GMT https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514702#M106823 WilliamD 2022-09-13T10:19:56Z https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514748#M106829 <P>Hello,</P> <P>Make sure you have logging enabled on your policies and see where the traffic is flowing. I know you have your any any policy, but it might not be setup correctly. The thought I had was possible asymmetric routing. So check your virtual router and make sure everything is getting routed correctly.</P> <P>Regards,</P> Tue, 13 Sep 2022 19:10:43 GMT https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514748#M106829 OtakarKlier 2022-09-13T19:10:43Z https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514815#M106845 <P>Plugging in the Outside interface into a small switch brought the interface up and the translation between internal and DMZ then occurred as expected.&nbsp; I don't remember seeing anything about this in the documentation but I guess a one-liner I may have missed.</P> <P>&nbsp;</P> <P>Thanks for posting back OtakarKlier I did learn how to use the monitor a little so it wasn't a waste of time.</P> Wed, 14 Sep 2022 12:25:31 GMT https://live.paloaltonetworks.com/t5/general-topics/can-only-access-dmz-server-using-private-address-u-turn-nat-not/m-p/514815#M106845 WilliamD 2022-09-14T12:25:31Z