https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3286#M2453 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I followed the instructions in the paloalto "understanding NAT-4.1RevC" pdf for implementing U turn NAT.</P><P></P><P>It works when I try to access a server in the DMZ from the trusted zone via it's public untrusted IP.</P><P></P><P>I have now a web server which somehow tries to do a http connect to it's own URL, which describes Case 5 in this document "server in the same zone as the client"</P><P>I followed the instructions:</P><P>NAT rule: DMZ-Zone to Untrust Zone with destination public IP translated to private IP and source translated to untrusted Interface and IP. I even created a security policy although the document says it is not needed as the traffic is in the same zone.</P><P></P><P>The problem is that I can't get it working the connection always times out, the same when I try to access the Public IP from an other server in the DMZ. I worked around the problem by setting up a DNS in the DMZ which points the URL to the servers private IP.</P><P></P><P>I can't see any traffic in the traffic logs which is probably due to the inter zone traffic.</P><P></P><P>Has anyone an idea why this isn't working?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 31 Jan 2013 10:00:35 GMT saint-paul 2013-01-31T10:00:35Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3286#M2453 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I followed the instructions in the paloalto "understanding NAT-4.1RevC" pdf for implementing U turn NAT.</P><P></P><P>It works when I try to access a server in the DMZ from the trusted zone via it's public untrusted IP.</P><P></P><P>I have now a web server which somehow tries to do a http connect to it's own URL, which describes Case 5 in this document "server in the same zone as the client"</P><P>I followed the instructions:</P><P>NAT rule: DMZ-Zone to Untrust Zone with destination public IP translated to private IP and source translated to untrusted Interface and IP. I even created a security policy although the document says it is not needed as the traffic is in the same zone.</P><P></P><P>The problem is that I can't get it working the connection always times out, the same when I try to access the Public IP from an other server in the DMZ. I worked around the problem by setting up a DNS in the DMZ which points the URL to the servers private IP.</P><P></P><P>I can't see any traffic in the traffic logs which is probably due to the inter zone traffic.</P><P></P><P>Has anyone an idea why this isn't working?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 31 Jan 2013 10:00:35 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3286#M2453 saint-paul 2013-01-31T10:00:35Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3287#M2454 <HTML><HEAD></HEAD><BODY><P>Hi...Please try changing the source NAT from 'untrusted Interface and IP' to the interface and IP of the DMZ-zone.&nbsp; Thanks.</P></BODY></HTML> Fri, 01 Feb 2013 19:04:39 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3287#M2454 rmonvon 2013-02-01T19:04:39Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3288#M2455 <HTML><HEAD></HEAD><BODY><P>Thank you, this solved the problem. </P><P>I had some strange glitch that the nat rule wouldn't accept to IP of the interface, it always reset to "none". I had to delete the rule and recreate it, after that I had to move the NAT rule up as it was shadowed by an other rule. It then finally worked.</P></BODY></HTML> Mon, 04 Feb 2013 14:18:14 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-interzone-u-turn-nat/m-p/3288#M2455 saint-paul 2013-02-04T14:18:14Z