https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/302#M251 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>What you're describing is what we call "U-Turn NAT". There is a great document called understanding NAT and it seems to cover your questions and should help you in creating your security policies and NAT policies for this particular type of NAT.</P><P></P><P>Here is the link:</P><P></P><P><A class="active_link" href="https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf">https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf</A></P><P></P><P>Page 27 begins the U-Turn NAT discussion and examples. (With Screenshots)</P><P></P><P>If for some reason the link above doesn't work, the document can be found on the support portal under technical documentation.</P><P></P><P>Let us know if this helps.</P><P></P><P>Thanks,<BR /><BR />Jason Seals </P></BODY></HTML> Thu, 22 Mar 2012 04:47:39 GMT jseals 2012-03-22T04:47:39Z https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/301#M250 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I'm trying to get a better understanding of how a specific request is completed. If an internal private IP, say 10.10.10.20 leaves the provate network behind an IP of 2.2.2.2 and heads to the Internet fine then tries to go to an IP which the firewall NATs, such as 2.2.2.3 to a DMZ IP of 10.10.50.20. What is the source for the packet?</P><P></P><P>Does the firewall consider the packet from 10.10.10.20 as having really gone straight to 10.10.50.20 and do no address translation? If it's really gone out and back in, then surely 10.10.50.20 would get a source address for the inbound packet as 2.2.2.2 (the IP that the general inside traffic goes out behind).</P><P></P><P>Any clarification of all this would be very useful to me in troubleshooting an ongoing issue I have with inside devices contacting a DMZ device by it's external IP, and currently failing.</P><P></P><P>Thanks in advance</P><P>UKRB.</P></BODY></HTML> Thu, 22 Mar 2012 00:12:12 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/301#M250 UKRB 2012-03-22T00:12:12Z https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/302#M251 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>What you're describing is what we call "U-Turn NAT". There is a great document called understanding NAT and it seems to cover your questions and should help you in creating your security policies and NAT policies for this particular type of NAT.</P><P></P><P>Here is the link:</P><P></P><P><A class="active_link" href="https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf">https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf</A></P><P></P><P>Page 27 begins the U-Turn NAT discussion and examples. (With Screenshots)</P><P></P><P>If for some reason the link above doesn't work, the document can be found on the support portal under technical documentation.</P><P></P><P>Let us know if this helps.</P><P></P><P>Thanks,<BR /><BR />Jason Seals </P></BODY></HTML> Thu, 22 Mar 2012 04:47:39 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/302#M251 jseals 2012-03-22T04:47:39Z https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/303#M252 <HTML><HEAD></HEAD><BODY><P>You are basically describing a u-turn NAT scenario. Have a look at below article as it could help to understand how this scenario works.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1678">https://live.paloaltonetworks.com/docs/DOC-1678</A></P><P></P><P></P><P>You may also find below Tech Note useful as well.</P><P></P><P><A href="https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf"><SPAN style="color: #355491; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif; ">https://support.paloaltonetworks.com/index.php?option=com_pan&amp;task=dl_tech_doc&amp;filename=Understanding-NAT.pdf</SPAN> </A></P><P></P><P></P><P>-Richard</P></BODY></HTML> Thu, 22 Mar 2012 04:53:15 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-public-ip-that-nats-to-dmz-private-ip/m-p/303#M252 Retired Member 2012-03-22T04:53:15Z