https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39990#M29321 <HTML><HEAD></HEAD><BODY><P>If the clients and the servers are on the same LAN then the response from the server is likely going directly to the client and not back through the firewall.&nbsp; The client is receiving a response packet with the internal address instead of the external one so it rejects the packet as unexpected.&nbsp; </P><P></P><P>To fix this scenario you can set up a Source-NAT + Destination-NAT rule from the client subnet to the servers so the return traffic is forced back to the firewall and correctly processed for NAT and security before it gets to the client. This concept is known as a U-Turn NAT Rule.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Tue, 12 Jul 2011 05:42:56 GMT kbrazil 2011-07-12T05:42:56Z https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39989#M29320 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>We have some internet facing servers who has NAT public address.</P><P></P><P>1)&nbsp;&nbsp;&nbsp;&nbsp; Externally we can access the public address of the server.</P><P></P><P>2)&nbsp;&nbsp;&nbsp;&nbsp; Internally on our LAN, we cannot access the public address of the server, it timed out. However the appliance monitor tab shows accept, nothing was denied.</P><P></P><P>The policy rules i set was</P><P></P><P></P><P>Any to Any - Server_public_address - Web browsing allowed</P><P></P><P></P><P></P><P>Anyone knows what could be causing this issue ?</P><P></P><P>Thanks</P><P></P><P>Ben</P></BODY></HTML> Tue, 12 Jul 2011 04:44:48 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39989#M29320 mmxong 2011-07-12T04:44:48Z https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39990#M29321 <HTML><HEAD></HEAD><BODY><P>If the clients and the servers are on the same LAN then the response from the server is likely going directly to the client and not back through the firewall.&nbsp; The client is receiving a response packet with the internal address instead of the external one so it rejects the packet as unexpected.&nbsp; </P><P></P><P>To fix this scenario you can set up a Source-NAT + Destination-NAT rule from the client subnet to the servers so the return traffic is forced back to the firewall and correctly processed for NAT and security before it gets to the client. This concept is known as a U-Turn NAT Rule.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Tue, 12 Jul 2011 05:42:56 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39990#M29321 kbrazil 2011-07-12T05:42:56Z https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39991#M29322 <HTML><HEAD></HEAD><BODY><P>I just posted a somewhat similar issue.&nbsp; Explicitly allowing the traffic (even though the logs were not showing anything was blocked) resolved the problem.&nbsp; My post asked why this behavior is occuring.</P></BODY></HTML> Tue, 12 Jul 2011 18:05:44 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-browse-nat-webpage-internally-in-lan/m-p/39991#M29322 bhelman 2011-07-12T18:05:44Z