https://live.paloaltonetworks.com/t5/general-topics/zone-assignment/m-p/46193#M33946 <HTML><HEAD></HEAD><BODY><P>Hi jeff,</P><P>For NAT rules, zone matching is based on ingress interface and egress interface after PBF policy or route table lookup.<BR />Zone matching for Security rules is a post nat process; so a second lookup will occur after applying destination NAT rule (if there was a Nat policy match).<BR />on the other side, for ip matching, in security policy, you always have to keep pre-NAT IP address.</P><P></P><P>When using Static SNAT bi-directional, an implied DNAT rule will be derived from your SNAT one (szone [any],sip [any] - dzone [same],dip [snated ip]).<BR />You can see it with # show running nat-policy.</P><P></P><P>In you case, I think something is wrong with routing (maybe a wrong mask), your source IP from DMZ zone seems to be routed back in trust zone...<BR />furthermore, don't forget to keep your pre-NAT IP address in your security policy to allow the traffic..</P><P>Hope this will help you.</P><P></P><P>Regards</P><P>-Nicolas</P></BODY></HTML> Wed, 09 Jan 2013 16:14:37 GMT nbilly 2013-01-09T16:14:37Z https://live.paloaltonetworks.com/t5/general-topics/zone-assignment/m-p/46192#M33945 <HTML><HEAD></HEAD><BODY><P>In PanOS, how are the zones established for inbound rules?&nbsp; I have a bi-directional NAT created for a device located in a DMZ.&nbsp; I also have a security policy allowing traffic to the NAT address from the untrusted zone (Internet).&nbsp; When traffic comes in, it is marked as source zone =&gt; untrusted, destination zone =&gt; trusted and denied because there is no policy for untrusted to trusted.&nbsp; Shouldn't the destination zone be my DMZ?&nbsp; See attached file for the log.</P></BODY></HTML> Wed, 09 Jan 2013 14:59:38 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-assignment/m-p/46192#M33945 jpvh1234 2013-01-09T14:59:38Z https://live.paloaltonetworks.com/t5/general-topics/zone-assignment/m-p/46193#M33946 <HTML><HEAD></HEAD><BODY><P>Hi jeff,</P><P>For NAT rules, zone matching is based on ingress interface and egress interface after PBF policy or route table lookup.<BR />Zone matching for Security rules is a post nat process; so a second lookup will occur after applying destination NAT rule (if there was a Nat policy match).<BR />on the other side, for ip matching, in security policy, you always have to keep pre-NAT IP address.</P><P></P><P>When using Static SNAT bi-directional, an implied DNAT rule will be derived from your SNAT one (szone [any],sip [any] - dzone [same],dip [snated ip]).<BR />You can see it with # show running nat-policy.</P><P></P><P>In you case, I think something is wrong with routing (maybe a wrong mask), your source IP from DMZ zone seems to be routed back in trust zone...<BR />furthermore, don't forget to keep your pre-NAT IP address in your security policy to allow the traffic..</P><P>Hope this will help you.</P><P></P><P>Regards</P><P>-Nicolas</P></BODY></HTML> Wed, 09 Jan 2013 16:14:37 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-assignment/m-p/46193#M33946 nbilly 2013-01-09T16:14:37Z