https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65350#M39029 <P>Hi,</P><P>&nbsp;</P><P>we have a static NAT from this ip <SPAN>192.168.200.8</SPAN> (zone DMZ) &nbsp;to 195.57. (zone VPN). But we&nbsp;realised that the NAT rule which is matching is wrong.</P><P>Its matching the NAT rule (ftp.arag.es) but this rule has a filter by "Destination zone" Externa. And the real traffic is VPN&lt;-&gt;DMZ</P><P>&nbsp;</P><P>Why PA is applying this rule if not being include the destiantion zone in the filter???&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>regards</P> Fri, 02 Oct 2015 09:12:18 GMT SOC_CSG 2015-10-02T09:12:18Z https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65350#M39029 <P>Hi,</P><P>&nbsp;</P><P>we have a static NAT from this ip <SPAN>192.168.200.8</SPAN> (zone DMZ) &nbsp;to 195.57. (zone VPN). But we&nbsp;realised that the NAT rule which is matching is wrong.</P><P>Its matching the NAT rule (ftp.arag.es) but this rule has a filter by "Destination zone" Externa. And the real traffic is VPN&lt;-&gt;DMZ</P><P>&nbsp;</P><P>Why PA is applying this rule if not being include the destiantion zone in the filter???&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>regards</P> Fri, 02 Oct 2015 09:12:18 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65350#M39029 SOC_CSG 2015-10-02T09:12:18Z https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65356#M39034 <P>Hello,</P><P>I'm guessing you need a U-Turn NAT rule so the VPN clients can communicate properly to the external FTP site.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965" target="_blank">https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965</A></P><P>&nbsp;</P><P>This is a good article and covers all the NAT types.</P><P>&nbsp;</P><P>Hope this helps!</P> Thu, 01 Oct 2015 14:13:27 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65356#M39034 OtakarKlier 2015-10-01T14:13:27Z https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65374#M39046 <P>when you create a bidirectional policy, a return policy is created in the background. You can see it just using the CLI&nbsp;</P><P>&gt; show running nat-policy</P><P>The return policy changes the&nbsp;destination zone to any and put it as source. so In your case the return policy is going to be</P><P>From zone: any</P><P>To zone: DMZ</P><P>To: 192.57.58.218</P><P>Translate to: 192.168.200.8</P><P>&nbsp;</P><P>Regards,</P><P>Gerardo&nbsp;</P> Thu, 01 Oct 2015 19:30:19 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rule-being-applied-wrong/m-p/65374#M39046 glastra1 2015-10-01T19:30:19Z