https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/111834#M45127 <P>Hello,</P><P>I would check the order of your NAT rules. I suspect that another one is being used prior to this one. Try moving it up higher in the list.</P><P>&nbsp;</P><P>Cheers!</P> Thu, 08 Sep 2016 22:17:17 GMT OtakarKlier 2016-09-08T22:17:17Z https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/111755#M45126 <P>Our public wifi traffic is unable to reach our external web servers that have public IPs (like webmail). The public wifi network is in the same zone, but it is assigned 172.30.0.0 IP, and we have ACLs to prevent the 172.30.0.0 network&nbsp;from talking to&nbsp;192.168.0.0. &nbsp;It is also being outbound NAT so it gets assigned a different public IP address than our regular traffic.</P><P>&nbsp;</P><P>When I do an nslookup on public wifi, it gets the public IP address of the web server.</P><P>&nbsp;</P><P>This is the&nbsp;U-Turn NAT I have tried, but I haven't gotten it to work:&nbsp;</P><P>source: trusted, dest: untrusted, dest int: any, source addr: 172.30.0.0/16, dest addr: [external IP of webserver], no source NAT, dest NAT: 192.168.254.100 (internal IP of webserver)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Sep 2016 17:15:14 GMT https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/111755#M45126 Maxstr 2016-09-08T17:15:14Z https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/111834#M45127 <P>Hello,</P><P>I would check the order of your NAT rules. I suspect that another one is being used prior to this one. Try moving it up higher in the list.</P><P>&nbsp;</P><P>Cheers!</P> Thu, 08 Sep 2016 22:17:17 GMT https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/111834#M45127 OtakarKlier 2016-09-08T22:17:17Z https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/113998#M45271 <P>Do you have a matching security policy that allows the traffic from the public wifi zone to the dmz server zone.</P> Sat, 17 Sep 2016 15:04:28 GMT https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/113998#M45271 pulukas 2016-09-17T15:04:28Z https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/114127#M45286 <P>is the 192.168.254.100&nbsp; aware of the 172 network (does it have routes or will it bounce sessions back to it's default gateway)?</P> <P>&nbsp;</P> <P>if the 192 host is aware of the 172 network it may create asymmetric routing, in which case you'll need to either remove the routes from the host or apply source NAT on the firewall so returning packets go to the firewall</P> <P>&nbsp;</P> <P>the security policy should be implied, as it is trust to trust, but it may not be a bad idea to create one specifically for this traffic anyway, so you have <EM>accountability</EM> (make sure to set the destination IP to the public IP)</P> <P>&nbsp;</P> <P>then make sure your u-turn policy is all the way at the top</P> <P>&nbsp;</P> Mon, 19 Sep 2016 10:26:24 GMT https://live.paloaltonetworks.com/t5/general-topics/public-wifi-clients-unable-to-access-our-public-web-servers/m-p/114127#M45286 reaper 2016-09-19T10:26:24Z