https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148531#M49591 <P>As everyone has mentioned, if the hosts are communicating on their connected internal addresses all is good.</P><P>&nbsp;</P><P>But I suspect you may be referring the the case where internal hosts get DNS entries with the external address of the servers in your DMZ. &nbsp;Then you do need to use what is called "U turn" NAT for the connections to work.</P><P>&nbsp;</P><P>See this documentation.</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081</A></P> Tue, 21 Mar 2017 00:00:18 GMT pulukas 2017-03-21T00:00:18Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148412#M49578 <P>I know you need a security policy to go from dmz to Lan but do you need a nat statement. &nbsp;On all the Palo Alto documents that I have seen no nat rule is used. &nbsp;If I am wrong could some one send me a link. &nbsp;</P><P>&nbsp;</P><P>Thank you&nbsp;</P> Mon, 20 Mar 2017 16:26:35 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148412#M49578 Andy_Hoeller 2017-03-20T16:26:35Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148420#M49579 <P>Hi,</P><P>&nbsp;</P><P>It all depends if you want to "hide" the source ip&nbsp;or/and &nbsp;if you coming&nbsp;from the private ip address to the&nbsp;public or vice versa. from DMZ to LAN (assuming you do have a private ip address range), if you want to "hide" the DMZ server source &nbsp;ip address then you can NATed to the PA LAN interface so all request will appear for the LAN users as PA source ip.&nbsp;NAT is not a requirement&nbsp;between the&nbsp;rfc 1918 ip addresses but it is between&nbsp;the public ip&nbsp;as private ip are not allowed on Internet.</P> Mon, 20 Mar 2017 17:21:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148420#M49579 TranceforLife 2017-03-20T17:21:48Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148428#M49580 <P>Can you explain what you are trying to do a little bit more, and what your current infrastructure looks like. You may be thinking about a u-turn NAT or hairpinning but without knowing what your setup looks like we can't give you an answer for your enviroment.</P><P>Generally the respective zones would just need security policies put into place to allow the traffic.&nbsp;</P> Mon, 20 Mar 2017 17:31:13 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148428#M49580 BPry 2017-03-20T17:31:13Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148434#M49581 <P>no, DMZ &lt;-&gt; Trust should not require a NAT.</P><P>&nbsp;</P><P>As long as the routing is all square, you won't need anything beyond the security policy. With or without the policy in place, the traffic logs should confirm that.</P><P>&nbsp;</P> Mon, 20 Mar 2017 18:19:28 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148434#M49581 bradk14 2017-03-20T18:19:28Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148443#M49582 <P>Thank you&nbsp;</P> Mon, 20 Mar 2017 18:57:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148443#M49582 Andy_Hoeller 2017-03-20T18:57:24Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148531#M49591 <P>As everyone has mentioned, if the hosts are communicating on their connected internal addresses all is good.</P><P>&nbsp;</P><P>But I suspect you may be referring the the case where internal hosts get DNS entries with the external address of the servers in your DMZ. &nbsp;Then you do need to use what is called "U turn" NAT for the connections to work.</P><P>&nbsp;</P><P>See this documentation.</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081</A></P> Tue, 21 Mar 2017 00:00:18 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/148531#M49591 pulukas 2017-03-21T00:00:18Z https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/149967#M49858 <P>thank you&nbsp;</P> Tue, 28 Mar 2017 16:40:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-to-inside-lan/m-p/149967#M49858 Andy_Hoeller 2017-03-28T16:40:37Z