How to Configure U-Turn NAT

by nrice on ‎11-30-2010 04:10 PM - edited on ‎08-23-2017 11:54 PM by Community Manager (99,776 Views)

Overview

“U-turn” refers to the logical path traffic appears to travel when an internal resource is accessed through its external address. U-turn NAT refers to a network where internal users need to access an internal server using the server’s external public IP address.

Details

For this example, an internal web server uses a DNS record pointing to the server’s external public Internet address.

 

External users resolve the address, connect to the external interface of the firewall, and their session is translated and handled by the firewall. An internal user connecting to this same FQDN also connects to the external address, even though the physical server may be located on that user’s internal subnet or in a DMZ with internal addressing.

When setting up NAT rules, the source and destination zones must correspond to the zones to which the original (pre-NAT) source and destination IP addresses belong, as determined by the firewall's route lookup. Security rules, in contrast, use the actual (post-NAT) source and destination zones but still list the original (pre-NAT) destination IP address.

  • For normal inbound traffic from the Internet to the web server, the NAT and security rules that allow external users to reach the web server look like this:
    Inbound.PNG.png
    Security Inbound.PNG.png

Note: Set the service to "any" if you do not want to limit the security policy to ports 80 and 443, or to "application-default" if the policy should apply to port 80 only, the default port of the web-browsing application.

 

  • The following is an example of the U-turn NAT and security rules for hosts and web servers in the same zone (the server sits on the LAN alongside the hosts):

dai2.jpg

    • NAT rule for same-zone U-turn NAT (note the source translation, which keeps the server's return traffic flowing through the firewall).
    • No security rule is necessary, since after translation the traffic's source and destination are in the same zone (intrazone traffic).

Screen Shot 2015-05-12 at 1.08.35 PM.png

 

  • This is an example of the U-turn NAT and security rules for hosts and web servers in different zones:

dai.JPG

    • The NAT rule for different-zone U-turn NAT differs from the same-zone rule: no source NAT is needed, because the return packets already pass through the firewall (there is no asymmetry in the flow of packets), but the rule does need to be placed above the generic outbound hide-NAT rule:

2015-10-22_10-00-12.png

    • Security Rules for U-Turn NAT:

12568_Security Different Zone.PNG.png
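As an added illustration (not part of this article; the zone names and addresses are constructed), the following Python model walks through the two lookups described above: NAT rules matched on pre-NAT zones, the security policy keyed on post-NAT zones with pre-NAT addresses, and a check of why the same-zone U-turn rule needs source translation while an external (or other-zone) client does not.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the article): LAN 10.0.0.0/24 is zone "trust"
# with the firewall at 10.0.0.1; the web server 10.0.0.2 is published on the
# untrust side as 198.51.100.1 (a documentation address).
ZONES = {"trust": ip_network("10.0.0.0/24"), "untrust": ip_network("0.0.0.0/0")}
FW_LAN_IP, SERVER_IP, PUBLIC_IP = "10.0.0.1", "10.0.0.2", "198.51.100.1"

def zone_of(ip):
    """Route lookup: the longest-prefix match decides which zone an address is in."""
    hits = [z for z, net in ZONES.items() if ip_address(ip) in net]
    return max(hits, key=lambda z: ZONES[z].prefixlen)

# NAT rules are matched on PRE-NAT zones and addresses; first match wins, so the
# U-turn rule sits above the generic outbound hide-NAT, as the article requires.
NAT_RULES = [
    dict(name="u-turn-lan", frm="trust", to="untrust", dst=PUBLIC_IP,
         snat=FW_LAN_IP, dnat=SERVER_IP),     # same-zone U-turn: source + destination NAT
    dict(name="inbound-web", frm="untrust", to="untrust", dst=PUBLIC_IP,
         snat=None, dnat=SERVER_IP),          # normal inbound: destination NAT only
    dict(name="outbound-hide", frm="trust", to="untrust", dst="any",
         snat=PUBLIC_IP, dnat=None),          # generic outbound hide-NAT
]

def apply_nat(src, dst):
    """Return (rule name, translated src, translated dst) for a new session."""
    for r in NAT_RULES:
        if (r["frm"], r["to"]) == (zone_of(src), zone_of(dst)) and r["dst"] in ("any", dst):
            return r["name"], r["snat"] or src, r["dnat"] or dst
    return None, src, dst

def security_match_key(src, dst):
    """Security policy is evaluated on POST-NAT zones but PRE-NAT addresses."""
    _, _, new_dst = apply_nat(src, dst)
    return zone_of(src), zone_of(new_dst), src, dst

def reply_via_firewall(client_ip, translated_src):
    """Does the server's reply come back through the firewall? A server answers a
    same-subnet address directly (ARP), bypassing the firewall unless that address
    is the firewall itself; that is the asymmetry the source NAT prevents."""
    same_subnet = ip_address(translated_src) in ZONES["trust"]
    return (not same_subnet) or translated_src == FW_LAN_IP

if __name__ == "__main__":
    for client in ("203.0.113.7", "10.0.0.50"):   # external client, LAN client
        rule, s, d = apply_nat(client, PUBLIC_IP)
        print(client, "->", PUBLIC_IP, "| nat:", rule, s, d,
              "| security key:", security_match_key(client, PUBLIC_IP),
              "| reply via firewall:", reply_via_firewall(client, s))
```

Removing the `snat` from the `u-turn-lan` rule makes `reply_via_firewall` return False for the LAN client, which is the broken same-zone flow the article's source translation avoids.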

 

Additional NAT resources:

Getting Started: Network Address Translation (NAT)

 

owner: tpiens

Comments
by oschuler
on ‎07-15-2012 01:49 AM

Thank you. That was very helpful. For the ex-WatchGuard users: this "NAT U-Turn"-Feature was called "NAT-Loopback" in the WatchGuard world. Just for the sake of easier searching in the KB.

by LRabon
on ‎10-06-2012 09:55 PM

Thank you...you've explained this better than in the "Understanding NAT" PDF...saved me a ton of time...

by mikealanni
on ‎11-25-2015 09:49 AM

Question, do I need to source NAT when the server and users are on the same zone? 

by Community Manager
on ‎03-08-2016 02:43 AM

@mikealanni : yes, if the users connect to the server on the 'external' IP address it is important to source NAT, as otherwise the packets will have an asymmetric flow: https://www.youtube.com/watch?v=Bdbn1pbe74o

by TheRealDiz
on ‎04-27-2016 04:07 AM

Hi @reaper,

 

I'm asking you this one, because you're always on point.

I'm trying to configure U-turn NAT in this kind of situation:

---------------------------------------------------------------------

 

- Different source zone (so I've tried to configure it as mentioned in example 2)

   Guest zone and Lan zone (where srv is located)

- Different outbound zone

   wan zone (where server's IP public address is published) and wan2 zone (this one used by guest in order to surf internet)

- PBF rule that forces guest user to surf internet through interface where wan2 zone is assigned

 

---------------------------------------------------------------------

 

See the drawing:

 

Uturn_with two different outbound zone.JPG

 

How can I configure U-turn in this situation?

 

Best Regards

Luca

by Community Manager
on ‎04-27-2016 04:16 AM

Hi @TheRealDiz !

 

I'm assuming there is 1 VR and no VSYS?

 

you'd need to start by creating a NoPBF rule sourced from the guest zone to the public IP and put that at the top of the PBF policy

then you would need a 'regular' NAT rule from guest zone to WAN1 zone and public IP, translate to server internal address

by TheRealDiz
on ‎04-27-2016 05:18 AM

Hi @reaper,

 

Yep, sure, 1 VR.

For the no-PBF rule I agree with you, but what about the regular NAT rule?

I need to translate guest IP addresses behind wan2 interfaces so that's why there is PBF for guest.

 

If I put NoPBF rule, which IP address should I use in order to translate guest traffic?

You mean I don't need U-turn NAT in this kind of situation?

 

BR

Luca

by Community Manager
on ‎04-27-2016 05:32 AM

since the guest and server are in different zones, you don't need U-turn NAT as you simply traverse through the firewall

 

only if it is mandatory (by company policy) that all guest traffic is sourced from the WAN2 public IP would you need to do double NAT (source and destination NAT in 1 rule). if this is not mandatory, you can simply do a destination translation like you would do normally, without source nat, since this is not required.

 

If you consider the guest vlan a DMZ, the VR is going to be aware of the attached ip subnets and can simply route between the 2 zones

Since there is PBF for all traffic, that routing would be overruled, so you'll need a no-PBF rule to prevent sessions destined for the server from being sent out via PBF and instead get handled by the VR routing table.

once routing follows the 'normal' path, the only thing you'd need to take care of is performing NAT for the server public ip to the server private IP. the guest subnet would not need to be source natted as it is a connected network and the VR can simply route returning packets back

by TheRealDiz
on ‎04-27-2016 07:13 AM

Hi @reaper,

 

Thanks again for your explanation.

Phoenix is wan2 in my example before.

But this is situation right now:

 

Nat_rule.JPG
Security_rule.JPG
Logs_From_Monitor.JPG

 

There is something missing I suppose.

I have followed your suggestions .. still not working properly.

by Community Manager
on ‎04-27-2016 07:49 AM

either the PBF is still active and your connections are being forced out through phoenix (you can check this with a 'show session id xxx' in the CLI, it will highlight which pbf rule is used, if any)

 

other than that.. the public IP address in the destination is configured on the interface used for WAN1, right ? (if it is simply used in NAT policy but not attached to the interface, the VR will not be aware of it and this could lead to the above behavior)

 

> show routing route

should show that ip or the subnet as attached to an interface

by TheRealDiz
on ‎04-28-2016 01:29 AM

Hi @reaper,

 

Yep, sure, the public IP is declared on interface 1/1, which is assigned to the wan1 zone.

 

I am trying to understand why this happens.. Maybe a static route is needed?

Let me know.

 

Luca

 

by Community Manager
on ‎04-28-2016 01:44 AM

If all the subnets are directly connected no additional static routes would be needed

Did you make sure to move the new NAT rule all the way to the top, above the hide-nat towards the internet ?

 

what is needed:

1. show routing route returns the server subnet, the guest subnet , the public ip of the server as connected networks (or static/dynamic routes)

2. no-pbf rule at the top of the rulebase from guest network to the server public ip, above the outbound pbf for guest network

3. nat rule at the top of the rulebase from guest to server-public destination nat to server private

4. security policy that allows guest network to server public ip in server zone for a set of applications

by TheRealDiz
on ‎04-29-2016 02:15 AM

Hi @reaper,

 

Many many thanks for your explanation regarding this.

I've tried to configure as you suggested without success.

 

For now, I made workaround assigning on DHCP server internal DNS server for guest.

I will replicate this configuration in a test environment.

 

I hope I can do this asap (I'm simply busy with other issues).

I will update you with any progress made with this kind of configuration.

 

As usual, you're always on point!

Thanks a lot again!!

 

Best Regards

Luca

 

by tsrivastav
‎05-05-2016 12:18 PM - edited ‎05-05-2016 12:22 PM

*******************************************************************************

 

Make sure that you have negated the private IP addresses in the PBF rule; otherwise, after DNAT, traffic will be sent out by the PBF rule to the ISP (even for the private IP address).

 

post.PNG

Solution 2 if it's still not working

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

OR

If your network has many pbf rules

 

Make a no-PBF rule on the top, negating both the public and private IP addresses of the server; also (talking about the U-turn NAT rule) translate the source IP address in the translated packet to the gateway IP address of the server.

 

by TheRealDiz
on ‎05-20-2016 06:45 AM

Hi @tsrivastav,

 

Thanks also to you for your suggestion.

I know this is a "Configuration Article" and it's really important to provide a consistent solution on this one.

 

I confirm that I've already tried to put a No-pbf on top, unfortunately this doesn't solve our issue.

So I have implemented a work-around in the customer environment.

 

Best Regards

Luca

 

by tsrivastav
on ‎05-20-2016 07:42 AM

Thanks for the update Luca,

I have seen cases like this which are working without any issues

there is something different in the customers network which is making this issue unique.

I am glad that you implemented a work around.

 

Again thanks a lot for updating me on this

by mdouglas
on ‎08-03-2016 09:58 AM

The second example for the multi-zone configuration omits source nat for some reason. I don't know if it depends on your environment, but in my scenario I couldn't make this work without source nat in that rule.

 

Furthermore, the second screenshot for that example that shows the security rules lists an any/any outbound rule. This is probably unnecessary as your existing outbound rule for the server should be sufficient. In any case, you'll likely want to have the rule be more specific than allowing any out.

by Community Manager
on ‎08-04-2016 01:17 AM

Hi @mdouglas : yes, this will depend slightly where the destination server is, if it is in the same subnet as your client, you will need source translation so the returning traffic is symmetrical. If the server and client are separated with the PANW in the middle, or at least in the routing path, source translation is optional. it also needs to be above the hide-nat outbound rule for generic internet access.

 

I'll crop the second security policy as it is merely informational to illustrate regular outbound traffic

by traymondchia
‎05-13-2017 04:02 AM - edited ‎05-13-2017 04:23 AM

Remark 1) A two-zone U-turn NAT requires a security policy if a deny-all policy rule precedes the default intra-zone security policy rule.

In PAN-OS versions that do not have the default intra-zone policy rule, the security policy is mandatory.

Remark 2) NAT rules use pre-NAT IP addresses and zones, while their associated security policy rules use post-NAT zones and pre-NAT IP addresses.

 

 

by FaniKhatakaar
on ‎08-23-2017 08:11 PM

What if the case is intra-zone traffic requiring source dynamic NAT? For example, a guest in the outside zone with a private IP address scheme browsing the Internet via a link in the same (outside) zone but a different interface/network. The traffic needs its source address translated to a public IP address, which can be the firewall interface or a dedicated public IP (pool)??? Is it possible?

by Community Manager
on ‎08-23-2017 11:52 PM

yes this is perfectly possible.

first, if the users are on a different interface, why would you want them in the same zone as the internet interface? I'd recommend giving them their own zone for more control over the security policies

 

in this scenario, the source and destination zone would be the same, but the rest of the NAT rule would look exactly the same as a normal outbound nat policy

 odd nat.png

by JustinChen
on ‎01-25-2018 06:20 PM

Hi All,

 


May I apply the U-turn NAT with a load sharing method? And will it cause the destination NAT and source NAT to fail to work?

 

 

Justin

by Community Manager
on ‎01-26-2018 05:13 AM

hi @JustinChen

 

could you explain a little more what you're trying to accomplish ?

by Navigator
on ‎07-24-2018 02:21 PM

Hi Reaper,

I have another Case .. Two Zones on PA with the Below design:

  SVR1-----(Inside)-PA-(DMZ)----(Router that do NAT)----------   SVR2

10.1.1.5---10.1.1.1(PA)10.2.2.1----10.2.2.2(Router)10.3.3.2---10.3.3.3

 

As per the above topology, PA has (Inside and DMZ) zones.

We need to configure PA to do source and destination NAT so that when SVR1 communicates with SVR2 both are NATted like this:

From 10.1.1.5 to 10.3.3.3 becomes

          10.2.2.5 to 10.4.4.3 and vice versa when SVR2 talks to SVR1

How can I achieve that using U-NAT in terms of routing, policy and NAT rules?

by Community Manager
on ‎07-25-2018 02:59 AM

Hi @Navigator

 

You don't, this is straightforward NAT that does not require U-turn. U-turn is only used when source and destination are ultimately in the same broadcast domain but use 'external' IP addresses to communicate (eg 10.0.0.1 talks to 10.0.0.2 via 198.51.100.1 public IP)

 

in this scenario you would need to apply source + destination translation on both devices, depending on if your client needs to use the real destination IP but the 'middle' is unaware, or the translated destination

 

 

hide-middle

PA:

from 10.1.1.5 to 10.3.3.3

Xlate: 10.2.2.5 to 10.4.4.3

rtr:

from 10.2.2.5 to 10.4.4.3

Xlate none to 10.3.3.3

 

returning traffic will normally be taken care of by the state table

if bidirectionally initiated traffic is required, the reverse policies would be:

 

rtr:

from 10.3.3.3 to 10.2.2.5

Xlate 10.4.4.3 to none

PA

from  10.4.4.3 to 10.2.2.5

Xlate none to 10.1.1.5

by Navigator
on ‎07-25-2018 03:32 AM

 Hi Reaper,

In the old FW, we used the DNS Doctoring feature to resolve SVR2 from SVR1 with its real address (10.3.3.3), not the NATted one, so we are trying to do the same with PA using U-NAT as per the doc below:

https://live.paloaltonetworks.com/t5/Management-Articles/DNS-rewrite-on-a-Palo-Alto-Networks-firewal...

So how can we achieve that for my scenario above?

Another thing: for traffic initiated from SVR2 to SVR1, do we need to make the NAT rule zone DMZ to DMZ, as both source and destination in this case are considered to originate from the DMZ zone?

by Community Manager
on ‎07-25-2018 05:23 AM

hi @Navigator

 

use DNS proxy to provide SRV2 with A record 10.4.4.3, enable dns proxy on inside interface and set srv1 dns server to 10.1.1.1

SRV2 you may need to set a hosts record so srv1 resolves to 10.2.2.1

 

in PA:

from (inside)10.1.1.5 to (dmz)10.4.4.3 xlate src 10.2.2.1

from (dmz)10.2.2.2 to (dmz) 10.2.2.1 xlate src 10.4.4.3 dst 10.1.1.5

 

in rtr

from 10.2.2.1 dst 10.4.4.3 xlate  dst 10.3.3.3

from 10.3.3.3 dst 10.2.2.1 xlate src 10.4.4.3

 
