Can only access DMZ server using private address, U-turn NAT not working

L1 Bithead

Configuring a new PA-850, new to this so go easy on me.

I have three zones: internal, outside, DMZ.

DMZ webserver
Private IP = 192.168.2.16
Public IP = 212.12.34.56

I have created two NAT rules as follows:

internal u-turn to DMZ
source zone = internal
dest zone = outside
dest address = 212.12.34.56
dest translated address = 192.168.2.16

external to DMZ
source zone = any
dest zone = outside
dest address = 212.12.34.56
dest translated address = 192.168.2.16

For the purposes of testing that this is working I have created a security rule of ANY ANY.

I can only view the webserver from the internal network using the internal IP address of 192.168.2.16; using the FQDN or public IP I only get timeouts. Wireshark on the internal clients shows outbound HTTP, but Wireshark on the server shows no traffic inbound except when using 192.168.2.16.

The u-turn NAT rule is above the public NAT rule and the hide-NAT rule is last in the list. I am sure I am missing something simple but I have been through the how-to u-turn video and guide here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

The only thing I can see is there is also some source translation in the video which is not shown in the document, but I think that is a red herring.

Any ideas?

2 REPLIES

Cyber Elite

Hello,

Make sure you have logging enabled on your policies and see where the traffic is flowing. I know you have your any-any policy, but it might not be set up correctly. The thought I had was possible asymmetric routing, so check your virtual router and make sure everything is getting routed correctly.

Regards,

L1 Bithead (accepted solution)

Plugging the Outside interface into a small switch brought the interface up, and the translation between internal and DMZ then occurred as expected. I don't remember seeing anything about this in the documentation, but I guess it's a one-liner I may have missed.

Thanks for posting back OtakarKlier, I did learn how to use the monitor a little so it wasn't a waste of time.
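The behaviour the two posts above describe, U-turn translation only starting to work once the outside interface came up, follows from how a zone-based firewall picks the destination zone for NAT matching: the zone comes from a route lookup on the original (pre-NAT) destination address, and a route whose egress interface is down is not usable. The model below is an added example, not PAN-OS code and not anything posted in the thread. It assumes that lookup behaviour, keeps the zone names, addresses and rule names from the original post, and uses constructed interface names, a constructed internal subnet of 192.168.1.0/24 and a single default route via the outside interface.

```python
"""Toy model of first-match NAT policy lookup on a zone-based firewall.

Added example, not PAN-OS code. Assumption modelled: the destination zone used
to match a NAT rule is derived from a route lookup on the ORIGINAL (pre-NAT)
destination address, and a route via a down interface is withdrawn.
Zone names, addresses and rule names follow the original post; interface
names, the internal subnet and the default route are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    zone: str
    up: bool


@dataclass
class Route:
    prefix: str
    egress: str  # interface name


@dataclass
class NatRule:
    name: str
    from_zone: str                  # "any" matches every source zone
    to_zone: str                    # pre-NAT destination zone
    dest: Optional[str]             # original destination address, None = any
    dest_xlate: Optional[str] = None
    src_xlate: Optional[str] = None


# Rules in the order the poster listed them: U-turn first, public next, hide-NAT last.
NAT_RULES = [
    NatRule("internal u-turn to DMZ", "internal", "outside", "212.12.34.56",
            dest_xlate="192.168.2.16"),
    NatRule("external to DMZ", "any", "outside", "212.12.34.56",
            dest_xlate="192.168.2.16"),
    NatRule("hide-NAT", "internal", "outside", None, src_xlate="212.12.34.56"),
]


def build_topology(outside_up: bool):
    """Three-zone box; only the outside link state varies (interface names constructed)."""
    interfaces = {
        "ethernet1/1": Interface("ethernet1/1", "outside", outside_up),
        "ethernet1/2": Interface("ethernet1/2", "internal", True),
        "ethernet1/3": Interface("ethernet1/3", "DMZ", True),
    }
    routes = [
        Route("192.168.1.0/24", "ethernet1/2"),  # internal clients (constructed)
        Route("192.168.2.0/24", "ethernet1/3"),  # DMZ web server lives here
        Route("0.0.0.0/0", "ethernet1/1"),       # default route via outside
    ]
    return interfaces, routes


def dest_zone(dst: str, interfaces, routes) -> Optional[str]:
    """Longest-prefix match over routes whose egress interface is up."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and interfaces[r.egress].up:
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = r
    return interfaces[best.egress].zone if best else None


def nat_lookup(src_zone: str, dst: str, outside_up: bool) -> dict:
    """Return the pre-NAT destination zone, the first matching rule and the result."""
    interfaces, routes = build_topology(outside_up)
    zone = dest_zone(dst, interfaces, routes)
    if zone is None:
        # No usable route: the packet is dropped before NAT policy is consulted.
        return {"dest_zone": None, "rule": None,
                "translated_dest": None, "translated_src": None}
    for rule in NAT_RULES:
        if rule.from_zone not in ("any", src_zone) or rule.to_zone != zone:
            continue
        if rule.dest not in (None, dst):
            continue
        return {"dest_zone": zone, "rule": rule.name,
                "translated_dest": rule.dest_xlate or dst,
                "translated_src": rule.src_xlate}
    return {"dest_zone": zone, "rule": None,
            "translated_dest": dst, "translated_src": None}


if __name__ == "__main__":
    for up in (False, True):
        print(f"outside link up={up}:", nat_lookup("internal", "212.12.34.56", up))
    print("direct to private IP:", nat_lookup("internal", "192.168.2.16", True))
    print("from the Internet:", nat_lookup("outside", "212.12.34.56", True))
```

With the outside link down, no route resolves 212.12.34.56 to a zone, so neither the U-turn rule nor the public rule is ever consulted and the session is dropped, while traffic sent directly to 192.168.2.16 resolves to the DMZ and needs no NAT, which is exactly the split the poster observed. Once the link is up, the U-turn rule is the first match for internal clients. On the real firewall the equivalent check is the one the first reply suggests: read the source and destination zones and the NAT rule recorded in the traffic log for the failing session, and confirm in the virtual router's forwarding table that the public address actually has a usable route.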
