Destination: Public IP that NATs to DMZ private IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Destination: Public IP that NATs to DMZ private IP

L3 Networker

Hi all,

I'm trying to get a better understanding of how a specific request is completed. If an internal private IP, say 10.10.10.20 leaves the provate network behind an IP of 2.2.2.2 and heads to the Internet fine then tries to go to an IP which the firewall NATs, such as 2.2.2.3 to a DMZ IP of 10.10.50.20. What is the source for the packet?

Does the firewall consider the packet from 10.10.10.20 as having really gone straight to 10.10.50.20 and do no address translation? If it's really gone out and back in, then surely 10.10.50.20 would get a source address for the inbound packet as 2.2.2.2 (the IP that the general inside traffic goes out behind).

Any clarification of all this would be very useful to me in troubleshooting an ongoing issue I have with inside devices contacting a DMZ device by it's external IP, and currently failing.

Thanks in advance

UKRB.

2 REPLIES 2

L5 Sessionator

Hello,

What you're describing is what we call "U-Turn NAT". There is a great document called understanding NAT and it seems to cover your questions and should help you in creating your security policies and NAT policies for this particular type of NAT.

Here is the link:

https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=Understandin...

Page 27 begins the U-Turn NAT discussion and examples. (With Screenshots)

If for some reason the link above doesn't work, the document can be found on the support portal under technical documentation.

Let us know if this helps.

Thanks,

Jason Seals

Retired Member
Not applicable

You are basically describing a u-turn NAT scenario. Have a look at below article as it could help to understand how this scenario works.

https://live.paloaltonetworks.com/docs/DOC-1678

You may also find below Tech Note useful as well.

https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=Understandin...

-Richard

  • 2784 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!