03-21-2012 05:12 PM
Hi all,
I'm trying to get a better understanding of how a specific request is completed. If an internal private IP, say 10.10.10.20, leaves the private network behind an IP of 2.2.2.2 and heads to the Internet fine, then tries to go to an IP which the firewall NATs, such as 2.2.2.3, to a DMZ IP of 10.10.50.20, what is the source for the packet?
Does the firewall consider the packet from 10.10.10.20 as having really gone straight to 10.10.50.20 and do no address translation? If it's really gone out and back in, then surely 10.10.50.20 would get a source address for the inbound packet of 2.2.2.2 (the IP that the general inside traffic goes out behind).
Any clarification of all this would be very useful to me in troubleshooting an ongoing issue I have with inside devices contacting a DMZ device by its external IP, which is currently failing.
Thanks in advance
UKRB.
03-21-2012 09:47 PM
Hello,
What you're describing is what we call "U-Turn NAT". There is a great document called understanding NAT and it seems to cover your questions and should help you in creating your security policies and NAT policies for this particular type of NAT.
Here is the link:
Page 27 begins the U-Turn NAT discussion and examples. (With Screenshots)
If for some reason the link above doesn't work, the document can be found on the support portal under technical documentation.
Let us know if this helps.
Thanks,
Jason Seals
03-21-2012 09:53 PM
You are basically describing a U-turn NAT scenario. Have a look at the article below, as it could help you understand how this scenario works.
https://live.paloaltonetworks.com/docs/DOC-1678
You may also find the Tech Note below useful as well.
-Richard
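As an added illustration of the U-turn case discussed in both replies (this is example code, not from the thread or from any Palo Alto Networks document), the Python model below shows why the DMZ host never sees 2.2.2.2: the NAT rule is matched on the pre-NAT zones (2.2.2.3 routes toward the untrust zone, so the rule is trust to untrust), the destination is rewritten to 10.10.50.20 without the packet ever leaving the firewall, and the source the DMZ host sees is either the client's real address or, if source translation is added to the U-turn rule, a firewall-side address. The zone names, the rule names and the firewall's DMZ interface address 10.10.50.1 are assumptions for the example.

```python
import ipaddress

# Constructed topology, assumed for this example (not from the thread):
# trust = 10.10.10.0/24, dmz = 10.10.50.0/24, everything else = untrust.
# The firewall's own DMZ-side interface address is assumed to be 10.10.50.1.
ROUTES = {"10.10.10.0/24": "trust", "10.10.50.0/24": "dmz", "0.0.0.0/0": "untrust"}
FW_DMZ_IF = "10.10.50.1"

# NAT rules are matched on PRE-NAT zones and addresses; first match wins.
# "dst": None means "any destination"; a None translation leaves that field alone.
NAT_RULES = [
    {"name": "inbound-dnat", "from": "untrust", "to": "untrust", "dst": "2.2.2.3",
     "dst_xlate": "10.10.50.20", "src_xlate": None},
    {"name": "uturn-dnat", "from": "trust", "to": "untrust", "dst": "2.2.2.3",
     "dst_xlate": "10.10.50.20", "src_xlate": FW_DMZ_IF},
    {"name": "outbound-snat", "from": "trust", "to": "untrust", "dst": None,
     "dst_xlate": None, "src_xlate": "2.2.2.2"},
]

def zone_of(ip):
    """Longest-prefix route lookup: which zone does this address live in?"""
    addr = ipaddress.ip_address(ip)
    match = max((n for n in ROUTES if addr in ipaddress.ip_network(n)),
                key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[match]

def translate(src, dst, rules=NAT_RULES):
    """Return (rule name, post-NAT source, post-NAT destination, post-NAT dest zone).

    The zone used to MATCH the rule comes from a route lookup on the pre-NAT
    destination, so 2.2.2.3 looks like 'untrust' even though the server sits in
    the DMZ; the zone returned is recomputed on the translated address.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in rules:
        if r["from"] == src_zone and r["to"] == dst_zone and r["dst"] in (None, dst):
            new_src = r["src_xlate"] or src
            new_dst = r["dst_xlate"] or dst
            return r["name"], new_src, new_dst, zone_of(new_dst)
    return None, src, dst, dst_zone

# Same rules with no source translation on the U-turn rule: the DMZ host then sees
# the client's real 10.10.10.20 and may answer it directly, bypassing the firewall's
# session table (asymmetric return path), a common cause of "inside to DMZ external
# IP fails" reports.
NO_SNAT_RULES = [dict(r, src_xlate=None) if r["name"] == "uturn-dnat" else r
                 for r in NAT_RULES]

if __name__ == "__main__":
    for flow in [("10.10.10.20", "8.8.8.8"), ("10.10.10.20", "2.2.2.3"), ("3.3.3.3", "2.2.2.3")]:
        print(flow, "->", translate(*flow))
    print("without source NAT:", translate("10.10.10.20", "2.2.2.3", NO_SNAT_RULES))
```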