03-20-2017 09:26 AM
I know you need a security policy to go from DMZ to LAN, but do you need a NAT statement? In all the Palo Alto documents that I have seen, no NAT rule is used. If I am wrong, could someone send me a link?
Thank you
03-20-2017 11:19 AM
No, DMZ <-> Trust should not require a NAT.
As long as the routing is all square, you won't need anything beyond the security policy. With or without the policy in place, the traffic logs should confirm that.
03-20-2017 09:38 AM - edited 03-20-2017 10:21 AM
Hi,
It all depends on whether you want to "hide" the source IP, and/or whether you are coming from a private IP address to a public one or vice versa. From DMZ to LAN (assuming you do have a private IP address range), if you want to "hide" the DMZ server's source IP address, then you can NAT it to the PA's LAN interface so all requests will appear to the LAN users as coming from the PA's source IP. NAT is not a requirement between RFC 1918 IP addresses, but it is when going to public IPs, as private IPs are not allowed on the Internet.
03-20-2017 10:31 AM
Can you explain what you are trying to do a little bit more, and what your current infrastructure looks like? You may be thinking about a U-turn NAT or hairpinning, but without knowing what your setup looks like we can't give you an answer for your environment.
Generally the respective zones would just need security policies put into place to allow the traffic.
03-20-2017 05:00 PM
As everyone has mentioned, if the hosts are communicating on their connected internal addresses all is good.
But I suspect you may be referring to the case where internal hosts get DNS entries with the external address of the servers in your DMZ. Then you do need to use what is called "U-turn" NAT for the connections to work.
See this documentation.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081
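The two cases in this thread (plain DMZ <-> Trust with only a security policy, and the U-turn case where an internal client resolves the DMZ server's public address) can be worked through in a small model of the lookup order a zone-based firewall like PAN-OS uses: NAT policy is matched on the zones and addresses of the original packet, while security policy is matched on the post-NAT destination zone but the pre-NAT addresses. The code below is an added example, not from this thread or from Palo Alto Networks; the topology (10.1.0.0/16 trust, 10.2.0.0/24 DMZ, 203.0.113.10 as the server's public address) and the rule names are constructed assumptions.

```python
"""Model of NAT / security policy evaluation for DMZ <-> trust traffic.

Constructed example; the routes, addresses and rule names below are
assumptions, not taken from the forum thread or from any real firewall.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed routing table: (prefix, zone of the egress interface).
# Longest prefix match decides which zone an address belongs to.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "trust"),
    (ipaddress.ip_network("10.2.0.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]


def zone_for(ip: str) -> str:
    """Zone of an address = zone of the interface its best route uses."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str               # zone of the PRE-NAT destination (route lookup)
    dst: ipaddress.IPv4Network
    dst_xlate: str             # translated destination address


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str               # zone of the POST-NAT destination
    dst: List[ipaddress.IPv4Network]  # matched against PRE-NAT addresses
    action: str


def evaluate(src_ip: str, dst_ip: str,
             nat_rules: List[NatRule], sec_rules: List[SecRule]) -> dict:
    src_zone = zone_for(src_ip)
    pre_nat_dst_zone = zone_for(dst_ip)
    # 1. NAT lookup: original zones and original addresses.
    nat: Optional[NatRule] = next(
        (r for r in nat_rules
         if r.from_zone == src_zone and r.to_zone == pre_nat_dst_zone
         and ipaddress.ip_address(dst_ip) in r.dst), None)
    forwarded_to = nat.dst_xlate if nat else dst_ip
    # 2. Security lookup: post-NAT destination zone, pre-NAT addresses.
    post_nat_dst_zone = zone_for(forwarded_to)
    sec: Optional[SecRule] = next(
        (r for r in sec_rules
         if r.from_zone == src_zone and r.to_zone == post_nat_dst_zone
         and any(ipaddress.ip_address(dst_ip) in n for n in r.dst)), None)
    return {
        "nat_rule": nat.name if nat else None,
        "forwarded_to": forwarded_to,
        "dst_zone": post_nat_dst_zone,
        "security_rule": sec.name if sec else None,
        "action": sec.action if sec else "deny",   # implicit interzone deny
    }


WEB_PRIVATE = "10.2.0.10"      # DMZ web server, real address (assumed)
WEB_PUBLIC = "203.0.113.10"    # its public address in external DNS (assumed)
CLIENT = "10.1.0.50"           # internal client in the trust zone (assumed)

# U-turn rule: trust -> untrust because 203.0.113.10 routes out untrust,
# translating the destination back to the DMZ server.
NAT_RULES = [
    NatRule("u-turn-web", "trust", "untrust",
            ipaddress.ip_network(WEB_PUBLIC + "/32"), WEB_PRIVATE),
]
# Security rule is trust -> dmz (post-NAT zone) and must list the PUBLIC
# address too, because the security lookup sees the pre-NAT destination.
SEC_RULES = [
    SecRule("trust-to-dmz-web", "trust", "dmz",
            [ipaddress.ip_network(WEB_PRIVATE + "/32"),
             ipaddress.ip_network(WEB_PUBLIC + "/32")], "allow"),
]


def direct() -> dict:
    """Client uses the server's private address: security policy only."""
    return evaluate(CLIENT, WEB_PRIVATE, NAT_RULES, SEC_RULES)


def via_public_dns() -> dict:
    """Client resolved the public address: U-turn NAT plus security policy."""
    return evaluate(CLIENT, WEB_PUBLIC, NAT_RULES, SEC_RULES)


def via_public_dns_without_nat() -> dict:
    """Same, but no NAT rule: the packet heads for untrust and is denied."""
    return evaluate(CLIENT, WEB_PUBLIC, [], SEC_RULES)


def via_public_dns_rule_lists_private_only() -> dict:
    """NAT present, but the security rule only names the private address."""
    rules = [SecRule("trust-to-dmz-web", "trust", "dmz",
                     [ipaddress.ip_network(WEB_PRIVATE + "/32")], "allow")]
    return evaluate(CLIENT, WEB_PUBLIC, NAT_RULES, rules)


if __name__ == "__main__":
    for f in (direct, via_public_dns, via_public_dns_without_nat,
              via_public_dns_rule_lists_private_only):
        print(f"{f.__name__:40s} {f()}")
```

`direct()` shows the situation the accepted answer describes: routing already places the two hosts in their zones, no NAT rule matches, and the trust-to-dmz security rule alone allows the session. `via_public_dns()` is the U-turn case: the pre-NAT route lookup puts 203.0.113.10 in untrust, so the NAT rule is written trust -> untrust, while the security rule is written trust -> dmz because it sees the translated destination's zone. The last two functions show the two ways a U-turn setup usually fails in practice: the NAT rule missing altogether (traffic is sent toward the Internet), or a security rule that lists only the private address and therefore never matches the pre-NAT public destination.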