DMZ to inside LAN


L1 Bithead

I know you need a security policy to go from DMZ to LAN, but do you need a NAT statement? In all the Palo Alto documents that I have seen, no NAT rule is used. If I am wrong, could someone send me a link?


Thank you 


6 replies

L6 Presenter

Hi,


It all depends on whether you want to "hide" the source IP and/or whether you are coming from a private IP address to a public one, or vice versa. From DMZ to LAN (assuming you do have a private IP address range), if you want to "hide" the DMZ server's source IP address, then you can NAT it to the PA LAN interface so all requests will appear to the LAN users as coming from the PA source IP. NAT is not a requirement between RFC 1918 IP addresses, but it is between public IPs, as private IPs are not allowed on the Internet.

Cyber Elite

Can you explain what you are trying to do in a little more detail, and what your current infrastructure looks like? You may be thinking about a U-turn NAT or hairpinning, but without knowing what your setup looks like we can't give you an answer for your environment.

Generally the respective zones would just need security policies put into place to allow the traffic. 

L3 Networker

no, DMZ <-> Trust should not require a NAT.


As long as the routing is all square, you won't need anything beyond the security policy. With or without the policy in place, the traffic logs should confirm that.


Thank you 

L7 Applicator

As everyone has mentioned, if the hosts are communicating on their connected internal addresses all is good.


But I suspect you may be referring to the case where internal hosts get DNS entries with the external address of the servers in your DMZ. Then you do need to use what is called "U-turn" NAT for the connections to work.


See this documentation.

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
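Added illustration, not code from this thread or from Palo Alto Networks: a small Python model of the order in which a zone-based firewall such as PAN-OS evaluates a flow (route lookup, NAT policy matched on the pre-NAT destination zone, then security policy matched on the post-NAT zone but the pre-NAT addresses). It runs the two cases discussed above, the DMZ-to-Trust flow on private addresses that needs only a security rule, and the U-turn case where a LAN host connects to the DMZ server's public address, plus the same-subnet variant where a source translation is also needed. Zones, addresses (RFC 1918 space and the 203.0.113.0/24 documentation range), interface IPs and rule names are all invented for the example.

```python
# Toy model of the lookup order a zone-based firewall such as PAN-OS applies to a flow.
# Added illustration only: not PAN-OS code; zones, addresses and rule names are invented.
#   1. ingress zone       = zone of the arrival interface (here: route lookup on the source)
#   2. pre-NAT dest zone  = route lookup on the ORIGINAL destination
#   3. NAT rule           = matched on ingress zone, pre-NAT dest zone, original addresses
#   4. post-NAT dest zone = route lookup on the TRANSLATED destination
#   5. security rule      = matched on ingress zone, POST-NAT dest zone, PRE-NAT addresses
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # pre-NAT destination zone
    dst: str                # original destination to match
    dst_xlate: str          # translated destination
    src_xlate: Optional[str] = None  # translated source; only when client and server share a subnet

@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str            # post-NAT destination zone
    src: str                # pre-NAT source
    dst: str                # pre-NAT destination
    action: str

# Constructed topology: Trust LAN, DMZ, default route towards the ISP.
ROUTES = [("10.0.0.0/24", "Trust"), ("192.168.10.0/24", "DMZ"), ("0.0.0.0/0", "Untrust")]

def zone_for(ip: str) -> str:
    """Longest-prefix match against ROUTES; returns the zone of the egress route."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), z) for p, z in ROUTES if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def in_obj(ip: str, obj: str) -> bool:
    return obj == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)

def evaluate(src: str, dst: str, nat_rules, sec_rules) -> dict:
    ingress, pre_nat_zone = zone_for(src), zone_for(dst)
    nat = next((n for n in nat_rules if n.from_zone == ingress and n.to_zone == pre_nat_zone
                and in_obj(dst, n.dst)), None)
    xlated_dst = nat.dst_xlate if nat else dst
    xlated_src = nat.src_xlate if nat and nat.src_xlate else src
    post_nat_zone = zone_for(xlated_dst)
    # Security policy: zones AFTER NAT, addresses BEFORE NAT.
    sec = next((s for s in sec_rules if s.from_zone == ingress and s.to_zone == post_nat_zone
                and in_obj(src, s.src) and in_obj(dst, s.dst)), None)
    return {"ingress_zone": ingress, "pre_nat_zone": pre_nat_zone,
            "nat_rule": nat.name if nat else None,
            "translated_src": xlated_src, "translated_dst": xlated_dst,
            "post_nat_zone": post_nat_zone,
            "security_rule": sec.name if sec else None,
            "verdict": sec.action if sec else "deny"}   # interzone default: deny

# U-turn NAT: internal DNS hands out the public IP 203.0.113.10, which the firewall
# maps back to the DMZ web server 192.168.10.10.
NAT_RULES = [
    NatRule("UTurn-Web-from-Trust", "Trust", "Untrust", "203.0.113.10/32", "192.168.10.10"),
    # Client in the server's own subnet: also source-translate to the firewall's DMZ
    # interface (192.168.10.1) so the reply returns via the firewall, not directly.
    NatRule("UTurn-Web-from-DMZ", "DMZ", "Untrust", "203.0.113.10/32", "192.168.10.10",
            src_xlate="192.168.10.1"),
]
SEC_RULES = [
    SecRule("DMZ-to-Trust", "DMZ", "Trust", "192.168.10.0/24", "10.0.0.0/24", "allow"),
    # Destination object is the PRE-NAT public address; zone is the POST-NAT DMZ zone.
    SecRule("Trust-to-DMZ-public", "Trust", "DMZ", "10.0.0.0/24", "203.0.113.10/32", "allow"),
    SecRule("DMZ-to-DMZ-public", "DMZ", "DMZ", "192.168.10.0/24", "203.0.113.10/32", "allow"),
]

def dmz_to_lan() -> dict:          # the thread's question: private to private, no NAT
    return evaluate("192.168.10.10", "10.0.0.50", NAT_RULES, SEC_RULES)

def lan_to_dmz_public() -> dict:   # LAN host -> DMZ server's public IP: U-turn NAT
    return evaluate("10.0.0.50", "203.0.113.10", NAT_RULES, SEC_RULES)

def lan_to_dmz_public_without_nat() -> dict:   # same flow, NAT rule missing
    return evaluate("10.0.0.50", "203.0.113.10", [], SEC_RULES)

def lan_to_dmz_public_wrong_rule() -> dict:    # mistake: rule written with the private IP
    wrong = [SecRule("Trust-to-DMZ-private", "Trust", "DMZ", "10.0.0.0/24", "192.168.10.10/32", "allow")]
    return evaluate("10.0.0.50", "203.0.113.10", NAT_RULES, wrong)

def dmz_to_dmz_public() -> dict:   # same-subnet client: destination + source NAT
    return evaluate("192.168.10.20", "203.0.113.10", NAT_RULES, SEC_RULES)

if __name__ == "__main__":
    for fn in (dmz_to_lan, lan_to_dmz_public, lan_to_dmz_public_without_nat,
               lan_to_dmz_public_wrong_rule, dmz_to_dmz_public):
        print(f"{fn.__name__:30} {fn()}")
```

The first case is the thread's answer: a DMZ host reaching a Trust host on its private address matches no NAT rule and is allowed by the DMZ-to-Trust security rule alone. The wrong-rule case is the usual reason a U-turn setup "has NAT but still drops": the security rule's destination must be the pre-NAT public address while its destination zone is the post-NAT DMZ zone, and a rule written with the private address never matches.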

thank you 

  • 1 accepted solution
  • 5342 Views
  • 6 replies
  • 0 Likes