DMZ to inside LAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

DMZ to inside LAN

L1 Bithead

I know you need a security policy to go from dmz to Lan but do you need a nat statement.  On all the Palo Alto documents that I have seen no nat rule is used.  If I am wrong could some one send me a link.  

 

Thank you 

1 accepted solution

Accepted Solutions

L3 Networker

no, DMZ <-> Trust should not require a NAT.

 

As long as the routing is all square, you won't need anything beyond the security policy. With or without the policy in place, the traffic logs should confirm that.

 

View solution in original post

6 REPLIES 6

L6 Presenter

Hi,

 

It all depends if you want to "hide" the source ip or/and  if you coming from the private ip address to the public or vice versa. from DMZ to LAN (assuming you do have a private ip address range), if you want to "hide" the DMZ server source  ip address then you can NATed to the PA LAN interface so all request will appear for the LAN users as PA source ip. NAT is not a requirement between the rfc 1918 ip addresses but it is between the public ip as private ip are not allowed on Internet.

Cyber Elite
Cyber Elite

Can you explain what you are trying to do a little bit more, and what your current infrastructure looks like. You may be thinking about a u-turn NAT or hairpinning but without knowing what your setup looks like we can't give you an answer for your enviroment.

Generally the respective zones would just need security policies put into place to allow the traffic. 

L3 Networker

no, DMZ <-> Trust should not require a NAT.

 

As long as the routing is all square, you won't need anything beyond the security policy. With or without the policy in place, the traffic logs should confirm that.

 

Thank you 

L7 Applicator

As everyone has mentioned, if the hosts are communicating on their connected internal addresses all is good.

 

But I suspect you may be referring the the case where internal hosts get DNS entries with the external address of the servers in your DMZ.  Then you do need to use what is called "U turn" NAT for the connections to work.

 

See this documentation.

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

thank you 

  • 1 accepted solution
  • 6117 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!