04-03-2011 12:00 PM
We are hoping that someone can suggest a simpler way to resolve the issue of allowing internal hosts (in the Trust zone) to access servers sitting on the Trust zone via their external IP address (what PAN calls a UTurn or Hairpin rule). We have nearly 70 Static IP NAT rules, most of which are bidirectional, and are not looking forward to defining a second NAT rule for each.
One might assume that given the fact that bidirectional Static IP NAT rules have already been defined that it would (should) be possible to create one NAT rule that instructs the appliance to apply source NAT translation from any host in the Trust zone that hits the external static NAT address.
Suggestions please!
Thanks,
Stuart Brainerd
04-05-2011 09:56 AM
Hi Stuart
If you have that many hosts sitting on the inside of the network, it might be interesting to consider having internal DNS records pointing your LAN hosts to internal IPs for the servers.
The existing rules set up for your static NAT are geared differently (no source translation for inbound connections, which is required for u-turn and different zones etc.), so unfortunately there's probably no clean way to do that using NAT rules.
Regards,
Tom
04-05-2011 10:48 AM
Hi Stuart,
It might be possible to consolidate rules if your public and private addresses match up contiguously. Then you can create a single dst-nat rule for the entire subnet and match that up with a single UTurn NAT rule for the subnet.
e.g.
1.1.1.1 --> 10.5.5.1
1.1.1.2 --> 10.5.5.2
1.1.1.3 --> 10.5.5.3
1.1.1.4 --> 10.5.5.4
etc...
Cheers,
Kelly
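Added example, not part of the thread and not Palo Alto tooling: a Python helper that tests which one-to-one static NAT mappings line up contiguously in the way Kelly's reply describes, and groups them into matching public/private CIDR blocks. The function names and the sample addresses are constructed for illustration; each block pair it returns is a candidate for one subnet-wide destination NAT rule plus one U-turn rule, and it never widens a block to cover an address that was not already mapped.

```python
import ipaddress
from collections import defaultdict

def _split(first, last, offset):
    """Cut a contiguous run into CIDR blocks aligned on both the public and private side."""
    out = []
    while first <= last:
        size = 1
        # Grow the block while both sides stay aligned and it still fits in the run.
        while (first % (size * 2) == 0 and (first + offset) % (size * 2) == 0
               and first + size * 2 - 1 <= last):
            size *= 2
        prefix = 33 - size.bit_length()
        out.append((f"{ipaddress.IPv4Address(first)}/{prefix}",
                    f"{ipaddress.IPv4Address(first + offset)}/{prefix}"))
        first += size
    return out

def consolidate(mappings):
    """Return (public_block, private_block) pairs covering exactly the given 1:1 mappings."""
    by_offset = defaultdict(list)
    for pub, priv in mappings.items():
        p = int(ipaddress.IPv4Address(pub))
        # Mappings can share a subnet rule only if private - public is constant.
        by_offset[int(ipaddress.IPv4Address(priv)) - p].append(p)
    blocks = []
    for offset, pubs in by_offset.items():
        pubs.sort()
        start = prev = pubs[0]
        for p in pubs[1:] + [None]:          # None flushes the final run
            if p is None or p != prev + 1:
                blocks.extend(_split(start, prev, offset))
                start = p
            prev = p
    return sorted(blocks, key=lambda b: ipaddress.ip_network(b[0]))

# Constructed sample: sixteen contiguous mappings plus one that does not line up.
SAMPLE = {f"1.1.1.{i}": f"10.5.5.{i}" for i in range(16, 32)}
SAMPLE["1.1.1.40"] = "10.5.9.7"

if __name__ == "__main__":
    for pub, priv in consolidate(SAMPLE):
        print(f"{pub:>14} <-> {priv}")
```

Blocks that come back as /32 are the mappings that still need their own pair of rules.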