NAT traffic from DMZ to another zone

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

NAT traffic from DMZ to another zone

L0 Member

Hallo Everyone,

I am using PA-220

let’s call PaloAlto-Firewall “X”

Office Firewall “Y”

Other firewall “Z”

Firewall X has 8 Interfaces.

Interface 1/1: has the IP-Addressee we assigned this Interface to a Zone Called "DMZ". When this firewall and this Interfaces want to communicate with our office Network it send the traffic to firewall Y with the IP: "Works fine as intended"

Interface 1/2: This interface is physically connected another firewall Z and this interface has the IP:, this Interface is also assign to a Zone named “InterConnectedNetwork”. The firewall IP of Z

The firewall Z has three V-LAN 192.168.11/13/15. All the participant of this V-LAN can talk to each through firewall Z other without any problem. Internal routing is configured as like following: Any Traffic come to firewall Z but it’s intend to forwarded to its V-LAN-participant. Firewall Z forward this traffic to the right machine.

Now let’s say a machine with IP traying to talk to one of V-LAN of firewall Z though the firewall Y (have static route to firewall X, it’s work fine) and DMZ of firewall X. Since i do not want to expose the IP from the V-LAN in firewall Z. I created a S-NAT in Palo alto. It's work fine. The traffic in this case looks like following: (V-LAN-Participant: send packet to its gateway> From this point firewall Z forward this packet through the paloalto interface 1/5 --> than the DMZ of firewall X send the packet to firewall Y > Firewall Y send the Packet to

Again the packet flow: -> ->>>, so Outbound NAT work perfectly

What is not working is Inbound. I have tried everything that i could, but it is not working. By Inbound the traffic reach the DMZ of Palo alto but it does not forward further. The traffic stop in following point: ->>

what i already tried:

  1. Static Routing Tabell
  2. D-NAT (along with a security poilicy)
  3. U-NAT (along with a security poilicy)
  4. Policy Based Forwarding.

Of Course there is always the possibility that i implemented all this in a wrong way.

Can anyone help? Any kind of suggestion regarding to this problem would be nice!

Best regards,



Community Team Member

Hi @MRahaman ,


Can you share a screenshot of your DNAT and security policy? If you don't feel comfortable sharing here, you can send a PM to myself. 

LIVEcommunity team member
Stay Secure,
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!