need help with u-turn nat between zones


Not applicable

Hi all

I have read through the NAT tech notes and manuals from this site but cannot seem to get this feature to work. I have u-turn NAT enabled and working brilliantly in the same zone, but I can't get the u-turn feature to work between zones/separate networks. Let me explain our setup and any help would be very appreciated.

Guest Client Network

Source - Guest Laptop: 192.180.0.10

Dest - External webmail IP address: 89.248.148.200

Internal Corporate Network

Internal webmail server: 172.16.0.10

I need users to be able to access the external address of the webmail server from the guest client network. What I would like is that when users on the guest network access the webmail external IP, it is routed through the PA and is then routed to the internal network zone. I have set up the u-turn feature in the same zone and that works great; it's just when I am trying to do u-turns with different zones that I can't get it to work. I have followed the guide NAT Tech Notes to set the NAT and security rules for the u-turn between zones but they don't seem to be working. Any help would be great!!

Matt

6 REPLIES

L6 Presenter

Can you post a screenshot of the NAT rules you configured and a sketch of the network? Seeing this would probably allow us armchair quarterbacks to help figure this out.

-Benjamin

L4 Transporter

From your text I would say the configuration should look like:

NAT: Source Zone; Guestnetwork, Destination Zone; External, Destination; 89.248.148.200, trans dest; 172.16.0.10

Security: Source Zone; Guestnetwork, Destination Zone; Internal, Source IP; guest subnet, Dest IP; 89.248.148.200

But indeed a snapshot from what you configured could help.

Marcel
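Why the reply above pairs Destination Zone External in the NAT rule with Destination Zone Internal in the security rule, as an added example that is not part of the original thread: PAN-OS matches NAT rules on pre-NAT zones, and security rules on the pre-NAT destination address together with the post-NAT destination zone. The sketch below is a simplified model of that lookup order; the /24 prefixes, rule names, and the omission of source-IP matching are assumptions made for illustration.

```python
import ipaddress

# Constructed, simplified model of the lookup order the reply relies on:
# NAT is matched on pre-NAT zones; security policy is matched on the
# pre-NAT destination IP but the post-NAT destination zone.
ROUTES = {  # zone chosen by route lookup; prefix lengths are assumed
    "192.180.0.0/24": "Guestnetwork",
    "172.16.0.0/24": "Internal",
    "0.0.0.0/0": "External",
}
NAT_RULES = [dict(src_zone="Guestnetwork", dst_zone="External",
                  dst="89.248.148.200", translated="172.16.0.10")]


def zone_of(ip):
    """Longest-prefix route lookup returning the zone for an address."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def evaluate(src_ip, dst_ip, security_rules):
    """Return (translated destination, matching security rule name or None)."""
    src_zone = zone_of(src_ip)
    pre_nat_zone = zone_of(dst_ip)          # public IP routes to External
    new_dst = dst_ip
    for r in NAT_RULES:                     # NAT match: pre-NAT zones and IP
        if (r["src_zone"], r["dst_zone"], r["dst"]) == (src_zone, pre_nat_zone, dst_ip):
            new_dst = r["translated"]
            break
    post_nat_zone = zone_of(new_dst)        # second route lookup, after NAT
    for s in security_rules:                # security match: pre-NAT IP, post-NAT zone
        if (s["src_zone"], s["dst_zone"], s["dst"]) == (src_zone, post_nat_zone, dst_ip):
            return new_dst, s["name"]
    return new_dst, None                    # no rule matched: traffic is dropped


GOOD = [dict(name="guest-to-webmail", src_zone="Guestnetwork",
             dst_zone="Internal", dst="89.248.148.200")]
# Two common mistakes: zone left as External, or the private IP as destination
BAD_ZONE = [dict(GOOD[0], name="wrong-zone", dst_zone="External")]
BAD_IP = [dict(GOOD[0], name="wrong-ip", dst="172.16.0.10")]

if __name__ == "__main__":
    for rules in (GOOD, BAD_ZONE, BAD_IP):
        print(rules[0]["name"], evaluate("192.180.0.10", "89.248.148.200", rules))
```

Only the first rule set permits the session; the other two translate correctly but never match a security rule, which is the usual symptom when same-zone u-turn works and cross-zone does not.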

L4 Transporter

Did you find a solution to this problem? Seems like I'm stuck on a similar problem.

Jo Christian

/Jo Christian

Not applicable

The DNS-proxy feature of PAN 4.x can be useful without using U-turn nat.

Hi,

Thanks for this. I had the same problem for our guest wireless, needing to access our internal web servers. Using the above NAT and Security policies got this to work!!

L5 Sessionator

The following doc has a good use case example of U-Turn on page 22

https://live.paloaltonetworks.com/docs/DOC-1517

Let us know if this helps.

Thanks

Numan
