Originally on our PA-3250's we used Source with Bi-Directional NAT and just added in the trusted zone(s) to the security policy for U-Turn NAT to work, and this worked flawlessly. Now we upgraded to 10.1.6 from 10.0.10 and it stopped working. We were able to get some sites working with a new U-Turn NAT statement as mentioned in the article: How to Configure U-Turn NAT - Knowledge Base - Palo Alto Networks and changing the Source with Bi-Directional NAT to a Destination NAT. However, we have servers that need to go to the Internet as a specific IP so Source NAT with dedicated IP will work, but the U-Turn NAT will not work. I have gone through so many configurations for U-Turn, Source and Destination. In fact, using three separate NAT statements: Destination, Source with static source IP and U-Turn completely broke access to the server, even from other trusted zones.
I've been working with Support for a few weeks now, and no answer. Was hoping someone else had the same or similar issue and could point me in the right direction.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!