Security Policy's and NAT

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Policy's and NAT

Not applicable


I Have configured a BYOD wireless ssid that is being forced to the internet via a port on our 2050. I am trying to get the network to be able to contact our mail server for exchange on mobile devices and also to have access to our content server redirect page. Our internal IP address for the BYOD is in the 172.x.x.x range. I am NATing these ip's to a public 204.x.x.x address.

The two servers I need to have these devices access both have NATed public IP addresses and are located on our internal network. I have tried setting up policies that utilize the source zone as the BYOD zone I created and the source address is the IP range of the BYOD internal network. For the destination I have tried both the internal IP of the servers and the Public NAT ip of the servers but cannot get commuinction between clients on the internal BYOD network and the two servers with the public NAT. I am having trouble determing the flow of things. Any Suggestions.




L7 Applicator

It sounds like you need to configure U-Turn NAT. This does NAT on the firewall but changes some parameters so that it hits the internal server directly rather than sending the traffic out to the Internet first.

Check this document out to see if it describes the issue and solves the problem:

How to Configure U-Turn NAT

Hope this helps!



i have configured a one web server NAT (one-to-one, server in the same zone as the clients) end Security Policies

NAT Pol.jpg

Sec Pol.jpg

this configuration enables functions of the web service, but prevents it from connecting to the internet/I mean disconnects the server. Is there a need of an additional configurations in order to solve this problem?

your second NAT rule(U turn) has to be seperate 2 rules.

1 for DMZ

1 for LAN

for DMZ you have to use source and destination NAT both

for LAN you only need destination NAT

also there should be a NAT rule downwards from these for internet with any destination address with source NAT

Thank you for feedback. But i can't understand please reply example

1- Clone inforep2 rule

2- Make rules source zone as DMZ for one, LAN for second rule

3- Source DMZ rule will have both source and destination NAT so do not touch it

4- Source LAN rule will have only destination NAT so clear source Nat

5- Write a third rule if there is not, for internet access Source zone DMZ and LAN destination address any source NAT with WAN interface.

is that clear ?

also try to monitor the logs for server look for source Nat and destination address from logs if there is anything missing

filter the logs for server upload a picture so that we can also look for.

sorry. its correct or... please check


rule2 destination zone make it WAN

also is there other rule for LAN to access internet

there should be from LAN to WAN a NAT rule also

there is also LAN rule to access to internet. this rule has in NAT Pol


The Problem is ....

Server is not working internet. (DMZ to internet  www.*)

But webservice is working.(WAN from DMZ) 

add source zone DMZ to your last NAT rule

Thank you for your great support.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!