You're confusing double-NAT with U-Turn NAT.

Double-NAT means you translate the source IP address *and* the destination IP address. This is needed for crossing zones and subnets where you don't have direct routing for private IP addresses enabled. Client has 192.168.0.0/24 subnet. Server has 10.0.0.2 IP. You have public IP 1.2.3.4 for your outgoing client NAT for Internet access. You have 1.2.3.5 for your server's public IP. So you need to create a NAT policy that takes traffic from 192.168.0.0/24 to 1.2.3.5 and translates the source IP to 1.2.3.4 *AND*, in the same policy, also translates the destination IP to 10.10.10.2. There are a few other NAT/Security policies needed to make that work, but the above double-NAT rule is the important one. This way, the clients only ever connect to the public IP, the server only ever sees the public IP of the clients, and everything is handled nicely through the normal routing tables.

U-Turn NAT also means you translate the source IP and the destination IP, but it is used for sending traffic back to the source zone and to the same subnet as the client. Client has 192.168.0.0/24 subnet. Server has 192.168.0.2 IP. You have public IP 1.2.3.4 for your outgoing client NAT for Internet access. You have 1.2.3.5 for your server's public IP. So you need to create a NAT policy that takes traffic from 192.168.0.0/24 to 1.2.3.5 and translates the source IP to 1.2.3.4 *AND* translates the destination IP to 192.168.0.2. There are a few other NAT/Security policies needed to make the traffic work. This way, the clients only ever connect to the server's public IP, the server only ever sees the public IP for the clients, and all the traffic is handled via the normal routing tables on the server.

However, a much nicer solution than U-Turn NAT is split-DNS, or DNS views (in BIND). When a client on the private network does a DNS query for my.server.com, it gets the private IP of the server returned. If a device on the Internet does a DNS query for my.server.com, it gets the public IP of the server returned. That way, local traffic never goes through the firewall at all.
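The U-Turn case above, written out as an added example in nftables syntax for a Linux firewall (this is not from the original post, and the interface name `wan0` and port 443 are assumed). On Linux the source and destination translations live in two hooks rather than one policy, so the hairpin needs a matching pair of rules:

```nftables
# /etc/nftables.conf (added example; addresses follow the post, wan0 is assumed)
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Anyone (Internet or LAN) reaching the server's public IP
        # is redirected to the server's private IP.
        ip daddr 1.2.3.5 tcp dport 443 dnat to 192.168.0.2
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # U-Turn: a LAN client whose packet was just DNATed to the
        # server must also be SNATed to the firewall's public IP.
        # Without this rule the server would answer the client
        # directly on the shared subnet, the client would see a reply
        # from 192.168.0.2 instead of 1.2.3.5, and the connection
        # would fail.
        ip saddr 192.168.0.0/24 ip daddr 192.168.0.2 ct status dnat \
            snat to 1.2.3.4

        # Ordinary outbound Internet access for the LAN.
        oifname "wan0" ip saddr 192.168.0.0/24 snat to 1.2.3.4
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Allow the translated flows and their replies; this is the
        # "other security policy" the post refers to.
        ct state established,related accept
        ip daddr 192.168.0.2 tcp dport 443 ct status dnat accept
        oifname "wan0" ip saddr 192.168.0.0/24 accept
    }
}
```

With `ct status dnat` the SNAT rule matches only hairpinned flows, so LAN-to-LAN traffic that never touched the public IP is left untranslated; `nft list ruleset` and the `conntrack` table show both translations on a live connection.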