To enable clients on the internal network to access the public
web server in the DMZ zone, you must configure a NAT rule that redirects
the packet to the actual address of the web server on the DMZ network,
10.1.1.11. Without such a rule, the original routing table lookup, which
is based on the destination address of 203.0.113.11 within the packet,
determines that the packet should go to the external network. To do this,
you must create a NAT rule from the trust zone (where the source address
in the packet is) to the untrust zone (where the original destination
address is) to translate the destination address to an address in
the DMZ zone. This type of destination NAT is called U-Turn NAT (the
yellow enclosure and arrow above). See Enable Clients on the Internal
Network to Access your Public Servers (Destination U-Turn NAT) for
instructions.
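
The zone logic described above, modeled as an added Python example (not vendor code or firewall configuration): it shows why the rule must be written trust to untrust, and that a rule written trust to dmz never matches. Assumptions: the 192.168.1.0/24 client subnet, the routing table, the rule names, and deriving the source zone from a route lookup instead of the ingress interface.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> zone of the egress interface.
ROUTES = [
    ("192.168.1.0/24", "trust"),   # internal clients (assumed subnet)
    ("10.1.1.0/24", "dmz"),        # web server network from the text
    ("0.0.0.0/0", "untrust"),      # default route; covers 203.0.113.11
]

# U-Turn rule from the text: zones are matched against the ORIGINAL packet.
UTURN = {"name": "uturn-web", "from": "trust", "to": "untrust",
         "dst": "203.0.113.11", "translate_to": "10.1.1.11"}

# Common mistake (hypothetical rule): destination zone set to where the
# server really lives instead of where the pre-NAT address routes.
WRONG = dict(UTURN, name="wrong-zone", to="dmz")


def zone_for(ip):
    """Longest-prefix match of ip against ROUTES; returns the zone name."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES]
    hits = [(n, z) for n, z in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def forward(src, dst, rules):
    """Return (matched rule name, final destination, egress zone)."""
    src_zone = zone_for(src)       # simplification: zone taken from route
    pre_nat_zone = zone_for(dst)   # lookup on the original destination
    for r in rules:
        if (r["from"], r["to"], r["dst"]) == (src_zone, pre_nat_zone, dst):
            new_dst = r["translate_to"]
            # Second lookup, on the translated address, picks the real egress.
            return r["name"], new_dst, zone_for(new_dst)
    return None, dst, pre_nat_zone  # no NAT: packet leaves toward untrust


if __name__ == "__main__":
    client = "192.168.1.100"       # constructed client address
    print(forward(client, "203.0.113.11", [UTURN]))
    print(forward(client, "203.0.113.11", [WRONG]))
```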