When your public-facing servers have private
IP addresses assigned on the network segment where they are physically
located, you need a source NAT rule to translate the source address
of the server to the external address upon egress. In this example, you
create a static NAT rule to translate the internal source address, 10.1.1.11,
to the external web server address, 203.0.113.11.
However, a public-facing server must be able to both send and receive packets.
You need a reciprocal policy that translates the public address
(the destination IP address in incoming packets from Internet users)
into the private address so that the firewall can route the packet
to your DMZ network. You create a bi-directional static NAT rule,
as described in the following procedure. Bi-directional translation
is an option for static NAT only.
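
The two directions of translation described above can be modelled in a few lines of Python. This is an added example, not code from the firewall or its documentation: the `StaticNat` class, the `round_trip` helper and the client address 198.51.100.7 are assumptions made for illustration. It also goes beyond the single-address case by accepting equal-sized prefixes and preserving the host offset.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class StaticNat:
    private: IPv4Network   # real server address(es) in the DMZ
    public: IPv4Network    # address(es) Internet users connect to
    bidirectional: bool    # models the bi-directional option

    def __post_init__(self):
        # Static NAT is one-to-one, so both sides must be the same size.
        if self.private.prefixlen != self.public.prefixlen:
            raise ValueError("private and public prefixes differ in size")

    @staticmethod
    def _remap(addr, old, new):
        # Keep the host offset so each address has exactly one counterpart.
        return new.network_address + (int(addr) - int(old.network_address))

    def translate(self, pkt: Packet) -> Packet:
        # Egress: the server is the source, so rewrite the source address.
        if pkt.src in self.private:
            return replace(pkt, src=self._remap(pkt.src, self.private, self.public))
        # Ingress: only the reciprocal mapping rewrites the destination.
        if self.bidirectional and pkt.dst in self.public:
            return replace(pkt, dst=self._remap(pkt.dst, self.public, self.private))
        return pkt  # no matching translation, packet is left unchanged


def round_trip(rule: StaticNat, client: str, server_public: str):
    # Returns (destination after inbound NAT, source the client sees in the reply).
    inbound = rule.translate(Packet(ip_address(client), ip_address(server_public)))
    private_src = rule._remap(ip_address(server_public), rule.public, rule.private)
    outbound = rule.translate(Packet(private_src, ip_address(client)))
    return str(inbound.dst), str(outbound.src)


# Constructed sample: the page's two addresses as /32 prefixes.
WEB = dict(private=ip_network("10.1.1.11/32"), public=ip_network("203.0.113.11/32"))
```

With `bidirectional=False` the reply still leaves as 203.0.113.11, but the inbound destination stays 203.0.113.11, so the packet is never rewritten toward the DMZ host.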