Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
10.1
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server resolves it to the public IP address. When processing the request, the firewall uses the original destination in the packet (the public IP address) and routes the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that enables the firewall to send the request to the egress interface for the DMZ zone, as follows.
- Create an address object for the web server.
  - Select Objects > Addresses and Add a Name and optional Description for the address object.
  - For Type, select IP Netmask and enter the public IP address of the web server, 203.0.113.11 in this example.

    You can switch the address object type from IP Netmask to FQDN by clicking Resolve and, when the FQDN appears, clicking Use this FQDN. Alternatively, for Type, select FQDN and enter the FQDN to use for the address object. If you enter an FQDN and click Resolve, the IP address to which the FQDN resolves appears in the field. To switch the address object Type from an FQDN to an IP Netmask using this IP address, click Use this address; the Type switches to IP Netmask with the IP address appearing in the field.
  - Click OK.
- Create the NAT policy.
  - Select Policies > NAT and click Add.
  - On the General tab, enter a descriptive Name for the NAT rule.
  - On the Original Packet tab, in the Source Zone section, select the zone you created for your internal network (click Add and then select the zone), and from the Destination Zone list, select the zone you created for the external network.
  - In the Destination Address section, Add the address object you created for your public web server.
  - On the Translated Packet tab, under Destination Address Translation, for Translation Type select Static IP and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example. Alternatively, set Translation Type to Dynamic IP (with session distribution) and enter a Translated Address that is an address object or address group using an IP netmask, IP range, or FQDN; any of these can return multiple addresses from DNS. If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among those addresses according to the method you select: Round Robin (the default method), Source IP Hash, IP Modulo, IP Hash, or Least Sessions.
  - Click OK.
- Click Commit.
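The following Python model is an added example, not part of this documentation and not PAN-OS code. It shows why the procedure above has you select the external (untrust) zone as the Destination Zone even though the server sits in the DMZ: the firewall determines the pre-NAT destination zone by routing the original destination address (the public IP), matches the NAT rule on those pre-NAT zones, rewrites the destination, and only then routes again to find the real egress zone. It also goes beyond the Static IP case by modelling the Round Robin distribution described for Dynamic IP (with session distribution). The zone names trust, untrust and dmz, the routing table, and the second DMZ address 10.1.1.12 are constructed for this illustration; 203.0.113.11 and 10.1.1.11 are the page's own example values.

```python
"""Model of destination U-turn NAT processing (added example, not PAN-OS code).

Constructed assumptions: zones named trust, untrust and dmz; a routing table
whose default route points at untrust; a second DMZ address 10.1.1.12 that
does not appear on the original page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle

# Constructed routing table: (prefix, zone of the egress interface).
ROUTES = [
    (ip_network("10.1.1.0/24"), "dmz"),
    (ip_network("192.168.1.0/24"), "trust"),
    (ip_network("0.0.0.0/0"), "untrust"),
]


def zone_for(dst: str) -> str:
    """Longest-prefix route lookup: the zone the packet would egress to."""
    addr = ip_address(dst)
    best = max((net for net, _ in ROUTES if addr in net),
               key=lambda net: net.prefixlen)
    return dict(ROUTES)[best]


@dataclass
class NatRule:
    name: str
    from_zone: str            # Original Packet: Source Zone (pre-NAT)
    to_zone: str              # Original Packet: Destination Zone (pre-NAT, from routing the original dst)
    original_dst: frozenset   # Original Packet: Destination Address object(s)
    translated: tuple         # Translated Packet: one address (Static IP) or several (Dynamic IP)
    _rr: object = field(default=None, repr=False, compare=False)

    def matches(self, src_zone: str, dst: str) -> bool:
        # The destination zone is evaluated on the ORIGINAL destination address,
        # so for 203.0.113.11 it is "untrust", not the server's real zone "dmz".
        return (src_zone == self.from_zone
                and zone_for(dst) == self.to_zone
                and dst in self.original_dst)

    def translate(self) -> str:
        if len(self.translated) == 1:
            return self.translated[0]                # Static IP
        if self._rr is None:
            self._rr = cycle(self.translated)        # Round Robin (the default method)
        return next(self._rr)


def process(rules, src_zone: str, dst: str):
    """Return (matching rule name or None, post-NAT destination, egress zone)."""
    for rule in rules:
        if rule.matches(src_zone, dst):
            new_dst = rule.translate()
            # Second route lookup on the translated address gives the real egress zone.
            return rule.name, new_dst, zone_for(new_dst)
    return None, dst, zone_for(dst)


# Rule as built in the procedure: trust -> untrust, public address -> DMZ address.
UTURN = NatRule("Uturn-Web", "trust", "untrust",
                frozenset({"203.0.113.11"}), ("10.1.1.11",))

# Common mistake: using the server's real (post-NAT) zone as the Destination Zone.
WRONG_ZONE = NatRule("Uturn-Web-Wrong", "trust", "dmz",
                     frozenset({"203.0.113.11"}), ("10.1.1.11",))

# Dynamic IP (with session distribution) over two DMZ addresses (10.1.1.12 is constructed).
DISTRIBUTED = NatRule("Uturn-Web-Dist", "trust", "untrust",
                      frozenset({"203.0.113.11"}), ("10.1.1.11", "10.1.1.12"))


if __name__ == "__main__":
    print(process([UTURN], "trust", "203.0.113.11"))        # ('Uturn-Web', '10.1.1.11', 'dmz')
    print(process([WRONG_ZONE], "trust", "203.0.113.11"))   # (None, '203.0.113.11', 'untrust')
    for _ in range(3):                                      # 10.1.1.11, 10.1.1.12, 10.1.1.11
        print(process([DISTRIBUTED], "trust", "203.0.113.11")[1])
```

The WRONG_ZONE rule never matches: a packet for 203.0.113.11 routes to untrust before translation, so a rule written with dmz as the Destination Zone is skipped and the request leaves through the untrust interface untranslated. That is the failure you see when the rule's zones are chosen from the post-NAT topology instead of the original packet.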