Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network requests the corporate web server in the DMZ, the DNS server resolves the server's name to its public IP address. The firewall determines the destination zone by performing a route lookup on the original (pre-NAT) destination address in the packet, so the request is matched to the egress interface for the untrust zone. For the firewall to translate the web server's public IP address to its address on the DMZ network when the request arrives from the trust zone, you must create a destination NAT rule whose original packet is from the trust zone to the untrust zone; the translated packet is then forwarded out the egress interface for the DMZ zone. Configure the rule as follows.
  1. Create an address object for the web server.
    1. Select Objects > Addresses, click Add, and enter a Name and optional Description for the object.
    2. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
    3. Click OK.
  2. Create the NAT policy.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, in the Source Zone section click Add and select the zone you created for your internal network; from the Destination Zone drop-down, select the zone you created for the external network (not the DMZ zone, because the route lookup on the public address selects the external zone).
    4. In the Destination Address section, Add the address object you created for your public web server.
    5. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example.
    6. Click OK.
  3. Commit.
    Click Commit.
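The same configuration entered from the PAN-OS CLI in configure mode, as an added example that is not part of the original page. The two IP addresses are the ones used above; the zone names trust, untrust and dmz, the object and rule names, and the client address 10.1.0.50 used in the test commands are assumptions. Lines beginning with # are annotations and are not accepted by the CLI; drop them when pasting.

```text
configure

# Step 1: address object for the web server's public IP (the pre-NAT destination).
set address web-server-public ip-netmask 203.0.113.11/32
set address web-server-public description "Public IP of the DMZ web server"

# Step 2: destination (U-turn) NAT rule. The destination zone is untrust, not dmz:
# the firewall selects the zone from a route lookup on the pre-NAT address
# 203.0.113.11, which points at the external interface.
set rulebase nat rules uturn-web-server from trust to untrust
set rulebase nat rules uturn-web-server source any destination web-server-public service any
set rulebase nat rules uturn-web-server destination-translation translated-address 10.1.1.11

# Companion security rule (the NAT rule alone does not permit the traffic).
# Security policy is evaluated against the pre-NAT destination address but the
# post-NAT destination zone, so the rule is trust -> dmz and still names the
# public address object.
set rulebase security rules trust-to-dmz-web from trust to dmz
set rulebase security rules trust-to-dmz-web source any destination web-server-public
set rulebase security rules trust-to-dmz-web application web-browsing service application-default action allow

# Step 3: commit.
commit

# Verification from operational mode: show which NAT and security rules a client
# request from 10.1.0.50 (assumed) to the public address on TCP/80 would match.
exit
test nat-policy-match from trust to untrust source 10.1.0.50 destination 203.0.113.11 protocol 6 destination-port 80
test security-policy-match from trust to dmz source 10.1.0.50 destination 203.0.113.11 protocol 6 destination-port 80 application web-browsing
```

Both test commands should report the two rules above; if the NAT test returns no match, the usual cause is a destination zone of dmz instead of untrust in the NAT rule. No source translation is configured here because the client (trust) and the web server (DMZ) are in different zones, so the server's replies must pass back through the firewall; if client and server were on the same subnet, the rule would also need source translation so that the replies return via the firewall rather than directly to the client.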
