Enable Clients on the Internal Network to Access your Public
Servers (Destination U-Turn NAT)
When a user on the internal network sends
a request for access to the corporate web server in the DMZ, the
DNS server will resolve it to the public IP address. When processing
the request, the firewall will use the original destination in the
packet (the public IP address) and route the packet to the egress
interface for the untrust zone. In order for the firewall to know
that it must translate the public IP address of the web server to
an address on the DMZ network when it receives requests from users
on the trust zone, you must create a destination NAT rule that will
enable the firewall to send the request to the egress interface
for the DMZ zone as follows.
Create an address object for the web server.
for the object.
and enter the public IP address of the web server, 203.0.113.11
in this example.
Create the NAT policy.
tab, enter a
for the NAT rule.
select the zone you created for your internal network in the
select the zone) and the zone you created for the external network
address object you created for your public web server.
Destination Address Translation
then enter the IP address that is assigned to the web server interface
on the DMZ network, 10.1.1.11 in this example.