Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network requests the corporate web server in the DMZ by name, the DNS server resolves the name to the server's public IP address, because that is the address published for it. The firewall performs its route lookup on the original (pre-NAT) destination address in the packet, so the packet is routed toward the egress interface in the untrust zone, and the destination zone for the NAT policy lookup is untrust. For the firewall to translate the public IP address of the web server to its address on the DMZ network when the request comes from the trust zone, you must create a destination NAT rule that matches source zone trust and destination zone untrust. After the translation the firewall performs a second route lookup on the translated address and forwards the request through the egress interface for the DMZ zone. Because the firewall evaluates Security policy using the pre-NAT addresses but the post-NAT zones, you must also have a Security policy rule that allows traffic from the trust zone to the DMZ zone with the public address as the destination. Configure the destination NAT rule as follows.
  1. Create an address object for the web server.
    1. Select Objects > Addresses and Add a Name and optional Description for the object.
    2. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
    3. Click OK.
  2. Create the NAT policy.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, click Add in the Source Zone section and select the zone you created for your internal network, then select the zone you created for the external network from the Destination Zone drop-down. The Destination Zone must be the zone that the original (pre-NAT) destination address routes to, which is the external zone and not the DMZ, because the firewall determines the destination zone for the NAT policy lookup before it translates the address.
    4. In the Destination Address section, Add the address object you created for your public web server.
    5. On the Translated Packet tab, select Destination Address Translation and, as the Translated Address, enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example.
    6. Click OK.
  3. Commit your changes.
    Click Commit.
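The processing order the introduction describes (route lookup on the original destination to find the pre-NAT destination zone, NAT rule match, second route lookup on the translated address, then Security policy evaluated on pre-NAT addresses and post-NAT zones) is modelled here in Python as an added example; it is not code from the original page or from Palo Alto Networks. The routing table and zones (10.0.0.0/24 in trust, 10.1.1.0/24 in dmz, a default route in untrust), the client address 10.0.0.5, and the rule names are assumptions; only the addresses 203.0.113.11 and 10.1.1.11 come from the page. The model also includes a deliberately wrong NAT rule whose Destination Zone is the DMZ, to show why such a rule never matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumption, not from the page): prefix -> zone of the egress interface.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/24"): "trust",    # internal clients
    ipaddress.ip_network("10.1.1.0/24"): "dmz",      # web server's real address (10.1.1.11 is from the page)
    ipaddress.ip_network("0.0.0.0/0"): "untrust",    # default route; 203.0.113.11 routes here pre-NAT
}


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # zone the PRE-NAT destination address routes to
    destination: str      # original (pre-NAT) destination address
    translated: str       # destination address after translation


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str          # POST-NAT destination zone
    destination: str      # PRE-NAT destination address, or "any"
    action: str


def zone_for(ip: str) -> str:
    """Route lookup: longest-prefix match, returning the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def process_packet(src: str, dst: str, nat_rules, sec_rules) -> dict:
    """Model of the order in which the firewall handles a new session:
    1. route lookup on the original destination -> pre-NAT destination zone
    2. NAT policy match on (source zone, pre-NAT destination zone, destination)
    3. route lookup on the translated destination -> post-NAT (egress) zone
    4. Security policy match on pre-NAT addresses and post-NAT zones
    """
    src_zone = zone_for(src)
    pre_nat_dst_zone = zone_for(dst)

    translated_dst, nat_hit = dst, None
    for rule in nat_rules:
        if (rule.from_zone == src_zone and rule.to_zone == pre_nat_dst_zone
                and rule.destination == dst):
            translated_dst, nat_hit = rule.translated, rule.name
            break

    post_nat_dst_zone = zone_for(translated_dst)

    action, sec_hit = "deny", None          # implicit interzone default: deny
    for rule in sec_rules:
        if (rule.from_zone == src_zone and rule.to_zone == post_nat_dst_zone
                and rule.destination in ("any", dst)):   # dst is the PRE-NAT address
            action, sec_hit = rule.action, rule.name
            break

    return {
        "pre_nat_dst_zone": pre_nat_dst_zone,
        "nat_rule": nat_hit,
        "egress_zone": post_nat_dst_zone,
        "forward_to": translated_dst,
        "security_rule": sec_hit,
        "action": action,
    }


# The rule the procedure builds: trust -> untrust, 203.0.113.11 translated to 10.1.1.11.
UTURN = NatRule("dmz-uturn", "trust", "untrust", "203.0.113.11", "10.1.1.11")
# Security rule using the post-NAT zone (dmz) and the pre-NAT address (203.0.113.11).
ALLOW_WEB = SecurityRule("trust-to-dmz-web", "trust", "dmz", "203.0.113.11", "allow")
# Common mistake: Destination Zone set to dmz. The pre-NAT address routes to untrust, so it never matches.
WRONG_ZONE = NatRule("wrong-uturn", "trust", "dmz", "203.0.113.11", "10.1.1.11")

if __name__ == "__main__":
    print(process_packet("10.0.0.5", "203.0.113.11", [UTURN], [ALLOW_WEB]))
    print(process_packet("10.0.0.5", "203.0.113.11", [], [ALLOW_WEB]))
    print(process_packet("10.0.0.5", "203.0.113.11", [WRONG_ZONE], [ALLOW_WEB]))
```

Running the block shows the three outcomes side by side: with the correct rule the request is translated to 10.1.1.11, leaves through the dmz zone and is allowed; with no NAT rule, or with the rule whose Destination Zone is dmz, the packet keeps its public destination, routes toward untrust, and the trust-to-dmz Security rule does not match, so it is denied.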
