Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network requests the corporate web server in the DMZ, the DNS server resolves the server's name to its public IP address. The firewall performs its route lookup on the original destination in the packet (the public IP address), which points to the egress interface for the untrust zone, so the untrust zone is the pre-NAT destination zone of this traffic. For the firewall to translate the public IP address of the web server to its address on the DMZ network when the request comes from the trust zone, you must create a destination NAT rule with the trust zone as source zone and the untrust zone as destination zone; once translated, the packet is routed out the egress interface for the DMZ zone. The NAT rule by itself does not permit the traffic: the Security policy rule that allows it must match the post-NAT destination zone (the DMZ zone) and the pre-NAT destination address (the public IP address). Create the NAT rule as follows.
  1. Create an address object for the web server.
    1. Select Objects > Addresses and Add a Name and optional Description for the address object.
    2. For Type, select IP Netmask and enter the public IP address of the web server, 203.0.113.11 in this example.
       You can switch the address object type from IP Netmask to FQDN by clicking Resolve, and when the FQDN appears, click Use this FQDN. Alternatively, for Type, select FQDN and enter the FQDN to use for the address object. If you enter an FQDN and click Resolve, the IP address to which the FQDN resolves appears in the field. To switch the address object Type from an FQDN to an IP Netmask using this IP address, click Use this address; the Type switches to IP Netmask with the IP address appearing in the field.
    3. Click OK.
  2. Create the NAT policy.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, in the Source Zone section click Add and select the zone you created for your internal network, and from the Destination Zone list select the zone you created for the external network. The destination zone is the zone the untranslated public address routes to (untrust), not the DMZ zone where the server actually sits.
    4. In the Destination Address section, Add the address object you created for your public web server.
    5. On the Translated Packet tab, under Destination Address Translation, for Translation Type select Static IP and enter the IP address assigned to the web server interface on the DMZ network, 10.1.1.11 in this example. Alternatively, set Translation Type to Dynamic IP (with session distribution) and set the Translated Address to an address object or address group that uses an IP netmask, IP range, or FQDN; any of these can yield multiple addresses (an FQDN does so through DNS resolution). If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among those addresses using the method you select: Round Robin (the default), Source IP Hash, IP Modulo, IP Hash, or Least Sessions.
    6. Click OK.
  3. Click Commit.
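The order of operations behind this configuration, shown as an added Python model rather than anything from PAN-OS or Palo Alto Networks: a route lookup on the original destination yields the pre-NAT zone (untrust), the NAT rule matches on that zone and the public address, the translated address is looked up again to find the real egress zone (dmz), and only then is Security policy evaluated, against the post-NAT zone but the pre-NAT address. The interface names, the 192.168.1.0/24 trust subnet, the second pool member 10.1.1.12, and the function and rule names are assumptions made for the example; 203.0.113.11 and 10.1.1.11 are the addresses used on this page.

```python
"""Model of the packet-processing order behind a destination U-turn NAT rule.

Added example (not Palo Alto Networks or PAN-OS code): a simplified firewall
that does a route lookup on the original destination to find the pre-NAT
zone, matches a NAT rule, translates, looks up the post-NAT egress zone, and
then evaluates Security policy on the post-NAT zone but pre-NAT address.
Interfaces, the 192.168.1.0/24 trust subnet and the pool member 10.1.1.12
are assumptions; 203.0.113.11 and 10.1.1.11 come from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle

# Interface -> zone bindings and routing table (constructed for this example).
ZONES = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}
ROUTES = [
    (ip_network("192.168.1.0/24"), "ethernet1/2"),
    (ip_network("10.1.1.0/24"), "ethernet1/3"),
    (ip_network("0.0.0.0/0"), "ethernet1/1"),  # default route out the untrust side
]


def zone_for(dst: str) -> str:
    """Longest-prefix route lookup, then the zone bound to the egress interface."""
    addr = ip_address(dst)
    _, iface = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return ZONES[iface]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str        # zone of the ORIGINAL destination, i.e. untrust for a public address
    original_dst: str
    translated: list    # one address = Static IP; several = Dynamic IP (with session distribution)

    def __post_init__(self):
        self._next = cycle(self.translated)  # Round Robin, the default distribution method

    def translate(self) -> str:
        return next(self._next)


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str        # matched against the POST-NAT (egress) zone
    dst: str            # matched against the PRE-NAT destination address, or "any"
    action: str


def process(src_zone, dst, nat_rules, security_rules):
    """Evaluate one new session; return (post-NAT destination, egress zone, action)."""
    pre_nat_zone = zone_for(dst)                     # route lookup on the untranslated packet
    post_dst = dst
    for rule in nat_rules:                           # first matching NAT rule wins
        if (rule.from_zone, rule.to_zone, rule.original_dst) == (src_zone, pre_nat_zone, dst):
            post_dst = rule.translate()
            break
    egress_zone = zone_for(post_dst)                 # second lookup on the translated address
    for rule in security_rules:                      # Security policy: post-NAT zone, pre-NAT address
        if (rule.from_zone, rule.to_zone) == (src_zone, egress_zone) and rule.dst in (dst, "any"):
            return post_dst, egress_zone, rule.action
    return post_dst, egress_zone, "deny"             # interzone-default rule denies the rest


PUBLIC, PRIVATE = "203.0.113.11", "10.1.1.11"
NAT = [NatRule("U-Turn-Web", "trust", "untrust", PUBLIC, [PRIVATE])]
SEC_WRONG_ZONE = [SecurityRule("Web-Wrong-Zone", "trust", "untrust", PUBLIC, "allow")]
SEC_WRONG_ADDR = [SecurityRule("Web-Wrong-Addr", "trust", "dmz", PRIVATE, "allow")]
SEC_CORRECT = [SecurityRule("Web", "trust", "dmz", PUBLIC, "allow")]


def demo() -> dict:
    """Run the trust-zone client against the four rule combinations."""
    return {
        "no_nat_rule": process("trust", PUBLIC, [], SEC_CORRECT),
        "security_on_pre_nat_zone": process("trust", PUBLIC, NAT, SEC_WRONG_ZONE),
        "security_on_post_nat_addr": process("trust", PUBLIC, NAT, SEC_WRONG_ADDR),
        "correct": process("trust", PUBLIC, NAT, SEC_CORRECT),
    }


def session_distribution(sessions: int = 4) -> list:
    """Dynamic IP (with session distribution) over two DMZ servers, Round Robin."""
    pool = NatRule("U-Turn-Web-Pool", "trust", "untrust", PUBLIC, [PRIVATE, "10.1.1.12"])
    return [process("trust", PUBLIC, [pool], SEC_CORRECT)[0] for _ in range(sessions)]


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> post-NAT dst {result[0]}, egress {result[1]}, {result[2]}")
    print("round robin:", session_distribution())
```

Running the block shows the three ways this setup commonly fails and the one that works: without the NAT rule the session is routed out the untrust side untranslated; with the NAT rule but a Security rule written trust to untrust it is dropped, because Security policy sees the post-NAT zone (dmz); with a Security rule written trust to dmz but using the private address 10.1.1.11 it is also dropped, because Security policy sees the pre-NAT address; only trust to dmz with destination 203.0.113.11 allows it. The pool case shows Round Robin alternating new sessions across the two translated addresses.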
