Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.
  1. Create an address object for the web server.
    1. Select ObjectsAddresses and Add a Name and optional Description for the address object.
    2. For Type, select IP Netmask and enter the public IP address of the web server, in this example.
      You can switch the address object type from IP Netmask to FQDN by clicking Resolve, and when the FQDN appears, click Use this FQDN. Alternatively, for Type, select FQDN and enter the FQDN to use for the address object. If you enter an FQDN and click Resolve, the IP address to which the FQDN resolves appears in the field. To switch the address object Type from an FQDN to an IP Netmask using this IP address, click Use this address and the Type will switch to IP Netmask with the IP address appearing in the field.
    3. Click OK.
  2. Create the NAT policy.
    1. Select PoliciesNAT and click Add.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.
    4. In the Destination Address section, Add the address object you created for your public web server.
    5. On the Translated Packet tab, for Destination Address Translation, for Translation Type, select Static IP and then enter the IP address that is assigned to the web server interface on the DMZ network, in this example. Alternatively, you can select Translation Type to be Dynamic IP (with session distribution) and enter the Translated Address to be an address object or address group that uses an IP netmask, IP range, or FQDN. Any of these can return multiple addresses from DNS. If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among the multiple addresses based on one of several methods you can select: Round Robin (the default method), Source IP Hash, IP Modulo, IP Hash, or Least Sessions.
    6. Click OK.
  3. Click Commit.

Related Documentation