Enable Clients on the Internal Network to Access your Public
Servers (Destination U-Turn NAT)
When a user on the internal network sends
a request for access to the corporate web server in the DMZ, the
DNS server will resolve it to the public IP address. When processing
the request, the firewall will use the original destination in the
packet (the public IP address) and route the packet to the egress
interface for the untrust zone. In order for the firewall to know
that it must translate the public IP address of the web server to
an address on the DMZ network when it receives requests from users
on the trust zone, you must create a destination NAT rule that will
enable the firewall to send the request to the egress interface
for the DMZ zone as follows.
Create an address object for the web server.
for the address object.
and enter the public IP address of the web server,
203.0.113.11 in this example.
You can switch the address object type from
and when the FQDN appears, click
Use this FQDN
enter the FQDN to use for the address object. If you enter an FQDN
, the IP address to which
the FQDN resolves appears in the field. To switch the address object
an FQDN to an IP Netmask using this IP address, click
with the IP address
appearing in the field.
Create the NAT policy.
tab, enter a
for the NAT rule.
select the zone you created for your internal network in the
select the zone) and the zone you created for the external network
address object you created for your public web server.
for Destination Address Translation, for
enter the IP address that is assigned to the web server interface
on the DMZ network, 10.1.1.11 in this example. Alternatively, you
IP (with session distribution)
and enter the
to be an address object or address group that
uses an IP netmask, IP range, or FQDN. Any of these can return multiple addresses
from DNS. If the translated destination address resolves to more
than one address, the firewall distributes incoming NAT sessions
among the multiple addresses based on one of several methods you