When a user on the internal network sends
a request for access to the corporate web server in the DMZ, the
DNS server will resolve it to the public IP address. When processing
the request, the firewall will use the original destination in the
packet (the public IP address) and route the packet to the egress
interface for the untrust zone. For the firewall to know
that it must translate the public IP address of the web server to
an address on the DMZ network when it receives requests from users
in the trust zone, you must create a destination NAT rule that
enables the firewall to send the request to the egress interface
for the DMZ zone, as follows.
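The lookup order described above can be traced with a small model. This is an added example, not the firewall's own configuration or code: the subnets, addresses, rule fields and function names are constructed for illustration, and the source zone is derived from a route lookup as a simplification.

```python
import ipaddress

# Constructed sample topology: prefixes and addresses are illustrative only.
ROUTES = [  # (prefix, zone of the egress interface); longest prefix wins
    (ipaddress.ip_network("192.168.1.0/24"), "trust"),
    (ipaddress.ip_network("10.1.1.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]
WEB_PUBLIC = ipaddress.ip_address("203.0.113.11")  # address DNS hands out
WEB_DMZ = ipaddress.ip_address("10.1.1.11")        # server's DMZ address

# Destination NAT rule. It is matched on what the firewall sees BEFORE
# translation, so the destination zone is untrust, not dmz.
UTURN_RULE = {"from": "trust", "to": "untrust",
              "dst": WEB_PUBLIC, "translate_to": WEB_DMZ}


def zone_for(addr):
    """Route lookup: zone of the most specific prefix containing addr."""
    matches = [(net.prefixlen, zone) for net, zone in ROUTES if addr in net]
    return max(matches)[1]


def forward(src, dst, nat_rules):
    """Return (final destination, egress zone) for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone = zone_for(src)
    dst_zone = zone_for(dst)  # first lookup uses the ORIGINAL destination
    for rule in nat_rules:
        if (rule["from"], rule["to"], rule["dst"]) == (src_zone, dst_zone, dst):
            dst = rule["translate_to"]
            dst_zone = zone_for(dst)  # second lookup on the translated address
            break
    return str(dst), dst_zone


if __name__ == "__main__":
    client = "192.168.1.50"  # constructed internal user
    print("no rule:  ", forward(client, WEB_PUBLIC, []))
    print("with rule:", forward(client, WEB_PUBLIC, [UTURN_RULE]))
```

Without the rule the request leaves toward the untrust zone; with it, the destination is rewritten and the second lookup selects the DMZ egress interface.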