Palo Alto Networks Knowledgebase: How to Configure U-Turn NAT

How to Configure U-Turn NAT

(5672 Views)
Created On 09/25/18 17:19 PM - Last Updated 09/25/18 23:10 PM
Categories: 

Issue:


Solution:


Overview

“U-turn” refers to the logical path traffic appears to travel when accessing an internal resource when the external address are resolved. U-turn NAT refers to a network where internal users need to access an internal server using the server’s external public IP address.

 

 

Details

For this example, an internal web server uses a DNS record pointing to the server’s external public Internet address.

 

External users resolve the address, connect to the external interface of the firewall and their session is translated and handled by the firewall. An internal user connecting to this same FQDN connects to the external address, though the physical server may be located on that user’s internal subnet or a DMZ with internal addressing.

 

When setting up NAT rules, the source and destination zones need to be configured to correspond to the zones to which the source and destination IP addresses belong. In contrast, security rule zones are determined by the actual source and destination but list the original packet destination IP addresses.

 

  • For normal inbound traffic from the Internet to the Web server, the rules look like this:
    The normal inbound NAT and Security rule that allows external users to access a web-server from the Internet is as follows:
    Inbound.PNG.png
    Security Inbound.PNG.png

Note: Set services to "any" if the user does not want to limit the security policy to ports 80 or 443, or to application default if the user wants it to be used for port 80 only, according to the application web-browsing.

 

  • Following is an example of the U-turn NAT rules and Security for Hosts and Web Servers in the Same Zone as host on the LAN:

dai2.jpg

    • NAT rule for same zone U-turn NAT.
    • No Security Rule is necessary since the traffic's source zone is ultimately destined for the same zone.

Screen Shot 2015-05-12 at 1.08.35 PM.png

 

  • This is an example of the U-turn NAT and Security for Hosts and Web Servers in a Different Zone:

dai.JPG

    • The NAT rule for Different zone U-Turn NAT is different from the same zone NAT, as there is no need for source nat (there will not be assymetry in the flow of packets), but this rule does need to be placed above the generic outbound hide-NAT:

2015-10-22_10-00-12.png

    • Security Rules for U-Turn NAT:

12568_Security Different Zone.PNG.png

 

Additional NAT resources:

Getting Started: Network Address Translation (NAT)

 

owner: tpiens

Attachments:

Actions:
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Change Language: