Palo Alto Networks Knowledgebase: How to Configure U-Turn NAT
How to Configure U-Turn NAT
Created On 09/25/18 17:19 PM - Last Updated 02/07/19 23:54 PM
“U-turn” refers to the logical path traffic appears to travel when accessing an internal resource when the external address are resolved. U-turn NAT refers to a network where internal users need to access an internal server using the server’s external public IP address.
For this example, an internal web server uses a DNS record pointing to the server’s external public Internet address.
External users resolve the address, connect to the external interface of the firewall and their session is translated and handled by the firewall. An internal user connecting to this same FQDN connects to the external address, though the physical server may be located on that user’s internal subnet or a DMZ with internal addressing.
When setting up NAT rules, the source and destination zones need to be configured to correspond to the zones to which the source and destination IP addresses belong. In contrast, security rule zones are determined by the actual source and destination but list the original packet destination IP addresses.
For normal inbound traffic from the Internet to the Web server, the rules look like this: The normal inbound NAT and Security rule that allows external users to access a web-server from the Internet is as follows:
Note: Set services to "any" if the user does not want to limit the security policy to ports 80 or 443, or to application default if the user wants it to be used for port 80 only, according to the application web-browsing.
Following is an example of the U-turn NAT rules and Security for Hosts and Web Servers in the Same Zone as host on the LAN:
NAT rule for same zone U-turn NAT.
No Security Rule is necessary since the traffic's source zone is ultimately destined for the same zone.
This is an example of the U-turn NAT and Security for Hosts and Web Servers in a Different Zone:
The NAT rule for Different zone U-Turn NAT is different from the same zone NAT, as there is no need for source nat (there will not be assymetry in the flow of packets), but this rule does need to be placed above the generic outbound hide-NAT: