Palo Alto Networks Knowledgebase: Unable to reach server's public IP address

Created On 09/26/18 13:55 PM - Last Updated 02/07/19 23:39 PM
Content Release Deployment


  • Unable to reach the server's public IP address.


  • A second public range is configured on interface e1/2, while the physical host is located on e1/3.
  • NAT rules are configured from untrust to untrust.


  • The server's public IP address is in the same address space as the IP address of another interface on the Palo Alto Networks firewall.
    e1/1, zone untrust, public IP
    e1/2, zone DMZ-Public, IP
    e1/3, zone DMZ-Private, IP (the server is connected to e1/3; public IP, private IP)
    NAT policy set for "untrust zone to untrust zone".
  • The firewall sees the ingress traffic's destination IP address as destined for the "DMZ-Public" zone.
  • This is because a route lookup on the server's public IP address returns DMZ-Public as the destination zone.


However, the NAT policy only matches traffic from "untrust" to "untrust". The ingress traffic, whose destination zone resolves to "DMZ-Public", matches no NAT rule, so it is not translated and is dropped.


  • Edit the NAT policy.
  • Change the destination zone to "DMZ-Public".
    Changing the destination zone from "untrust" to "DMZ-Public" causes the ingress traffic to properly match the source and destination zones, based on route lookups.
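The following is an added example, not Palo Alto Networks code, that models the zone lookup this article describes: the destination zone of a NAT rule is decided by a route lookup on the original (pre-NAT) destination IP, not by the zone the packet arrived on. The interface subnets, the server's public and private addresses and the default route are constructed placeholders, since the article does not give the real values; the interface, zone and rule names follow the article.

```python
"""Toy model of the PAN-OS NAT destination-zone lookup (added example).

Constructed placeholder addressing that mirrors the article's layout:
  e1/1 untrust      198.51.100.0/24   (default route points out here)
  e1/2 DMZ-Public   203.0.113.0/24    (the server's public IP lives here)
  e1/3 DMZ-Private  10.10.10.0/24     (the server host is physically here)
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network  # connected subnet, present in the route table


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str  # evaluated against the zone a route lookup returns for dst_ip
    dst_ip: ipaddress.IPv4Address  # original (public) destination
    translated_ip: ipaddress.IPv4Address


INTERFACES = [
    Interface("ethernet1/1", "untrust", ipaddress.ip_network("198.51.100.0/24")),
    Interface("ethernet1/2", "DMZ-Public", ipaddress.ip_network("203.0.113.0/24")),
    Interface("ethernet1/3", "DMZ-Private", ipaddress.ip_network("10.10.10.0/24")),
]
DEFAULT_ROUTE_INTERFACE = "ethernet1/1"  # 0.0.0.0/0 via e1/1 (constructed)

SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.50")  # inside e1/2's range
SERVER_PRIVATE_IP = ipaddress.ip_address("10.10.10.50")  # host behind e1/3


def route_lookup_zone(dst_ip: ipaddress.IPv4Address) -> str:
    """Zone of the egress interface a route lookup picks for dst_ip.

    Longest-prefix match over connected routes; if nothing matches, the
    default route's interface (and therefore its zone) wins.
    """
    best: Optional[Interface] = None
    for iface in INTERFACES:
        if dst_ip in iface.network and (
            best is None or iface.network.prefixlen > best.network.prefixlen
        ):
            best = iface
    if best is None:
        best = next(i for i in INTERFACES if i.name == DEFAULT_ROUTE_INTERFACE)
    return best.zone


def match_nat(rules, ingress_zone: str, dst_ip: ipaddress.IPv4Address) -> Optional[NatRule]:
    """First NAT rule whose (source zone, destination zone, original dst) matches.

    The destination zone compared here is the one from route_lookup_zone(),
    which is why a rule written as untrust -> untrust never matches a
    destination that routes to DMZ-Public.
    """
    dst_zone = route_lookup_zone(dst_ip)
    for rule in rules:
        if rule.src_zone == ingress_zone and rule.dst_zone == dst_zone and rule.dst_ip == dst_ip:
            return rule
    return None


def translated_destination(rules, dst_ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
    """Inbound packet arriving on e1/1 (zone untrust): return the post-NAT
    destination, or None when no NAT rule matches (the article's drop case)."""
    rule = match_nat(rules, "untrust", dst_ip)
    return rule.translated_ip if rule else None


# The rule as originally configured (untrust -> untrust) and the corrected one.
BROKEN_RULE = NatRule("server-dnat", "untrust", "untrust", SERVER_PUBLIC_IP, SERVER_PRIVATE_IP)
FIXED_RULE = NatRule("server-dnat", "untrust", "DMZ-Public", SERVER_PUBLIC_IP, SERVER_PRIVATE_IP)

if __name__ == "__main__":
    print("route lookup zone:", route_lookup_zone(SERVER_PUBLIC_IP))
    print("untrust->untrust rule:", translated_destination([BROKEN_RULE], SERVER_PUBLIC_IP))
    print("untrust->DMZ-Public rule:", translated_destination([FIXED_RULE], SERVER_PUBLIC_IP))
```

Running it shows the route lookup returning DMZ-Public for the server's public IP, the untrust-to-untrust rule producing no translation, and the corrected rule translating to the private address. The same lookup is worth keeping in mind whenever a public range is bound to an interface other than the one facing the internet: the destination zone in the NAT rule must be the zone that owns that range.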


owner: jdavis
