Last week I was asked to configure access to a web app that sits within an isolated training environment. The first part of the ticket was to configure standard static NAT access to this web app. Simple one to one IP static NAT, no problems with that.

The issue I faced arised when the web app needed to be accessed by its public (in this case WAN routeable) IP address from the same source zone. Student labs sit in the same zone as the server, although behind another L3 router (with its own ACLs).

Below is a diagram of the issue:
u turn nat

Essentially what we want to acheive here is to allow anything that is within the ISOLAB Zone access to the web server ( using its “DMZ” address To do that we have to create a destination nat policy rule on the Palo Alto:

So once the packet hits the default gateway of the DMZ zone ( it is translated back to the web server ( in the ISOLAB zone. Now access to the web app from the ISOLAB zone is via from within the ISOLAB zone.

There is no need for a security policy rule as the traffic is all within the same zone. NAT concepts can get very confusing, one of my tricks is to always think about the ‘original’ source packet as that is what NAT translates. the PA NAT policy screen on the Web GUI depicts this in a very clear manner.