U-turn NAT is required if a user from the Trust zone accesses the web server whose public IP is in public DNS and resolves to the public IP, so the traffic goes from the Trust zone to the Outside/Untrust zone. For this we need one NAT rule from Trust to Untrust, and the already existing NAT rule from Untrust to DMZ for destination NAT will be used to get to the actual DMZ server.
Hi there, I still don't get it. If the user from the Trust zone accesses the DMZ zone then we need NAT. We can route the traffic by simply assigning a policy, right? In what scenario would an organization host web servers in the DMZ but register them publicly so that internal users access them via the public IP? Don't the internal users access it on the private IP itself? Thanks
"Don't the internal users access it on the private IP itself?" Yes they can, but we don't do that. In that case you set up communication from Trust to DMZ for that server, which is open to the public as well. As you are an internal user, your IP address might be allowed for some other things as well. If anyhow something goes wrong, hackers may misuse this privilege. So whenever a user wants to access a DMZ server hosted for the public, that user also goes out, takes a public IP and then goes to access the DMZ server. I hope you understand a bit now?
When the DMZ server has a public IP in public DNS, then our ADs will also be in sync with public DNS, and when we access the DNS name from the LAN or Trust zone it will resolve to the public IP instead of the real DMZ IP. So in this case we need U-turn NAT.
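An added illustration of the point made in the comments above (example code written for this page, not from any commenter or vendor): a small model of zone-based NAT evaluation in which the pre-NAT zones of a packet come from a route lookup, so an internal client connecting to the published IP is classified as Trust to Untrust and the existing inbound rule does not match it. The topology, addresses and rule names are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not from the thread):
# Trust 10.1.0.0/16, DMZ 192.168.100.0/24, everything else routes to Untrust.
# Web server real IP 192.168.100.10, published in public DNS as 203.0.113.10.
ROUTES = [("10.1.0.0/16", "Trust"), ("192.168.100.0/24", "DMZ"), ("0.0.0.0/0", "Untrust")]
WEB_PUBLIC, WEB_REAL, FW_DMZ_IF = "203.0.113.10", "192.168.100.10", "192.168.100.1"

def zone_for(ip):
    """Zone of the longest-prefix route for ip: this is how the firewall derives
    the pre-NAT destination zone used when matching NAT rules."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p).prefixlen, z) for p, z in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches)[1]

# NAT rules: 'from'/'to' are pre-NAT zones (the public IP routes to Untrust, so the
# inbound rule is Untrust->Untrust); dst_xlate/src_xlate are translated addresses.
EXISTING_DNAT = {"name": "inbound-web", "from": "Untrust", "to": "Untrust",
                 "dst": WEB_PUBLIC, "dst_xlate": WEB_REAL, "src_xlate": None}
# U-turn rule: same destination translation, but for Trust-sourced traffic. The
# source is also translated to the firewall's DMZ interface so the server's reply
# comes back through the firewall and is un-NATed; the client then sees the public
# IP it connected to rather than a reply from the real DMZ address.
UTURN_NAT = {"name": "uturn-web", "from": "Trust", "to": "Untrust",
             "dst": WEB_PUBLIC, "dst_xlate": WEB_REAL, "src_xlate": FW_DMZ_IF}

def process(src, dst, nat_rules):
    """Return how a packet src->dst is translated and which zone pair the security
    policy must allow (pre-NAT source zone, post-NAT destination zone)."""
    from_zone, to_zone = zone_for(src), zone_for(dst)
    for rule in nat_rules:
        if (rule["from"], rule["to"], rule["dst"]) == (from_zone, to_zone, dst):
            new_dst, new_src = rule["dst_xlate"], rule["src_xlate"] or src
            return {"nat_rule": rule["name"], "src": new_src, "dst": new_dst,
                    "policy_zones": (from_zone, zone_for(new_dst))}
    # No rule matched: packet is forwarded unchanged toward the routed zone.
    return {"nat_rule": None, "src": src, "dst": dst,
            "policy_zones": (from_zone, to_zone)}

if __name__ == "__main__":
    print(process("10.1.5.20", WEB_PUBLIC, [EXISTING_DNAT]))             # no match
    print(process("10.1.5.20", WEB_PUBLIC, [EXISTING_DNAT, UTURN_NAT]))  # u-turn
```

Without the U-turn rule the internal client's packet to the public IP matches nothing and is sent toward Untrust with the public destination intact; with it, the destination becomes the real DMZ address and the security policy is evaluated as Trust to DMZ.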
Thanks for the feedback Avinash. I also feel this is creating confusion; I recorded a new one for it. Check this out: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-SN0Zp7Atp4Y.html Feel free to reach me if you still have questions 😊