
Saturday, May 22, 2021

DMZ / INSIDE Server Access Through PaloAlto via Destination NAT

I have achieved the same result using Static NAT, which can also be called Source NAT or one-to-one bidirectional NAT. Please click here to view that post.

This post is about how we can do the same thing using a destination NAT.

The diagram and IP addresses are the same as in that post.

Imagine that 10.1.1.10 and 10.1.1.11 are public IPs and that 10.1.1.10 is the IP address of the physical interface.
Users from the internet should be able to ping 10.1.1.11, which represents the DMZ server 100.2.2.10.

This time, the NAT rule is as follows.

Go to Policies > NAT

Both the source and the destination (10.1.1.11) are in the OUTSIDE zone, and the destination IP of the original packet (the public IP the user tries to reach, 10.1.1.11) is translated to the local IP of the server (100.2.2.10).

The security policy is the same as in the Source NAT example.

Go to Policies > Security

Remember that the destination address in the security policy here is the public IP (the pre-NAT address), because:

the security policy is evaluated first, then the NAT policy, and then routing.
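As an added example (not from the original post), here are the same NAT rule and security policy expressed as PAN-OS configure-mode `set` commands, followed by the operational-mode checks that confirm which rules a packet from the internet would match. The zone names OUTSIDE and DMZ, the rule names, the `log-end` setting, and the source address 203.0.113.5 used in the checks are assumptions; lines beginning with `#` are annotations, not CLI input.

```text
# Zone names OUTSIDE and DMZ, the rule names and the test source
# address are assumptions, not values taken from the original post.

configure

# Destination NAT rule. Both zones are OUTSIDE because the pre-NAT
# destination 10.1.1.11 lives on the outside interface; the public IP
# is translated to the DMZ server's real address 100.2.2.10.
set rulebase nat rules DNAT-DMZ-Server from OUTSIDE to OUTSIDE source any destination 10.1.1.11 service any destination-translation translated-address 100.2.2.10

# Security policy. The destination address is the public (pre-NAT) IP
# 10.1.1.11, while the destination zone is the post-NAT zone DMZ.
# Only ping is allowed, which is all the post requires; tighten
# "source any" to known source networks wherever that is possible.
set rulebase security rules Allow-Ping-DMZ-Server from OUTSIDE to DMZ source any destination 10.1.1.11 application ping service application-default action allow log-end yes

commit

# Operational-mode checks with a constructed internet source 203.0.113.5.
# protocol 1 = ICMP. Both tests should report the rule names above.
test nat-policy-match from OUTSIDE to OUTSIDE source 203.0.113.5 destination 10.1.1.11 protocol 1
test security-policy-match from OUTSIDE to DMZ source 203.0.113.5 destination 10.1.1.11 protocol 1 application ping

# After a real ping, the session table shows the translated destination.
show session all filter destination 10.1.1.11
```

The two `test` commands make the point of the post visible: the NAT lookup is tested with zones OUTSIDE to OUTSIDE, but the security policy is tested with the destination zone DMZ and still with the public address 10.1.1.11, which is exactly why the security rule must name the public IP rather than 100.2.2.10.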
