Screen OS

  • 1.  SSG-5 DMZ -> Trust policy issue?

    Posted 08-13-2013 18:32

    I have a network setup like the diagram below. A user in the DMZ can't see a website hosted in Trust at 10.1.10.100, which is a NAT'ed MIP from public 1.2.3.8, by visiting www.example.com, but anyone else on the Untrust/Internet can. What policy do I need, and/or how do I fix this otherwise?



  • 2.  RE: SSG-5 DMZ -> Trust policy issue?

    Posted 08-13-2013 21:30

    I suggest trying to add a policy from DMZ to Untrust for the MIP IP.

    Also, let me know whether there is any source NAT happening at any stage, i.e. policy NAT to the egress interface.

    Venkat



  • 3.  RE: SSG-5 DMZ -> Trust policy issue?

    Posted 08-14-2013 18:53

    I added a policy:

    DMZ -> Untrust of ANY -> MIP(1.2.3.8)

    and it still doesn't work.

    On my policy DMZ -> Untrust of ANY / ANY I have Advanced -> Source Translation -> None (use egress IP), and from the DMZ, whatismyip.com shows the public IP of the 0/0 Untrust interface.

    Should I change any of these?



  • 4.  RE: SSG-5 DMZ -> Trust policy issue?
    Best Answer

    Posted 08-15-2013 03:08

    Confirm that ethernet0/1 is changed from mode: nat to mode: route on the interface selection. I believe the default ships with the interface in nat mode, which will do source translation to the untrust interface address without a policy.



  • 5.  RE: SSG-5 DMZ -> Trust policy issue?

    Posted 08-15-2013 09:58

    Thanks for pointing me in that direction. While I found that

    Network -> Interfaces -> 0/1 (edit) shows interface mode = route

    I also found while I was there that I still had a legacy secondary IP of 1.2.3.4/28, and once I removed it, my routing works, so thanks for the help!

    The reason I had a secondary IP on 0/1 DMZ is that I was trying to use both 192.168.5.0/24 and 1.2.3.4/28 on that same interface, but was also trying to use 1.2.3.4/28 NAT'ed to Trust, which was, um, problematic (possibly due to lack of understanding on my part).

    I have since gotten a new separate public subnet of 5.6.7.8/28 from the upstream provider, and I have started a separate thread to ask whether it is possible to route without NAT to 0/1 DMZ as a secondary IP/subnet while NAT'ing on 0/1 DMZ to 192.168.5.0 as well, or whether I should be thinking about this differently.
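The ScreenOS CLI equivalent of the working setup the thread arrives at, as an added example that is not part of any post above: the MIP on the Untrust interface, the DMZ interface in route mode with no stray secondary address, and the policies that let DMZ hosts reach the web server through the MIP. Interface names (ethernet0/0 for Untrust, ethernet0/1 for DMZ), the firewall's own public address 1.2.3.9/28, the DMZ address 192.168.5.1/24 and the use of the predefined HTTP service are assumptions; the other addresses are the thread's placeholders. The `#` lines are annotations, not CLI input. Note that 1.2.3.8 lies inside 1.2.3.4/28, so a secondary address in that range on the DMZ interface makes the MIP address look like a directly connected DMZ host, which is why removing it mattered.

```text
# Added example (not from the thread). Assumed interface/zone layout:
#   ethernet0/0 = Untrust (public side), ethernet0/1 = DMZ, Trust behind ethernet0/2 (not shown)

# Untrust interface: public address, route mode, and the 1:1 MIP to the Trust web server
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 1.2.3.9/28                  # assumed firewall public address
set interface ethernet0/0 route
set interface ethernet0/0 mip 1.2.3.8 host 10.1.10.100 netmask 255.255.255.255 vrouter trust-vr

# DMZ interface: route mode (NOT nat mode, which source-translates to the Untrust address
# without any policy), a single private address, and the legacy secondary removed
set interface ethernet0/1 zone DMZ
set interface ethernet0/1 ip 192.168.5.1/24              # assumed DMZ address
set interface ethernet0/1 route
unset interface ethernet0/1 ip 1.2.3.4/28 secondary      # the leftover secondary IP from post 5

# Policies. The auto-created address-book entry MIP(1.2.3.8) belongs to the zone of the
# interface hosting the MIP (Untrust), so DMZ clients are allowed DMZ -> Untrust to the MIP,
# not DMZ -> Trust to 10.1.10.100. Specific MIP policies are set before the catch-all.
set policy from Untrust to Trust any MIP(1.2.3.8) HTTP permit
set policy from DMZ to Untrust any MIP(1.2.3.8) HTTP permit
set policy from DMZ to Untrust any any ANY permit        # general outbound, no source translation

# Checks after the change
get interface ethernet0/1     # expect "mode: route" and no secondary IP listed
get mip                       # expect 1.2.3.8 -> 10.1.10.100 on ethernet0/0
get policy                    # expect both MIP policies present and enabled
get route                     # expect no connected route for 1.2.3.0/28 on ethernet0/1
save
```

If a DMZ host still cannot reach the site after this, confirm with `get route` that nothing on the DMZ side still claims 1.2.3.0/28 as directly connected; any such route wins over the MIP for traffic to 1.2.3.8.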