The current Security Gateway infrastructure performs either "Client Side" NAT or "Server Side" NAT.
When a client sends a request to a Security Gateway configured as a Proxy, the Security Gateway resolves the IP address of the requested domain using the configured DNS server.
If the resolved IP address is an external IP address that is NATed by the Security Gateway, then the connection to that IP address is opened by the Security Gateway. Since there is no NAT on the client's outgoing connection, and the server is NATed by the Security Gateway, the packet leaves the external interface of the Security Gateway and never reaches the NATed destination.
This is expected behavior by design.
Note: The issue is relevant under the following conditions:
- The clients are using the Security Gateway as a Proxy.
- The destination servers are NATed by the Security Gateway.
- The DNS server configured on the Security Gateway replies with the NATed IP address of the server.
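
To find which destinations meet the conditions above, the following added example (not part of the original article) cross-references the answers from the gateway's DNS server against the gateway's static NAT rules. The NAT table, hostnames and addresses are constructed sample data, and `affected_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the article.
# Static NAT rules on the gateway: NATed (external) address -> real server address.
STATIC_NAT = {
    "203.0.113.10": "10.1.1.10",
    "203.0.113.20": "10.1.1.20",
}
# Answers returned by the DNS server configured on the gateway (constructed).
DNS_ANSWERS = {
    "intranet.example.com": ["203.0.113.10"],           # resolves to a NATed address
    "mail.example.com": ["10.1.1.20"],                  # resolves to the real address
    "www.example.org": ["198.51.100.7"],                # not NATed by this gateway
    "alias.example.com": ["intranet.example.com."],     # non-address record, skipped
}

def affected_hosts(dns_answers, static_nat, clients_use_proxy=True):
    """Return {hostname: [(natted_ip, real_ip), ...]} for destinations where
    clients use the gateway as a proxy, the server is NATed by the gateway,
    and the gateway's DNS server replies with the NATed address."""
    if not clients_use_proxy:
        return {}  # condition 1 not met: connections are not opened by the gateway
    # Normalise addresses so textual variants of the same IP compare equal.
    nat = {ipaddress.ip_address(k): ipaddress.ip_address(v)
           for k, v in static_nat.items()}
    hits = {}
    for host, answers in dns_answers.items():
        matched = []
        for answer in answers:
            try:
                ip = ipaddress.ip_address(answer)
            except ValueError:
                continue  # CNAME targets and other non-address answers
            if ip in nat:  # conditions 2 and 3: NATed server, DNS returns NATed IP
                matched.append((str(ip), str(nat[ip])))
        if matched:
            hits[host] = matched
    return hits

if __name__ == "__main__":
    for host, pairs in affected_hosts(DNS_ANSWERS, STATIC_NAT).items():
        for natted, real in pairs:
            print(f"{host}: DNS returns NATed address {natted} (real server {real})")
```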
There are two possible solutions for the issue:
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.