How do you create a loopback/hairpin NAT to an Interface IP?

Question

I am trying to publish multiple services to the Internet. It is working fine using business rules. But, I want to be able to add a loopback/hairpin NAT so that if someone inside the network uses the public IP to access the service they are redirected to the internal network. I would also like this bound to an interface IP and not an IP object because it will not always be a static IP.

This thread was automatically locked due to age.

lferrara · Accepted Answer

Alberto, 
 use the DNAT wizard and you will see that the wizard creates 3 DNAT rules: 
 
 dnat rule 
 loopback 
 reflexive 
 
 If you already have the DNAT rule that matches the same traffic, delete the DNAT rule created by the wizard. Delete the reflexive rule is you do not need it and keep the loopback rule. 
 If you want to create the loopback rule manually, create like this. See the screenshot:

Slawski · Answer

Ok, I made some tests and found definitive answer. 
 Yes it is possible. How to do that. Just create a Business Rule for non-HTTP Policy and specify as follows: 
 Section: Source 
 Host: Any 
 Exceptions: none defined 
 Section: Hosted Server 
 Source Zone: Any 
 Hosted Address: #Port2-a.b.c.d 
 Section: Protected Application Server(s) 
 Protected Zone: LAN (or DMZ) 
 Protected Application Server(s): YourServerHost 
 Forward all ports: no (off) 
 Section: Port Forwarding 
 as required 
 Section: Routing 
 Rewrite source address (Masquerading): Yes (On) 
 Use Outbound Address: MASQ (or any NAT policy if you have more than one public IP address) 
 Other sections: as required. 
 The MOST important is "Hosted Server" section. You MUST select "Any" zone because it defines interface which the traffic will come from (as I understand it). You must also select hosted address from firewall supplied #Port2 (or any other WAN port you use) because this is your public IP. 
 If you select Source Zone as WAN you will limit originating connection to come from any interface marked as WAN and automatically disable access to that rule from LAN side. 
 I have tested this on IMAP and SSH published to the Internet. When I was connecting from LAN side using external public address, the server reported connection from the XG IP not my LAN workstation IP.

Josh Leisk · Answer

This is a pretty good answer and a step in the right direction, but by following your steps, all traffic that appears at the destination host will have a source IP of the firewall, which is pretty dangerous for logging and control. 
 
 What you could do instead is to create 2 rules. A standard WAN->LAN DNAT Business Application rule (NO MASQ), and the same again, using the source zone as LAN (WITH MASQ). 
 This is obviously still not perfect, as the LAN traffic will show up on the destination host as the firewall, but this is arguably a lot safer than all of the WAN traffic, as well.