DNAT Support - FW Palo Alto - Double NAT
Hello PANgurus! Good afternoon. First of all, thanks for the support and collaboration, as always.
I have received a very strange request; I have tried to configure it in many ways and nothing works.
What the client/customer wants:
DNAT with double NAT, i.e.:
Internet ======= Palo Alto public IP direct to FW ===== DNAT to an IP in the DMZ range (an IP within the range, but a fictitious one; that is, the DMZ has a range of 192.168.5.0/24 and the IP 192.168.5.100 will be used) ----- then DNAT again to the IP 10.10.10.100 (Inside zone).
Now, if I do it directly to the IP 10.10.10.100, the DNAT works fine. I have done other NATs (DNAT, source NAT, source NAT with an IP range), no...
Internet IP --- from FW --- DNAT to a dummy/loopback/secondary IP of the DMZ-zone interface ---- (it is not a host IP: it is a dummy/loopback/secondary IP on the DMZ interface, IP 192.168.5.100) ---- and when it hits the 192.168.5.100 of the same PA FW ---- DNAT goes to the IP 10.10.10.100, the final server in the Inside/LAN zone.
To me it is madness that does not make any sense, but I must justify well why not and why it cannot be done, is not feasible, or is not convenient.
But when I do that double DNAT, it doesn't work. I've tried adding /32 routes to the IP 192.168.3.100/32 and to 10.10.10.100/32, and placing a secondary IP on the DMZ interface/zone.
I have tried the DNAT or NAT itself in every way:
Source any, destination DMZ 192.168.5.100, DNAT to 10.10.10.100.
Source any, destination Inside 10.10.10.100, DNAT to 192.168.5.200.
And all the possible variants, and nothing: no hit.
Security policies: also all possible variants.
Is that double NAT feasible? To be honest, it doesn't make much sense to me, but is it technically feasible? Because no matter how much I rearrange it, nothing happens.
Thank you; I remain attentive to any advice, collaboration, etc.
Kind regards
Any given session can only hit a NAT rule once, so after NAT is applied to a session ID it can no longer hit a different NAT rule.
The only way to NAT a flow twice is by making a new session, which can only be achieved by having the packets exit the firewall and come back in, which creates a new session.
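A toy Python model of the one-NAT-rule-per-session behaviour the reply describes, added here as an example; it is not PAN-OS code or anything posted in the thread. The public and client addresses (203.0.113.10, 198.51.100.7) and the rule names are constructed; the DMZ and inside addresses are the ones from the question.

```python
from dataclasses import dataclass

# Constructed toy model of the behaviour described in the reply (not PAN-OS code):
# NAT is looked up once, on the pre-NAT destination, when a session is created;
# every later packet of that session reuses the stored translation.

@dataclass(frozen=True)
class NatRule:
    name: str
    orig_dst: str        # pre-NAT destination the rule matches on
    translated_dst: str  # destination after translation

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = {}  # (src, pre-NAT dst, dport) -> post-NAT dst (simplified 5-tuple)
        self.nat_hits = []  # audit trail of NAT rule names, in order of session creation

    def _lookup_nat(self, dst):
        # First-match on the ORIGINAL destination; evaluated once per session.
        return next((r for r in self.rules if r.orig_dst == dst), None)

    def forward(self, src, dst, dport):
        key = (src, dst, dport)
        if key not in self.sessions:          # slow path: new session, NAT decided here
            rule = self._lookup_nat(dst)
            self.sessions[key] = rule.translated_dst if rule else dst
            if rule:
                self.nat_hits.append(rule.name)
        return self.sessions[key]             # fast path: no second NAT lookup

RULES = [  # public IP is constructed; DMZ and inside addresses are the question's
    NatRule("DNAT-public-to-dmz", "203.0.113.10", "192.168.5.100"),
    NatRule("DNAT-dmz-to-inside", "192.168.5.100", "10.10.10.100"),
]

def double_dnat_single_pass():
    """One session through the box: only the first matching NAT rule applies."""
    fw = Firewall(RULES)
    final_dst = fw.forward("198.51.100.7", "203.0.113.10", 443)
    # Second rule never runs: the session already carries its single translation.
    return final_dst, fw.nat_hits

def double_dnat_hairpin():
    """Translated flow exits and re-enters: a new session, so NAT is evaluated again."""
    fw = Firewall(RULES)
    first_hop = fw.forward("198.51.100.7", "203.0.113.10", 443)
    final_dst = fw.forward("198.51.100.7", first_hop, 443)  # new key -> new session
    return final_dst, fw.nat_hits
```

In the single pass the second DNAT rule never fires because the session was created with one translation; the hairpin case models the packet leaving and re-entering, which creates a new session and therefore a fresh NAT evaluation.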