xpdm0003 last edited by
We want to configure a NAT-Dst from the Internet (Untrust zone) to a Trust zone IP, but the NAT IP to translate belongs to the DMZ zone. For example:
Src: 220.127.116.11 (Internet - Untrust) - Dst: 18.104.22.168 (Trust Zone)
That packet must be transformed in the following way:
Src: 22.214.171.124 (Internet - Untrust) - Dst: 10.96.16.9 (DMZ Zone)
We have configured a NAT policy based from Untrust to Trust, but this is the result:
[ Dest] 22.route 10.96.16.9->10.96.1.3, to ethernet2/2
routed (10.96.16.9) from ethernet3/1 (ethernet3/1 in 0) to ethernet2/1
packet dropped, routed to different zone
Can you help us?
Two ways to fix this:
1. Set a static (host) route specifying the right interface:
set route 10.96.1.3/32 interface ethernet2/2
2. Set in the CLI: set arp nat-dst, and define your policy from untrust to untrust.