NAT-DST Problem



  • Hello.

    We want to configure a NAT-Dst from the Internet (Untrust zone) to a Trust zone IP, but the NAT IP to translate to belongs to the DMZ zone. For example:

    Src: 80.30.128.43 (Internet - Untrust) - Dst: 194.168.16.9 (Trust Zone)

    That packet must be transformed in the following way:

    Src: 80.30.128.43 (Internet - Untrust) - Dst: 10.96.16.9 (DMZ Zone)

    We have configured a NAT policy based from Untrust to Trust, but this is the result:

    [ Dest] 22.route 10.96.16.9->10.96.1.3, to ethernet2/2
      routed (10.96.16.9) from ethernet3/1 (ethernet3/1 in 0) to ethernet2/1
      packet dropped, routed to different zone

    Can you help us?

    Thanks.


  • Global Moderator

    Two ways to fix this:

    1. Set a static (host) route specifying the right interface:

    set route 10.96.1.3/32 interface ethernet2/2

    Or:

    In the CLI, set "set arp nat-dst" and define your policy from untrust to untrust.


 
