Advanced NAT Example

A client (192.168.69.10) in the VPN Zone needs to access a server on the DMZ with a public IP address (204.68.184.237) not configured on the device. The device should translate the public IP to the private IP of the server (172.25.3.50).  The packet should be seen as sourced from an unknown IP (192.168.222.16), which is not configured on the device. The server should be able to initiate the traffic to the client at IP 192.168.222.16 , which will be translated by the device to the client's original IP, 192.168.69.10. Additionally, the source IP of the server should be changed to the Public IP, 204.68.184.237.

1. Create 2 loopback interfaces:

   loopback.1: 192.168.222.16/32 with zone "VPN" and appropriate VR

   loopback.2: 204.68.184.237/32 with zone "VPN" and appropriate VR

   

2. Create 2 NAT rules:
   • From VPN Client to Server:

     Source Zone: VPN

     Destination Zone: VPN

     Source Address: 192.168.69.10

     Destination Address: 204.68.184.237

     Source Translation: Select "Dynamic IP and Port". Select "Interface Address" . Select "loopback.1", Select IP "192.168.222.16"

     Destination Translation: 172.25.3.50

   • From Server to VPN Client:

     Source Zone: DMZ

     Destination Zone: VPN

     Source Address: 172.25.3.50

     Destination Address: 192.168.222.16

     Source Translation: Select Dynamic IP and Port.  Select Interface Address. Select loopback.2.  Select IP 204.68.184.237.

     Destination Translation: 192.168.69.10

     

3. Create 2 Security Policies:
   • From VPN Client to Server:

     Source Zone: VPN

     Destination Zone: DMZ

     Source Address: 192.168.69.10

     Destination Address: 204.68.184.237

   • From Server to VPN Client:

     Source Zone: DMZ

     Destination Zone: VPN

     Source Address: 172.25.3.50

     Destination Address: 192.168.222.16

     

owner: kalavi