The overlap that you have in the 192.168.0.0/16 network isn't something that can be fixed by using a second virtual router. The first routing lookup decision would work to force the 10.0.0.3 address to the correct zone. Once NAT is matched, the second routing lookup will take place and then send the traffic to the internal network. If the 192.168.0.0/24 subnet is not used in your network, then you can just configure a NAT on the firewall and a route to send it to the next hop. If you are using 192.168.0.0/24 in your network, then this could be resolved by using a second virtual system, but the PA-850 does not support multiple virtual systems. A minimum of a PA-3200 is needed to get the multi-vsys feature. If you can perform a source NAT on the traffic prior to it being received on the PA-850 (Linux VM with DNAT), then you would use a PBF rule for the source of the Linux VM to the destination of the 192.168.0.3 server, to use the next hop of 192.168.99.252. The Linux VM just needs to be able to route that traffic to the PA-850 for that address/subnet.