Here's an example. The direct connection to the isp is a /30, 10.1.1.2/30. Your public IP space is 184.108.40.206/24 (This doesn't have to be BGP advertised. It can just be another subnet that the ISP has assigned to you that they route to 10.1.1.2) Create a static route for 220.127.116.11/24. I usually set the interface to the untrust and the next hop to 'None' By creating this static route, it puts the prefix in the routing table. BGP will only advertise prefixes that exist in the routing table. Also, when NAT statements are created for the public subnet, an entry for this public network must exist in the routing table or the processing of the traffic will fail. Check out page 4 on this doc: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf A forwarding lookup is done before NAT is even processed. If the destination doesn't exist, then traffic is discarded before it even gets to the NAT lookup. By having a route to null0, the prefix exists and the flow continues.
... View more