We have the exact same scenario, but rather than doing the NAT with the IP address of the interface, we need to NAT with one of the IP addresses that is in the same range as the FW sub-interface (untagged).
What we are trying to do is a PA firewall running multiple VSYS; each VSYS will share one physical interface with multiple untagged sub-interfaces, and each VSYS gets one public IP from the same range. We also need to perform 1-to-1 NAT with some of the extra remaining public IP addresses.
1-to-1 NAT works fine when the public IP address is configured on the main (untagged) interface of the FW; NAT doesn't work anymore when we move the public IP to a sub-interface (untagged). However, communication from the multiple VSYS with untagged sub-interfaces can still reach the outside world via the IP address assigned on the untagged sub-interfaces.
Please could you help? Thanks