Sorry what’s a typo, it is:

Source: 172.16.32.0/24, Destination 10.0.0.0/24, Translated Dest: 192.168.10.1/32

Im really glad you asked this question and I will tell you how to do it. I know this is not as easy as it may seem...so what you have to do is instead of using host object create address range and give it starting and ending IP as same address, so in your case 192.168.10.1 and once you save, dont push policy yet, just click the option from the menu to verify, because if it shows all green, then its good to go.

Let me know if any issues. I actually discovered this last year when customer had exactly same problem...

Hi the_rock so here is the list of what i've tried:

- first attempt: SRC NET: 172.16.32.0/24 DST NET 10.0.0.0/24 DST XLATE 192.168.10.1 (as address range) -- not working

- secondattempt: SRC NET: 172.16.32.0/24 DST NET 10.0.0.1-254 (as address range) DST XLATE 192.168.10.1 (as address range) -- not working

The only way to make it works is with a single IP as DST NET 😞

Can you send me a screenshot of the rule you attempted the way I mentioned, as well as how you defined address range?

yes, see the attachments

Make sure you did not inadvertently configured NAT for auto nat on the network objects. Just for my own sanity, I tested this in the lab and worked fine. See attached. Im free around 1.30 pm EST to do remote if you like, just message me privately.

Cheers.

i've checked all the network objects and auto nat is not enabled.

I'm testing it too into a small lab before production. I'm in Italy, so 1.30PM EST should be 7PM here, but i'm not avaliable at this time 😞

Ah Italy, ok :). Im just watching some Italian cartoon movie. Buongiorno...hey, send me your email, lets do remote now, I can send you webex or zoom.

@PhoneBoy ...maybe you can give your CP expert input on this. So I did zoom remote with Gianmarco and he showed me that if you do single IP as destination in original packet, all works fine, BUT, if you do whole network /24, it fails, for some reason nat does not take place...cant say I seen this in a long time. Do you think maybe clearing NAT table might be worth it? We did capture on the firewall for destination IP 192.168.15.19 and all we see are echo requests and no replies and no drops anywhere, but routing definitely seems correct.

This is sounding like a bug which means we’ll need a TAC.

I’ve already opened a SR and explain the current behavior. I let you know when have a feedback. 

thanks all for your support 

Thats what I thought as well...maybe fw tab -t fwx_alloc -x command might help, but not sure if even clearing NAT table would do much, but worth a try.

What I’ve to achieve is this:

each packet received from source NET 172.16.32.x and destinated to any IP of the NET 10.0.0.x (it’s a fake network, not present anywhere) should be natted to IP 192.168.10.1. As I’ve said doing static NAT to specific IP of NET 10.0.0.x to 192.168.10.1 is working as expected.

But that's exactly what I do not understand the reason for.

I mean, if you have a legitimate need to NAT network to network 1:1, I understand that.

If, on the other hand, your incoming traffic is ultimately targeting a single IP, why would the users in NET 172.16.32.x be trying to connect to random IPs in NET 10.0.0.x, to only be NATed to a single IP?

Because on the other side I don’t have a real user but an IoT device that can be configured with various IP of subnet 10.0.0.x, and we are not aware of all IPs, so to avoid doing NAT for each sigle IP we are using this type of configuration on actual firewall (obviously there is a rule that restrict ports on the target machine)

Thank you for explaining your use case, it makes sense now.

Just an idea ... What if you use VIP in combination of Load Balance ? I mean, you will always connect to the same IP (VIP), but the LB will do the job to transfer traffic to real (random) IoT IP. LB will be "man-in-the-middle" configured with static IP (VIP).

I’ve used a similar solution on another firewall using L3 routing of this subnet to an LB, but in this scenario cannot be done because there is no availability of a dedicated LB 😞

@stich86 , did you get anywhere with TAC on this issue? If it is a legitimate hide NAT many to one problem for "phantom networks", I hope it is solved before R81.10 goes GA.

Incidentally, what is the setting for the "allow NAT inside VPN community" for this connection?

Hi Vladimir,

i had a Zoom call yesterday to explain the issue to the TAC. On first attempt they said to me that the many to one is supported only from internal to external (Hide NAT), but i've complained about that cannot be the first customer to have this feature working.

Then we have done some troubleshooting and found a funny behaviour. With the NAT configured as @the_rock suggestion, the NAT rules is engaged but the XLATE DST (where i'm using an address range with start/end a single IP, in my case 192.168.10.1) is translated with the IP into the address range object plus the last octet of the Original DST IP.

Let me explain better:

SRC IP: 172.16.32.10 ---> DST IP: 10.0.0.1 ---> XLATE DST IP: 192.168.10.2

SRC IP: 172.16.32.10 ---> DST IP: 10.0.0.15 ---> XLATE DST IP: 192.168.10.16

And so on.. so it looks like a bug.

I hope they indentify it as an issue and give me a solution

Thank you for the update!

Please update the thread with (hopefully) eventual resolution.