Troubleshooting Tip: SNAT Subnet-to-Subnet with IP Pool Fixed Port

Original source network:

10.20.30.0/24

Translated SNAT network:

172.16.25.0/24

Network original and NAT must have the same netmask in this case /24 and the fourth octet will always match, for example:

Original     -SNAT-> Translated

10.20.30.1   -SNAT-> 172.16.25.1

10.20.30.66  -SNAT-> 172.16.25.66

10.20.30.128 -SNAT-> 172.16.25.128

10.20.30.250 -SNAT-> 172.16.25.250

And so on.

Configure a port-fixed fixed IP-Pool:

config firewall ippool

edit "10.20.30-SNAT-172.16.25"

set type fixed-port-range
set startip 172.16.25.1
set endip 172.16.25.254
set source-startip 10.20.30.1
set source-endip 10.20.30.254

next

end

And apply it in an outbound Firewall Policy.

Results.

• Sniffer to destination with SNAT:

diagnose sniffer packet any 'host 192.168.200.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.200.1 and icmp]
2.222869 SW in 10.20.30.1 -> 192.168.200.1: icmp: echo request
2.222875 to-VPN out 172.16.25.1 -> 192.168.200.1: icmp: echo request
2.246761 to-VPN in 192.168.200.1 -> 172.16.25.1: icmp: echo reply

• Sniffer to destination without SNAT:

diagnose sniffer packet any 'host 192.168.200.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.200.1 and icmp]
9.333162 SW in 10.20.30.1 -> 192.168.200.1: icmp: echo request
9.333209 to-VPN out 10.20.30.1 -> 192.168.200.1: icmp: echo request
9.358343 to-VPN in 192.168.200.1 -> 10.20.30.1: icmp: echo reply