Not applicable

IPSEC VPN and inbound 1-to-1 NAT

Hi, I have a FG300 and I need to set up a site-to-site VPN to connect a remote partner. The remote partner's equipment is a Cisco. On my FG300 there are several policy-based IPSEC VPNs, all working fine.

The remote partner requires some clients to access the servers on my internal LAN; the client IP addresses must be NATted 1-to-1, e.g.: remote client1 IP 172.22.0.10 must be NATted to 10.1.0.10; remote client2 IP 172.20.0.99 NATted to 10.1.0.11, and so on.

The FG address on the LAN is 10.1.0.1, server addresses are 10.1.0.5 to 10.1.0.7. FG OS 3.0 MR7.

I haven't found any tip in the manuals, please help! Thanks
9 REPLIES
Not applicable

You can refer to the link below for FG to Cisco, but this doc talks about a full-subnet-mask site-to-site VPN; however, I hope it will be helpful for you to get an idea. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13574&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5739733&stateId=0%200%205741545
Not applicable

Thanks Muhammed, I've read it but it doesn't explain how to configure the NAT 1-to-1 :(
Not applicable

Remote partner requires to access with some clients to the servers on my internal LAN; clients IP addresses must be natted 1-to-1 eg: remote client1 IP 172.22.0.10 must be natted to 10.1.0.10; remote client2 IP 172.20.0.99 natted to 10.1.0.11 and so on;
Can you please explain the quoted area?
Not applicable

I've tried to post a schema but it doesn't work... There are 3 or 4 clients on the remote partner's side which need to access servers on my side. The remote partner requires that ALL clients access the servers using a NATted IP address (not the original IP address) and, because of internal policies, every client must have an assigned IP address. In other words: remote client 172.22.0.10 must always be NATted to 10.1.0.10 in order to access server1 and server2. In the same way, remote client 172.22.0.99 must always be NATted to 10.1.0.11, and so on... Any suggestion?
Not applicable

If I am wrong please forgive me!! Partner side: create a VIP 172.22.0.10 to 10.1.0.10, and the same for the other IPs. Say, on the FG side:

set src-subnet 10.1.0.0 255.255.255.252 (/30) (or create a group for the servers only)
set dst-addr-type subnet
set dst-subnet 10.1.0.10 255.255.255.255 (/32) (partner systems, or create a destination IP group)

Does it make any sense? ;)
Not applicable

Ehm, I fear that I need a more precise explanation. Keeping in mind that I cannot modify the remote partner's equipment in any way, I've tried this:

1) I've configured the VPN as usual (on the FG side: Phase 1 with preshared key, remote peer address etc., local interface (= VPN interface) = port2. Phase 2 quick mode selectors configured as source address 10.1.0.0/24 and destination address 172.22.0.0/24. Firewall policy: source interface = port1, source address = 10.1.0.0/24, destination interface = port2, destination address = 172.22.0.0/24, action = ipsec, allow inbound and outbound.)
2) Checked the VPN -- OK!!
3) Enabled inbound NAT -- all 172.22.0.x addresses have been NATted to the FG's port1 address... this doesn't meet the requirements :-(
4) Defined a VIP as External Interface = port2, External IP Address/Range = 172.22.0.99, Mapped IP Address/Range = 10.1.0.11. NOTHING WORKED!! The VIP doesn't seem to be bound to any policy.

Where am I wrong??
rwpatterson
Valued Contributor III

The only way I can see this working as you desire is to create many single 1 to 1 phase 2 relations and force the mappings on a 1 to 1 basis. No way to do this religiously covering a /24 subnet.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

The only way I can see this working as you desire is to create many single 1 to 1 phase 2 relations and force the mappings on a 1 to 1 basis. No way to do this religiously covering a /24 subnet.
Sorry, I can't understand :-( Do you mean create a phase1 definition and many phase2 definitions (1 for every remote host)? Or do you mean one phase1 definition, one phase2 definition and one firewall policy for every host? Can you send a configuration example, please? Thanks for your support
rwpatterson
Valued Contributor III

I mean create a phase1 definition and many phase2 definitions and firewall policies, one for every host.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
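As an added illustration of Bob's advice (not posted in the thread, and not verified against the poster's FG300), this is what the per-host layout looks like in FortiOS 3.0 policy-based CLI syntax: one phase1 towards the partner's Cisco, then one phase2 and one firewall policy per remote client, each with a /32 destination selector. Everything specific here is an assumption for illustration: the phase1 name "partner", the peer address 203.0.113.10, the proposals and DH group, the address-object names and the policy ID. Only client1 (172.22.0.10) is shown; the phase2 and policy blocks would be repeated for 172.22.0.99 and each further client, with a new object, phase2 name and policy ID. Two caveats a practitioner should keep in mind: first, this does not rewrite the client's source address to 10.1.0.10, which is the partner's actual requirement and which the thread does not resolve (enabling `natinbound` on the policy translates every inbound source to the port1 address, which is the behaviour reported in step 3 above); second, per-host quick-mode selectors only negotiate if the Cisco side's crypto ACL mirrors them host-for-host, so the partner must be told the exact selector pairs.

```text
config firewall address
    edit "servers"
        set type iprange
        set start-ip 10.1.0.5
        set end-ip 10.1.0.7
    next
    edit "partner-client1"
        set type ipmask
        set subnet 172.22.0.10 255.255.255.255
    next
end

config vpn ipsec phase1
    edit "partner"
        set type static
        set interface "port2"
        set remote-gw 203.0.113.10
        set mode main
        set proposal aes128-sha1 3des-sha1
        set dhgrp 2
        set authmethod psk
        set psksecret <shared-secret>
    next
end

config vpn ipsec phase2
    edit "partner-client1"
        set phase1name "partner"
        set proposal aes128-sha1 3des-sha1
        set pfs enable
        set dhgrp 2
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 172.22.0.10 255.255.255.255
    next
end

config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "servers"
        set dstaddr "partner-client1"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set vpntunnel "partner"
        set inbound enable
        set outbound enable
    next
end
```

After adding each phase2, check `get vpn ipsec tunnel details` (or `diag vpn tunnel list`) to confirm that one SA comes up per selector pair; a phase2 that stays down while the others are up usually means the partner's crypto ACL lacks the matching host entry.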
