Hello,
So basically, you have 3 IPs on the reth0 interface (10.1.49.50, 10.1.49.51, 10.1.49.53) and you need to NAT them all to the single IP 192.168.101.111 on those same port ranges. If this is correct, then we cannot achieve this if we specify a port range, and it throws an error on static NAT.
Instead of doing this, create a destination NAT rule without specifying ports and allow only those ports that need access in the security policies. By this you will achieve what you want, and you can block the rest of the ports using security policies and check against security threats on the other ports.
This is an easy and simple fix for our issue. Do not try to block everything using NAT; there is a security policy, so make use of it as well.
set security nat destination pool test address 192.168.101.111/32
set security nat destination rule-set test from zone GCI
set security nat destination rule-set test rule 1 match destination-address 10.1.49.50/32
set security nat destination rule-set test rule 1 then destination-nat pool test
set security nat destination rule-set test rule 2 match destination-address 10.1.49.51/32
set security nat destination rule-set test rule 2 then destination-nat pool test
set security nat destination rule-set test rule 3 match destination-address 10.1.49.52/32
set security nat destination rule-set test rule 3 then destination-nat pool test
set security nat destination rule-set test rule 4 match destination-address 10.1.49.53/32
set security nat destination rule-set test rule 4 then destination-nat pool test
root@100-5# show security policies
from-zone GCI to-zone trust {
    policy test {
        match {
            source-address clients;
            destination-address [ 10.1.49.50 10.1.49.51 10.1.49.52 10.1.49.53 ];
            application [ TCP-15000-16000 TCP-8000-9300 ];
        }
        then {
            permit;
        }
    }
}
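The complete set-form configuration for the approach described in the reply above, as an added example that is not part of the original post or the poster's own config. It repeats the post's destination NAT pool and rule-set, and adds the pieces the post leaves implicit: the port-range application definitions the policy references, address-book entries (the `clients` prefix is a placeholder), and an explicit logged deny for everything else so that blocked probes on other ports show up in the logs. One caveat a practitioner should check: on SRX, destination NAT is applied before the security-policy lookup, so the permit policy in this example matches on the translated address 192.168.101.111 rather than the original 10.1.49.x addresses; the zone names GCI and trust and the policy names are assumptions.

```junos
## Added example, not from the original post. Assumes zones GCI and trust,
## a global address book, and the application names used in the post.

## Destination NAT: translate all four published addresses to the one server,
## with no port restriction (port ranges are enforced by policy instead).
set security nat destination pool test address 192.168.101.111/32
set security nat destination rule-set test from zone GCI
set security nat destination rule-set test rule 1 match destination-address 10.1.49.50/32
set security nat destination rule-set test rule 1 then destination-nat pool test
set security nat destination rule-set test rule 2 match destination-address 10.1.49.51/32
set security nat destination rule-set test rule 2 then destination-nat pool test
set security nat destination rule-set test rule 3 match destination-address 10.1.49.52/32
set security nat destination rule-set test rule 3 then destination-nat pool test
set security nat destination rule-set test rule 4 match destination-address 10.1.49.53/32
set security nat destination rule-set test rule 4 then destination-nat pool test

## Port-range applications referenced by the policy (assumed definitions;
## the post uses these names but does not show how they are defined).
set applications application TCP-15000-16000 protocol tcp destination-port 15000-16000
set applications application TCP-8000-9300 protocol tcp destination-port 8000-9300

## Address-book entries (assumed). "clients" uses a placeholder prefix;
## replace it with the real client subnet in zone GCI.
set security address-book global address clients 203.0.113.0/24
set security address-book global address srv-translated 192.168.101.111/32

## Permit only the required port ranges. Destination NAT runs before the
## policy lookup, so the policy matches the translated (post-NAT) address.
set security policies from-zone GCI to-zone trust policy allow-srv match source-address clients
set security policies from-zone GCI to-zone trust policy allow-srv match destination-address srv-translated
set security policies from-zone GCI to-zone trust policy allow-srv match application [ TCP-15000-16000 TCP-8000-9300 ]
set security policies from-zone GCI to-zone trust policy allow-srv then permit
set security policies from-zone GCI to-zone trust policy allow-srv then log session-close

## Explicit deny with logging for every other port, so that probes against the
## published addresses on unexpected ports are visible rather than silently dropped.
set security policies from-zone GCI to-zone trust policy deny-rest match source-address any
set security policies from-zone GCI to-zone trust policy deny-rest match destination-address any
set security policies from-zone GCI to-zone trust policy deny-rest match application any
set security policies from-zone GCI to-zone trust policy deny-rest then deny
set security policies from-zone GCI to-zone trust policy deny-rest then log session-init
```

Policy order matters: `allow-srv` must sit above `deny-rest` within the GCI-to-trust context (use `insert security policies from-zone GCI to-zone trust policy allow-srv before policy deny-rest` if it does not). After committing, `show security flow session destination-prefix 192.168.101.111` confirms that sessions are being created with the translated address, and the logged denies from `deny-rest` are where to look for scans against the other ports.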