Hello,
Logically speaking, this should work with the configuration below:
Part 1) Add zone trust as a context (in addition to untrust) for the static NAT.
root# show security nat static
rule-set test {
    from zone [ trust untrust ];
    rule for-host-A {
        match {
            destination-address 1.2.3.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.0.1/32;
                }
            }
        }
    }
    rule to-host-B {
        match {
            destination-address 1.2.3.2/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.0.2/32;
                }
            }
        }
    }
}
[edit]
root#
Part 2) Configure interface source NAT for any source in the 192.168.1.0/24 subnet going to the public IPs of Host A and Host B, so that direct communication between the two hosts is avoided for the reply traffic.
root# show security nat source
rule-set hair-pin-part-1 {
    from zone trust;
    to zone trust;
    rule hostA {
        match {
            source-address 192.168.1.0/24;
            destination-address 1.2.3.1/32;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set hair-pin-part-2 {
    from zone trust;
    to zone trust;
    rule hostB {
        match {
            source-address 192.168.1.0/24;
            destination-address 1.2.3.2/32;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Let me know if you have any queries.
Regards,
Rushi
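The same hairpin design as one consolidated Junos fragment, added here as an illustration and not part of the reply above. It folds both source NAT rules into a single trust-to-trust rule-set, and it matches the source NAT destination on the private addresses because the SRX evaluates source NAT rules after static NAT has already rewritten the destination, so a match on 1.2.3.x would not hit for the hairpinned flow. It also adds the intra-zone security policy that trust-to-trust sessions need, since intra-zone traffic is not permitted by default, and proxy-arp for the two public addresses. The interface names ge-0/0/0.0 (untrust) and ge-0/0/1.0 (trust), and the assumption that 192.168.0.0/24 and 192.168.1.0/24 are both in zone trust, are illustrative assumptions.

```junos
/* Added example, not the original poster's configuration. */
/* Assumed: ge-0/0/0.0 is in zone untrust on the 1.2.3.0/24 subnet, */
/* ge-0/0/1.0 is in zone trust, and both 192.168.0.0/24 and 192.168.1.0/24 are in zone trust. */
security {
    nat {
        static {
            rule-set hairpin-static {
                /* trust as well as untrust, so the inside hosts can hit the public addresses */
                from zone [ trust untrust ];
                rule for-host-A {
                    match {
                        destination-address 1.2.3.1/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.0.1/32;
                            }
                        }
                    }
                }
                rule to-host-B {
                    match {
                        destination-address 1.2.3.2/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.0.2/32;
                            }
                        }
                    }
                }
            }
        }
        source {
            rule-set hairpin-source {
                from zone trust;
                to zone trust;
                rule hosts-A-and-B {
                    match {
                        source-address 192.168.1.0/24;
                        /* source NAT is matched after static NAT, so use the translated (private) destinations */
                        destination-address [ 192.168.0.1/32 192.168.0.2/32 ];
                    }
                    then {
                        source-nat {
                            /* reply traffic returns to the SRX trust interface, not directly to the client */
                            interface;
                        }
                    }
                }
            }
        }
        proxy-arp {
            /* only needed when the public addresses sit in the untrust interface's own subnet (assumed here) */
            interface ge-0/0/0.0 {
                address {
                    1.2.3.1/32;
                    1.2.3.2/32;
                }
            }
        }
    }
    policies {
        /* intra-zone traffic is denied by default; the policy sees the post-static-NAT destination */
        from-zone trust to-zone trust {
            policy allow-hairpin {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

To confirm the hairpin is working, send traffic from a 192.168.1.0/24 host to 1.2.3.1 and check `show security nat static rule all` and `show security nat source rule all` for increasing translation hits, then `show security flow session destination-prefix 192.168.0.1`: the In wing should show the client address towards 1.2.3.1 and the Out wing should show 192.168.0.1 replying to the trust interface address. If you later tighten the policy's destination-address from any, use the 192.168.0.x addresses rather than 1.2.3.x, because policy lookup happens after static NAT translation.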