03-31-2010 01:44 AM
Hi all, I am trying to configure NAT-DST on an SSG20.
I want to NAT HTTP traffic from the ADSL card to an internal server.
set policy id 3 from "Untrust" to "Trust" "Any" "redirection" "HTTP" nat dst ip 1.1.1.1 permit
set policy id 3
set log session-init
exit
But when I try to open an HTTP session, I don't get any response (time out).
Abdallah
03-31-2010 01:56 AM
Hi Abdallah
Have you made a route statement that routes the IP of "redirection" into the Trust zone?
If you haven't made this route entry, the traffic will not hit the "nat dst ip 1.1.1.1".
03-31-2010 02:12 AM
We have only one interface configured (in the Trust zone),
so we have a default route that routes all traffic from Trust to Untrust.
03-31-2010 02:43 AM
Hi
What I mean is: when you do policy NAT (nat dst) you have to make a route statement that routes the public IP (in your case the IP of the object you call "redirection") from Untrust to the Trust zone.
Let's say that the IP of "redirection" is 2.1.1.1 and your Trust interface is ethernet2/1; then you will have to make the following route:
set route 2.1.1.1/32 interface ethernet2/1
If this route is not in place, you will never get the NAT from 2.1.1.1 to 1.1.1.1 to work.
03-31-2010 02:56 AM
The address of "redirection" is 1.1.1.1.
03-31-2010 03:15 AM
Hi
Then the problem is this line:
set policy id 3 from "Untrust" to "Trust" "Any" "redirection" "HTTP" nat dst ip 1.1.1.1 permit
If the IP of the address object "redirection" is 1.1.1.1, then you cannot use the same IP as the nat dst.
As an example, if you have
Redirection = 1.1.1.1
and want to reach 192.168.1.10, then your policy has to be:
set policy id 3 from "Untrust" to "Trust" "Any" "redirection" "HTTP" nat dst ip 192.168.1.10 permit
You still have to make a route statement; in this case it could look like this:
set route 1.1.1.1/32 interface ethernet2/1
03-31-2010 03:28 AM
I still have the same problem.
What can i do?
03-31-2010 10:38 AM
Hi
I was thinking: what are the IP address and subnet mask of your Untrust interface?
04-07-2010 12:15 PM
Hi
I came to think about which ScreenOS version you are running.
04-09-2010 01:04 AM
Hi Abdallah,
If the public IP you are going to NAT is located in the IP space (primary or secondary) of the Untrust interface, the firewall has to reply to the ARP requests for this address with its MAC. My preferred method to ensure this is to configure a DIP pool with this single address. More on this: KB10174 (esp. Solution 3).
I'm assuming that you have already configured both routes as explained above.
Kind regards,
Edouard
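The pieces the replies above describe (address object, nat dst policy, /32 route toward the Trust interface, and the ARP answer for the public IP), assembled into one complete ScreenOS configuration. This is an added example, not configuration posted by anyone in the thread. The values are assumptions taken from the thread or chosen for illustration: public IP 1.1.1.1, internal server 192.168.1.10, Trust interface ethernet2/1, Untrust interface adsl1/0 and DIP pool id 4; replace them with your own. Lines starting with "#" are annotations, not ScreenOS syntax, and must be dropped before pasting into the CLI.

```screenos
# Added example, not from the thread. Assumed values: public IP 1.1.1.1,
# server 192.168.1.10, Trust interface ethernet2/1, Untrust interface adsl1/0,
# DIP pool id 4.

# 1. Address book entry for the public (pre-NAT) IP, in the zone the traffic
#    arrives on. The policy's destination must be this public object.
set address "Untrust" "redirection" 1.1.1.1 255.255.255.255

# 2. Policy from Untrust to Trust. "nat dst ip" rewrites the destination to the
#    private server; it must be a different IP from the object's own 1.1.1.1.
set policy id 3 from "Untrust" to "Trust" "Any" "redirection" "HTTP" nat dst ip 192.168.1.10 permit
set policy id 3
set log session-init
exit

# 3. Route the public /32 toward the Trust interface. Without this route the
#    lookup sends 1.1.1.1 back out the default route and the policy never
#    matches, which shows up as the timeout described in the first post.
set route 1.1.1.1/32 interface ethernet2/1

# 4. Only if 1.1.1.1 lies inside the Untrust interface's own subnet (primary
#    or secondary): a single-address DIP pool makes the firewall answer ARP
#    for that address, as recommended in the last reply.
set interface adsl1/0 dip 4 1.1.1.1 1.1.1.1

# Verification after a test connection from outside:
get policy id 3
get route ip 1.1.1.1
get session dst-ip 192.168.1.10
```

If `get route ip 1.1.1.1` still resolves to the default route, step 3 was not applied in the right virtual router; if the policy counters in `get policy id 3` stay at zero while `get session` shows nothing for 192.168.1.10, the packets are not reaching the policy at all and the ARP point in step 4 is the next thing to check.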