SSG-550 - 5.1
I'm trying to get source NATting working from a series of addresses to a single public IP address. This is to accommodate one of our clients' addressing strategy. The traffic will then be sent over a route-based tunnel to them, with all the traffic appearing to originate from this single address. I have had to create an extended interface IP to include the public IP address; I have enabled NAT against the interface and set a DIP pool on that interface of a single IP address. I then created a policy with all the real source addresses as sources and the client's destination addresses with a few ports.
If I try to connect with Source Address Translation turned off on that policy, the traffic passes (but obviously the tunnel fails to get past phase 2). If I turn it on, nominating the SIP pool I created, I see no logs to indicate any traffic has been passed at all. The tunnel does not attempt to come up, so I assume it's not being passed. I've tried turning debug flow all on and debug nat all, but still no logs.
Any tips would be gratefully received.
Here is the policy detail:
name:"none" (id 42), zone Trust -> Untrust,action Permit, status "enabled"
src "my_source", dst "their_dest", serv "Services"
Policies on this vpn tunnel: 0
nat src dip-id 4, url filtering disabled
vpn unknown vpn, policy flag 0820, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 38, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 7006, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set
And here are the DIP settings:
Dip Id Dip Low Dip High Interface Attribute
4 195.*.*.109 195.*.*.109 ethernet0/1 port-xlate
Port-xlated dip stickness off
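For reference, the setup described in the post written out as ScreenOS CLI, followed by the check a practitioner would run. This is an added example, not the poster's configuration: the trust-side network 10.10.10.0/24, the client network 172.16.50.0/24, the tunnel interface tunnel.1, the VPN name "client-vpn" and the test hosts are all assumed, and 198.51.100.109 is a placeholder standing in for the masked 195.*.*.109. Lines beginning with "#" are explanatory notes, not CLI. The caveat in the middle is the point worth verifying against the post's "get dip" output: ScreenOS applies a policy's DIP pool on the interface the session egresses through, and for a route-based VPN that is the tunnel interface rather than ethernet0/1.

```screenos
# Assumed names (not from the post): 10.10.10.0/24 behind Trust, client network
# 172.16.50.0/24, tunnel interface tunnel.1, VPN "client-vpn" already defined.
# 198.51.100.109 is a placeholder for the masked public address 195.*.*.109.

# Extended IP on the Untrust interface with a single-address DIP pool on it.
# This matches what the post's "get dip" shows: DIP 4 on ethernet0/1, port-xlate.
set interface ethernet0/1 ext ip 198.51.100.109 255.255.255.255 dip 4 198.51.100.109 198.51.100.109

# Route-based tunnel: tunnel interface in Untrust, VPN bound to it, static route.
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/1
set vpn "client-vpn" bind interface tunnel.1
set route 172.16.50.0/24 interface tunnel.1

# Policy as in the post: policy-based NAT-src from DIP 4. Policy-based NAT-src
# does not depend on the ingress interface being in NAT mode.
set address "Trust" "my_source" 10.10.10.0 255.255.255.0
set address "Untrust" "their_dest" 172.16.50.0 255.255.255.0
set policy id 42 from "Trust" to "Untrust" "my_source" "their_dest" "Services" nat src dip-id 4 permit log

# Caveat to check: the DIP is applied on the session's egress interface. With a
# route-based VPN the egress interface is tunnel.1, not ethernet0/1, so the pool
# is normally defined on the tunnel interface (a separate pool id, 5, assumed here)
# and the policy re-created to reference it.
set interface tunnel.1 dip 5 198.51.100.109 198.51.100.109
unset policy id 42
set policy id 42 from "Trust" to "Untrust" "my_source" "their_dest" "Services" nat src dip-id 5 permit log

# Verify: filter the flow debug to one assumed test host so the trace stays
# readable, generate a connection, then read the buffer and session table.
set ffilter src-ip 10.10.10.25 dst-ip 172.16.50.10
clear dbuf
debug flow basic
# ... open a connection from 10.10.10.25 to 172.16.50.10 ...
undebug all
get dbuf stream
get session src-ip 10.10.10.25
get dip
get policy id 42
```

The "get dbuf stream" output is where to look when the policy log stays empty: a session that is dropped before it is created (for example because no usable DIP exists on the egress interface) shows up in the flow trace but never in the policy log. "get session" confirms whether a translated session exists, and "get dip" shows which interface each pool is bound to.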