I configured source and destination NAT rule-sets:
Site A source-nat:
set security nat source pool pool1 address 172.21.8.0/22
set security nat source rule-set rule-set1 from zone Internal
set security nat source rule-set rule-set1 to zone vpn
set security nat source rule-set rule-set1 rule rule1 match source-address 192.168.12.0/22
set security nat source rule-set rule-set1 rule rule1 match destination-address 192.168.20.0/24
set security nat source rule-set rule-set1 rule rule1 then source-nat pool pool1
Site A destination-nat:
set security nat destination pool pool_site_a address 192.168.12.0/22
set security nat destination rule-set rule-set_from_site_b from zone vpn
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match source-address 192.168.20.0/24
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match destination-address 172.21.8.0/22
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b then destination-nat pool pool_site_a
Ping from host 192.168.14.31 to 192.168.20.1, 192.168.20.2 etc. successful!
Strange thing though is that each ICMP packet sent from 192.168.14.31 to 192.168.20.1 is NATed with a different source address:
root@site_a> show security flow session destination-prefix 192.168.20.1
Session ID: 6919, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
In: 192.168.14.31/13318 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
Out: 192.168.20.1/1 --> 172.21.9.77/22815;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
Session ID: 6921, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
In: 192.168.14.31/13319 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
Out: 192.168.20.1/1 --> 172.21.9.78/6102;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
Total sessions: 2
Ping from site b to site a is always the same source address:
Session ID: 7555, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
In: 192.168.8.39/1371 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
Out: 192.168.14.3/1127 --> 192.168.8.39/1371;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 7556, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
In: 192.168.8.39/1372 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
Out: 192.168.14.3/1127 --> 192.168.8.39/1372;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 7557, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
In: 192.168.8.39/1373 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
Out: 192.168.14.3/1127 --> 192.168.8.39/1373;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 7558, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
In: 192.168.8.39/1374 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
Out: 192.168.14.3/1127 --> 192.168.8.39/1374;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Why's that? Did I do something wrong with the source NAT rules?
Kind regards
Andy
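A small check for the behaviour shown in the session output above, added here as an example that is not part of the original post or of Junos itself: it parses `show security flow session` text, pairs each session's In and Out wings, and reports every internal source address that was translated to more than one pool address. The sample input is the session output quoted in the post; the regexes and function names are this example's own assumptions about the output format, not a Juniper API.

```python
import re
from collections import defaultdict

# Constructed sample: the two outbound sessions quoted in the post above
# (Junos "show security flow session" output, In/Out wings per session).
SAMPLE = """\
Session ID: 6919, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
In: 192.168.14.31/13318 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
Out: 192.168.20.1/1 --> 172.21.9.77/22815;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
Session ID: 6921, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
In: 192.168.14.31/13319 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
Out: 192.168.20.1/1 --> 172.21.9.78/6102;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
Total sessions: 2
"""

# Assumed line shapes, derived from the quoted output (not an official grammar).
SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?If: (\S+),"
)


def parse_sessions(text):
    """Return one dict per session with its 'in' and 'out' wings."""
    sessions = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1))}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            cur[wing.lower()] = {
                "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport),
                "proto": proto, "if": ifname,
            }
    return sessions


def nat_mappings(sessions):
    """Map each In-wing source address to the set of addresses it was
    translated to. The Out wing is the reply direction, so its destination
    is the translated source of the original packet."""
    mapping = defaultdict(set)
    for s in sessions:
        if "in" in s and "out" in s:
            mapping[s["in"]["src"]].add(s["out"]["dst"])
    return {host: sorted(addrs) for host, addrs in mapping.items()}


def non_persistent_hosts(sessions):
    """Internal hosts that were given more than one pool address."""
    return sorted(h for h, a in nat_mappings(sessions).items() if len(a) > 1)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    for host, addrs in nat_mappings(parsed).items():
        print(f"{host} -> {', '.join(addrs)}")
    print("hosts without a stable pool address:", non_persistent_hosts(parsed))
```

Run against the quoted output, the script reports that 192.168.14.31 was translated to both 172.21.9.77 and 172.21.9.78, which is exactly the per-session pool allocation the post describes; the same check run on the site B to site A sessions finds only one address per host. A pool with an address range hands out an address per session unless address persistence is enabled, so the script is a quick way to confirm whether a configuration change has made the mapping stable.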