[j-nsp] Static NAT with IPSEC VPN on one J-router

Alexander Shikoff minotaur at crete.org.ua
Thu Dec 10 07:35:50 EST 2009


Hello!

I'm wondering whether it is possible to configure Static NAT with IPSEC VPN on 
one J-router. I have a working IPSEC policy (users connect successfully):
minotaur@br# show security policies
from-zone External to-zone Internal {
    policy RemoteVPN {
        match {
            source-address any;
            destination-address LAN;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN;
                }
            }
        }
    }
}

I've added a static NAT configuration for an external IP address that differs from 
the address used with IPSEC:

minotaur@br# show security nat static rule-set sNAT
from zone External;
rule RD {
    match {
        destination-address 194.247.174.29/32;
    }
    then {
        static-nat prefix 192.168.2.34/32;
    }
}

But it fails to work. I see translation hits in the "show security nat static rule 
all" output, but NAT does not work. When I deactivate the IPSEC policy, 
static NAT works as expected.

I've tried to set up static NAT in a separate virtual router, but without success.

Any ideas? Thanks in advance!

-- 
MINO-RIPE

