Need help on One to One NAT configuration

Started by elvinmammadov, July 12, 2024, 10:24:48 AM

July 12, 2024, 10:24:48 AM Last Edit: July 12, 2024, 04:29:24 PM by elvinmammadov
Hello,

I need your help on the following case.
We have IPsec VPN connections with our customers and our internal network.
Internal Network: 172.16.210.0/24

Recently we have prepared a new device on DMZ network.
DMZ network: 172.16.220.0/24
Linux OS machine: 172.16.220.1

The customer should communicate with a device on the DMZ network through the IPsec VPN. Since there are over 50 IPsec VPN connections, we can't add a Phase 2 to the current VPN connection.

I have created a Virtual IP: 172.16.210.100/32

That's why we decided to use One to One NAT in IPsec Interface, that should work in this way: 172.16.210.100 <---> 172.16.220.1

I have created firewall rules on the IPsec and DMZ interfaces to allow the traffic.

If I telnet the port of the device located in DMZ, it doesn't pass through. The device has Linux OS and it shows that it has received a packet SYN_RECV.

root@mail:~# netstat -tulpan | grep :587
tcp6       0      0 :::587                :::*                    LISTEN      974/hbbr
tcp6       0      0 172.16.220.1:587      10.154.181.41:64203     SYN_RECV    -

That's why I think the Linux machine can't send the SYN-ACK to the customer IP address.
Most probably it still tries to reply from 172.16.220.1. But it should go through 172.16.210.100.

It should be:

DMZ 172.16.220.1 --> Virtual IP 172.16.210.100 --> customer network
customer network  --> Virtual IP 172.16.210.100 --> DMZ 172.16.220.1

Could you please give me a hint where I have made a mistake?
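Added example (not from the post or from any OPNsense/Linux tool): a small parser for the `netstat -tulpan` output format quoted above that flags sockets stuck in SYN_RECV for a given peer. A SYN_RECV entry means the SYN reached the DMZ host and the SYN-ACK was sent, but the third packet of the handshake never arrived; for a 1:1 NAT setup that points at the return path, since the host replies to the customer address from its own routing table and that reply only gets translated if it goes back through the firewall holding the NAT. The sample lines are constructed to mirror the post; the function names and the NAT address argument are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample mirroring the two netstat lines in the post (not captured from a live host).
SAMPLE_NETSTAT = """\
tcp6       0      0 :::587                :::*                    LISTEN      974/hbbr
tcp6       0      0 172.16.220.1:587      10.154.181.41:64203     SYN_RECV    -
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: str  # '*' for listening sockets
    state: str        # empty for UDP rows, which carry no state column
    program: str      # 'PID/name' or '-' when not attributable


def split_endpoint(endpoint: str):
    # netstat prints host:port; split on the last colon so IPv6 forms like ':::587' survive.
    host, _, port = endpoint.rpartition(':')
    return host, port


def parse_netstat(text: str):
    """Parse tcp/udp rows of `netstat -tulpan` output into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(('tcp', 'udp')):
            continue  # header lines, blank lines, unix sockets
        proto, _recv_q, _send_q, local, remote = fields[:5]
        if proto.startswith('tcp'):
            state = fields[5]
            program = fields[6] if len(fields) > 6 else '-'
        else:
            state = ''
            program = fields[5]
        local_host, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(remote)
        sockets.append(Socket(proto, local_host, int(local_port),
                              remote_host, remote_port, state, program))
    return sockets


def half_open_from(sockets, peer: str):
    """Connections from `peer` stuck in SYN_RECV: SYN arrived, handshake never completed."""
    return [s for s in sockets if s.state == 'SYN_RECV' and s.remote_addr == peer]


def diagnose(text: str, peer: str, nat_address: str):
    """Return one finding per half-open connection from `peer`, with a return-path hint.

    `nat_address` is the 1:1 NAT address the peer is expected to talk to
    (172.16.210.100 in the post); it is only used to word the hint.
    """
    findings = []
    for s in half_open_from(parse_netstat(text), peer):
        findings.append(
            f"SYN from {s.remote_addr}:{s.remote_port} reached {s.local_addr}:{s.local_port} "
            f"but the handshake never completed: the SYN-ACK is addressed to {s.remote_addr} "
            f"and follows {s.local_addr}'s routing table, so it is only rewritten to "
            f"{nat_address} if that route leads back through the firewall doing the 1:1 NAT."
        )
    return findings


if __name__ == '__main__':
    for finding in diagnose(SAMPLE_NETSTAT, '10.154.181.41', '172.16.210.100'):
        print(finding)
```

Run it against the real output of `netstat -tulpan` (or `ss -tanp`, after adjusting the column handling) on the DMZ host while the customer retries the connection; a SYN_RECV row that never advances to ESTABLISHED confirms the symptom is on the reply path rather than on the inbound firewall rules.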