When applying a destination nat translation from e.g. 10.132.0.0/16 to 172.1.0.0/16, an address 10.132.20.3 does not map to 172.1.20.3 as expected, but picks a random address in the range.
{F878758}
I have a VPN between ASA and vyos1.3 here. The idea is to have a virtual IP range that is translated to the ASA networks range. 11.60.0.0/16 => 10.1.0.0/16
When I do a ping from PC3 to PC4 as:
```ping 11.60.1.4```
The nat translation table in the vyos shows as:
vyos@vyos:~$ show nat destination translations
| Pre-NAT | Post-NAT | Prot | Timeout |
|11.60.1.4 | 10.1.44.195 | icmp |27|
|11.60.1.4 | 10.1.44.195 | icmp |29|
|11.60.1.4 | 10.1.44.195 | icmp |25|
|11.60.1.4 | 10.1.44.195 | icmp |23|
This does this random mapping on 1.3 and works correctly on 1.2
Here's the config on the vyos:
```
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PrivateIPs network '10.2.0.0/16'
set firewall group network-group RecIPs network '10.2.2.3/32'
set firewall group network-group TapLan network '10.1.0.0/16'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name Accept_Log default-action 'accept'
set firewall name Accept_Log enable-default-log
set firewall name Tap_In default-action 'accept'
set firewall name Tap_In enable-default-log
set firewall name Tap_In rule 100 action 'accept'
set firewall name Tap_In rule 100 destination group network-group 'RecIPs'
set firewall name Tap_In rule 100 log 'enable'
set firewall name Tap_In rule 100 protocol 'tcp_udp'
set firewall name Tap_In rule 100 source group network-group 'TapLan'
set firewall name Tap_In rule 200 action 'accept'
set firewall name Tap_In rule 200 destination group network-group 'RecIPs'
set firewall name Tap_In rule 200 log 'enable'
set firewall name Tap_In rule 200 protocol 'icmp'
set firewall name Tap_In rule 800 action 'reject'
set firewall name Tap_In rule 800 description 'No access to private IPs'
set firewall name Tap_In rule 800 destination group network-group 'PrivateIPs'
set firewall name Tap_In rule 800 log 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy invalid log enable
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '10.2.2.1/16'
set interfaces ethernet eth0 description 'inside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '100.100.100.2/30'
set interfaces ethernet eth1 description 'outside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces vti vti0 address '192.168.13.3/24'
set interfaces vti vti0 firewall in name 'Tap_In'
set interfaces vti vti0 firewall out name 'Accept_Log'
set interfaces vti vti0 ip
**set nat destination rule 200 destination address '11.60.0.0/16'
set nat destination rule 200 inbound-interface 'eth0'
set nat destination rule 200 source address '10.2.0.0/16'
set nat destination rule 200 translation address '10.1.0.0/16'
**set nat destination rule 505 destination address '172.17.2.0/28'
set nat destination rule 505 inbound-interface 'vti0'
set nat destination rule 505 source address '10.1.0.0/16'
set nat destination rule 505 translation address '10.2.2.3'
set nat destination rule 8100 destination address '172.17.1.8'
set nat destination rule 8100 inbound-interface 'vti0'
set nat destination rule 8100 source address '10.1.0.0/16'
set nat destination rule 8100 translation address '10.2.2.3'
set nat source rule 100 destination address '10.1.0.0/16'
set nat source rule 100 outbound-interface 'vti0'
set nat source rule 100 protocol 'all'
set nat source rule 100 translation address 'masquerade'
set nat source rule 1000 outbound-interface 'eth1'
set nat source rule 1000 protocol 'all'
set nat source rule 1000 source address '10.2.0.0/16'
set nat source rule 1000 translation address 'masquerade'
set protocols bgp 200 address-family ipv4-unicast network 172.17.1.0/28
set protocols bgp 200 neighbor 192.168.13.4 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 200 neighbor 192.168.13.4 remote-as '100'
set protocols bgp 200 neighbor 192.168.13.4 update-source '192.168.13.3'
set protocols static interface-route 10.1.0.0/16 next-hop-interface vti0
set protocols static route 0.0.0.0/0 next-hop 100.100.100.1
set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '48800'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'dh-group14'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'
set vpn ipsec ike-group ikeA close-action 'none'
set vpn ipsec ike-group ikeA dead-peer-detection action 'restart'
set vpn ipsec ike-group ikeA dead-peer-detection interval '10'
set vpn ipsec ike-group ikeA dead-peer-detection timeout '120'
set vpn ipsec ike-group ikeA ikev2-reauth 'no'
set vpn ipsec ike-group ikeA key-exchange 'ikev2'
set vpn ipsec ike-group ikeA lifetime '86400'
set vpn ipsec ike-group ikeA proposal 1 dh-group '14'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha512'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec site-to-site peer 200.200.200.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 200.200.200.2 authentication pre-shared-secret 'testkey'
set vpn ipsec site-to-site peer 200.200.200.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 200.200.200.2 default-esp-group 'espA'
set vpn ipsec site-to-site peer 200.200.200.2 ike-group 'ikeA'
set vpn ipsec site-to-site peer 200.200.200.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 200.200.200.2 local-address '100.100.100.2'
set vpn ipsec site-to-site peer 200.200.200.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 200.200.200.2 vti esp-group 'espA'
```
Version:
```
Version: VyOS 1.3-rolling-202009241556
Release Train: equuleus
Built by: redacted
Built on: Thu 24 Sep 2020 15:56 UTC
Build UUID: 32528dfd-734e-40e5-aeac-32ea171c9722
Build Commit ID: d571b383797719
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N: Unknown
Hardware UUID: Unknown
Copyright: VyOS maintainers and contributors
```