Junos OS

Good day,

I have a SRX240 with 2 isp's

the primary use a PPoE pp0.0 and work as expected

The secondary use ethernet with vlan tagging.

I switched some of the ipsec tunnels to this new connection, and works fine.

i also want to use destination nat. but this isn't working. 

ge-0/0/15 {    vlan-tagging;    unit 9 {        vlan-id 9;        family inet {            address 1.2.3.4/28;        }    }}

The Routing instance

fiber {    instance-type virtual-router;    interface ge-0/0/15.9;    routing-options {        interface-routes {            rib-group inet inet-group;        }        static {            route 0.0.0.0/0 next-hop 1.2.3.5        }    }}

Routing options

interface-routes {    rib-group inet inet-group;}static {    route 0.0.0.0/0 next-hop pp0.0;}rib-groups {    inet-group {        import-rib [ inet.0 fiber.inet.0 ];    }}

Destenation nat

rule-set untrust {    from zone untrust;    rule myserver {        match {            destination-address 0.0.0.0/0;            destination-port 443;        }        then {            destination-nat {                pool {                    myserver;                }            }        }    }}rule-set untrust-fiber {    from zone untrust-fiber;    rule myserver-fiber {        match {            destination-address 0.0.0.0/0;            destination-port 443;        }        then {            destination-nat {                pool {                    myserver;                }            }        }    }}

The security policies are identical for untrust and untrust-fiber

If i connect to the public ip of pp0.0 the webpage shows.

if i connect to the public ip of ge-0/0/15.9 there is no response.

I know the connection is working, since the ipsec is working fine.

what am i missing?

Is there also a inbound security policy for the new untrust-fiber zone to permit the traffic matching  the original untrust zone policy?

Good day,

I have a SRX240 with 2 isp's

the primary use a PPoE pp0.0 and work as expected

The secondary use ethernet with vlan tagging.

I switched some of the ipsec tunnels to this new connection, and works fine.

i also want to use destination nat. but this isn't working. 

ge-0/0/15 {    vlan-tagging;    unit 9 {        vlan-id 9;        family inet {            address 1.2.3.4/28;        }    }}

The Routing instance

fiber {    instance-type virtual-router;    interface ge-0/0/15.9;    routing-options {        interface-routes {            rib-group inet inet-group;        }        static {            route 0.0.0.0/0 next-hop 1.2.3.5        }    }}

Routing options

interface-routes {    rib-group inet inet-group;}static {    route 0.0.0.0/0 next-hop pp0.0;}rib-groups {    inet-group {        import-rib [ inet.0 fiber.inet.0 ];    }}

Destenation nat

rule-set untrust {    from zone untrust;    rule myserver {        match {            destination-address 0.0.0.0/0;            destination-port 443;        }        then {            destination-nat {                pool {                    myserver;                }            }        }    }}rule-set untrust-fiber {    from zone untrust-fiber;    rule myserver-fiber {        match {            destination-address 0.0.0.0/0;            destination-port 443;        }        then {            destination-nat {                pool {                    myserver;                }            }        }    }}

The security policies are identical for untrust and untrust-fiber

If i connect to the public ip of pp0.0 the webpage shows.

if i connect to the public ip of ge-0/0/15.9 there is no response.

I know the connection is working, since the ipsec is working fine.

what am i missing?