I have tried to validate this functionality on SRX1500 and can confirm that it works as expected and described in https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709.
Environment:
SRX1500 with destination NAT on 1.2.3.4:2222 towards 172.30.104.1:22, and source NAT on ge-0/0/11.104.
config snippets:
user@srx1500-nfr> show configuration security nat destination
pool test-inside {
address 172.30.104.1/32 port 22;
}
rule-set WAN {
from zone untrust;
rule test {
match {
destination-address 1.2.3.4/32;
destination-port {
2222;
}
}
then {
destination-nat {
pool {
test-inside;
}
}
}
}
}
user@srx1500-nfr> show configuration security nat source
pool src-hide {
address {
172.30.104.254/32;
}
}
rule-set test-src {
from zone untrust;
to zone test;
rule src-tux {
match {
source-address 4.3.2.1/32;
}
then {
source-nat {
pool {
src-hide;
}
}
}
}
}
user@srx1500-nfr> show configuration security policies from-zone untrust to-zone test
policy test {
match {
source-address external-host;
destination-address test-inside;
application junos-ssh;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
user@srx1500-nfr> show configuration interfaces
ge-0/0/1 {
unit 0 {
family inet {
filter {
input PCAP;
output PCAP;
}
address 1.2.3.4/27;
}
}
}
ge-0/0/11 {
vlan-tagging;
unit 104 {
vlan-id 104;
family inet {
filter {
input PCAP;
output PCAP;
}
address 172.30.104.254/24;
}
}
}
user@srx1500-nfr> show configuration firewall
filter PCAP {
term 1 {
from {
source-address {
4.3.2.1/32;
}
destination-address {
1.2.3.4/32;
}
}
then {
sample;
accept;
}
}
term 2 {
from {
source-address {
1.2.3.4/32;
}
destination-address {
4.3.2.1/32;
}
}
then {
sample;
accept;
}
}
term 3 {
from {
source-address {
172.30.104.254/32;
}
destination-address {
172.30.104.1/32;
}
}
then {
sample;
accept;
}
}
term 4 {
from {
source-address {
172.30.104.1/32;
}
destination-address {
172.30.104.254/32;
}
}
then {
sample;
accept;
}
}
term allow-all-else {
then accept;
}
}
user@srx1500-nfr> show configuration forwarding-options
packet-capture {
file filename pcapdump files 5 size 5m;
maximum-capture-size 1500;
}
Traffic passes correctly when testing from the outside; the flow session is shown and the pcapdump files are generated:
ssh -p 2222 root@1.2.3.4
Password:
Last login: Mon Nov 6 11:06:22 2017 from 172.30.104.254
--- JUNOS 15.1X49-D100.6 built 2017-06-28 07:33:31 UTC
root@vsrx-test%
user@srx1500-nfr> show security flow session
Session ID: 901793, Policy name: test/6, Timeout: 1800, Valid
In: 4.3.2.1/33090 --> 1.2.3.4/2222;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 93, Bytes: 7697,
Out: 172.30.104.1/22 --> 172.30.104.254/28608;tcp, Conn Tag: 0x0, If: ge-0/0/11.104, Pkts: 165, Bytes: 17501,
Total sessions: 1
jh@srx1500-nfr> file list /var/tmp/pcapdump*
/var/tmp/pcapdump.ge-0.0.1
/var/tmp/pcapdump.ge-0.0.11
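and the content from the internal interface is also shown correctly in the dump file (the "truncated-ip - 18 bytes missing!" lines are most likely just the maximum-capture-size of 1500 cutting off full-size VLAN-tagged frames, not a forwarding problem):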
root@srx1500-nfr% tcpdump -ttttnr /var/tmp/pcapdump.ge-0.0.11 | grep 28608
17. 375924 Out IP 172.30.104.254.28608 > 172.30.104.1.22: S 3112655166:3112655166(0) win 65535 <mss 1460,nop,wscale 6,sackOK,timestamp 2729284302 0>
000008 In IP 172.30.104.1.22 > 172.30.104.254.28608: S 1009170727:1009170727(0) ack 3112655167 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 372119 2729284302,sackOK,eol>
000016 Out IP 172.30.104.254.28608 > 172.30.104.1.22: . ack 1 win 1040 <nop,nop,timestamp 2729284308 372119>
000010 Out IP 172.30.104.254.28608 > 172.30.104.1.22: P 1:50(49) ack 1 win 1040 <nop,nop,timestamp 2729284311 372119>
000005 In IP 172.30.104.1.22 > 172.30.104.254.28608: P 1:22(21) ack 50 win 33279 <nop,nop,timestamp 372123 2729284311>
000034 In IP truncated-ip - 18 bytes missing! 172.30.104.1.22 > 172.30.104.254.28608: . 22:1470(1448) ack 50 win 33304 <nop,nop,timestamp 372123 2729284311>
000043 Out IP 172.30.104.254.28608 > 172.30.104.1.22: . ack 1470 win 1018 <nop,nop,timestamp 2729284329 372123>
000005 In IP 172.30.104.1.22 > 172.30.104.254.28608: P 1470:1670(200) ack 50 win 33304 <nop,nop,timestamp 372124 2729284329>
000042 Out IP truncated-ip - 18 bytes missing! 172.30.104.254.28608 > 172.30.104.1.22: . 50:1498(1448) ack 1470 win 1018 <nop,nop,timestamp 2729284331 372123>
025621 Out IP 172.30.104.254.28608 > 172.30.104.1.22: P 1498:1922(424) ack 1470 win 1018 <nop,nop,timestamp 2729284331 372123>
000006 In IP 172.30.104.1.22 > 172.30.104.254.28608: . ack 1922 win 32368 <nop,nop,timestamp 372124 2729284331>
000023 Out IP 172.30.104.254.28608 > 172.30.104.1.22: P 1922:1970(48) ack 1670 win 1040 <nop,nop,timestamp 2729284345 372124>
128507 In IP 172.30.104.1.22 > 172.30.104.254.28608: P 1670:1950(280) ack 1970 win 33304 <nop,nop,timestamp 372130 2729284345>
So, you need to ensure you are looking at the active node for your RG1 and that you are dumping traffic for the right IPs (but as you have "any", that shouldn't be the issue). Hope this walkthrough helps.