Greetings!
The reason is simple!
The static NAT rule does not match the traffic generated from your Inside (or trust) zone. Your static rule matches traffic from untrust zone and any traffic from untrust zone gets natted and you are able to reach the internet.
In order to be able to reach the webserver from untrust and trust zone using the same Public IP address you will need to configure the following:
1. Static NAT rule:
static {
    rule-set static-nat {
        from routing-instance default;
        rule my_website {
            match {
                destination-address <dedicated public ip for this website>/32;
            }
            then {
                /* private IP of my webserver */
                static-nat prefix 172.16.0.202/32;
            }
        }
    }
}
This matches any traffic coming in from default routing instance.
2. Apply proxy ARP or have the devices in the trust zone point their default gateway towards the SRX internal (trust) IP so that packets reach the SRX.
3. Change the source IP of the traffic.
nat {
    source {
        rule-set trust-to-trust {
            from zone trust;
            to zone trust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
Without the third step, after the packet's destination address gets NAT'ed and it reaches the webserver, the source address remains unchanged and in most cases can belong to the same subnet as the webserver's (private) IP. If that's the case, the web server will try to get the MAC of that IP by sending ARPs instead of sending the reply packet back to the SRX, which will never work.
Hope this helps!
Regards,
Kinshuk
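To make the failure mode in step 3 concrete, here is a small packet-flow model of the hairpin (trust-to-trust) NAT described above. It is an added example, not configuration or code from the original post or from Juniper; the addresses (trust LAN 172.16.0.0/24, SRX trust IP 172.16.0.1, public IP 203.0.113.10, client 172.16.0.50) are constructed. It also goes slightly beyond the post by showing that a client on a different internal subnet works even without source NAT, because its reply is routed via the gateway anyway.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addressing (assumption, not from the original post).
TRUST_LAN = ipaddress.ip_network("172.16.0.0/24")   # webserver's subnet
SRX_TRUST_IP = "172.16.0.1"                          # SRX internal (trust) IP
WEBSERVER = "172.16.0.202"                           # private IP from the post
PUBLIC_IP = "203.0.113.10"                           # dedicated public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def srx_forward(pkt: Packet, source_nat: bool) -> Packet:
    """Step 1: static destination NAT. Step 3 (optional): interface
    source NAT for trust-to-trust traffic, so replies come back to the SRX."""
    if pkt.dst == PUBLIC_IP:
        pkt = replace(pkt, dst=WEBSERVER)
    if source_nat:
        pkt = replace(pkt, src=SRX_TRUST_IP)
    return pkt


def webserver_next_hop(dst: str) -> str:
    """The webserver ARPs directly for any address on its own subnet;
    anything else goes to its default gateway (the SRX)."""
    return dst if ipaddress.ip_address(dst) in TRUST_LAN else SRX_TRUST_IP


def hairpin(client_ip: str, source_nat: bool) -> dict:
    """Simulate one request/reply through the SRX and report whether the
    reply is routed back through the SRX and whether the client accepts it."""
    request = Packet(src=client_ip, dst=PUBLIC_IP)
    seen_by_server = srx_forward(request, source_nat)
    reply = Packet(src=seen_by_server.dst, dst=seen_by_server.src)
    via_srx = webserver_next_hop(reply.dst) == SRX_TRUST_IP
    if via_srx:
        # The SRX session table reverses both translations on the way back.
        reply = Packet(src=PUBLIC_IP, dst=client_ip)
    # The client only matches a reply that comes from the public IP it sent to.
    accepted = reply.src == PUBLIC_IP and reply.dst == client_ip
    return {"via_srx": via_srx, "reply": reply, "client_accepts": accepted}
```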