SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port forwarding doesn't work.

    Posted 09-13-2011 01:51

    Why don't my NAT rules work?

     

    root@srx210> show configuration security nat 
    source {
        rule-set rs1 {                      
            from zone trust;
            to zone untrust;
            rule r1 {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
            rule r2 {
                match {
                    source-address 172.30.0.111/32;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        off;
                    }
                }                           
            }
        }
    }
    destination {
        pool mail-server1 {
            address 172.30.0.111/32 port 25;
        }
        pool mail-server2 {
            address 172.30.0.111/32 port 80;
        }
        pool mail-server3 {
            address 172.30.0.111/32 port 443;
        }
        rule-set mail-server {
            from interface fe-0/0/7.0;
            rule port-forward1 {
                match {
                    destination-address 62.118.2.200/32;
                    destination-port 80;
                }
                then {
                    destination-nat pool mail-server2;
                }                           
            }
            rule port-forward2 {
                match {
                    destination-address 62.118.2.200/32;
                    destination-port 25;
                }
                then {
                    destination-nat pool mail-server1;
                }
            }
            rule port-forward3 {
                match {
                    destination-address 62.118.2.200/32;
                    destination-port 443;
                }
                then {
                    destination-nat pool mail-server3;
                }
            }
        }
    }
    
    root@srx210> show security flow session source-prefix 172.30.0.111/32    
    Session ID: 45961, Policy name: trust-to-untrust/4, Timeout: 1800, Valid
      In: 172.30.0.111/4789 --> 64.12.73.195/443;tcp, If: ge-0/0/0.4, Pkts: 21, Bytes: 1533
      Out: 64.12.73.195/443 --> 62.118.2.205/28879;tcp, If: fe-0/0/7.0, Pkts: 26, Bytes: 17388
    
    Session ID: 46415, Policy name: trust-to-untrust/4, Timeout: 1792, Valid
      In: 172.30.0.111/4802 --> 74.125.43.101/80;tcp, If: ge-0/0/0.4, Pkts: 5, Bytes: 958
      Out: 74.125.43.101/80 --> 62.118.2.205/2479;tcp, If: fe-0/0/7.0, Pkts: 5, Bytes: 3209
    
    Session ID: 46458, Policy name: trust-to-untrust/4, Timeout: 150, Valid
      In: 172.30.0.111/4811 --> 89.208.32.3/80;tcp, If: ge-0/0/0.4, Pkts: 10, Bytes: 1410
      Out: 89.208.32.3/80 --> 62.118.2.205/43992;tcp, If: fe-0/0/7.0, Pkts: 11, Bytes: 13532
    
    Session ID: 46534, Policy name: trust-to-untrust/4, Timeout: 1800, Valid
      In: 172.30.0.111/4817 --> 89.208.32.3/80;tcp, If: ge-0/0/0.4, Pkts: 2, Bytes: 88
      Out: 89.208.32.3/80 --> 62.118.2.205/55370;tcp, If: fe-0/0/7.0, Pkts: 1, Bytes: 48
    ---(more)---[abort]
    root@srx210> show configuration interfaces 
    ge-0/0/0 {
        vlan-tagging;
        unit 4 {
            vlan-id 4;
            family inet {
                address 172.30.0.230/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 62.118.2.205/24;
            }
        }
    }
    
    root@srx210> show configuration security zones 
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
            ge-0/0/0.4;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                all {
                    except;
                }
            }
            protocols {
                all {                       
                    except;
                }
            }
        }
        interfaces {
            fe-0/0/7.0;
        }
    }
     
  • 2.  RE: Port forwarding doesn't work.
    Best Answer

    Posted 09-13-2011 02:25

    Destination NAT is not bi-directional; you will need to configure static NAT.



  • 3.  RE: Port forwarding doesn't work.

    Posted 09-13-2011 23:27

    Thanks. It works.

     

    root@srx210> show configuration security nat 
    source {
        rule-set rs1 {                      
            from zone trust;
            to zone untrust;
            rule r1 {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
            rule rs2 {
                match {
                    source-address 172.30.0.111/32;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        off;
                    }
                }                           
            }
        }
    }
    static {
        rule-set mail-server {
            from interface fe-0/0/7.0;
            rule r1 {
                match {
                    destination-address 62.118.2.200/32;
                }
                then {
                    static-nat prefix 172.30.0.111/32;
                }
            }
        }
    }

     



  • 4.  RE: Port forwarding doesn't work.

    Posted 09-20-2011 03:00

    **bleep**... It works, but only in one direction: requests from the internet on ports 25, 443 and 53 don't get translated to 172.30.0.111. Why?



  • 5.  RE: Port forwarding doesn't work.

    Posted 09-20-2011 06:38

    You can get a better idea of what is happening if you run this command whilst the MIP is trying to be accessed:

     

    show security flow session destination-prefix 62.118.2.200/24
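The check this reply suggests, worked through as an added example that is not part of the thread: a small Python parser for the `show security flow session` output format shown in the first post, which reads each session's In and Out wings and reports whether the initiator's source or the original destination was rewritten. The first two sample sessions are copied from the thread; the third (session 47001, peer 203.0.113.10, policy name `untrust-to-trust/5`) is constructed to show what a successful inbound hit on the static NAT for 62.118.2.200 looks like, with the reverse wing coming from 172.30.0.111.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)

# Sessions 45961 and 46415 are copied from the first post's
# "show security flow session source-prefix 172.30.0.111/32" output.
# Session 47001 is CONSTRUCTED: an inbound SMTP connection from an invented
# peer (203.0.113.10) hitting the static NAT for 62.118.2.200; its policy
# name and counters are made up for the example.
SAMPLE_OUTPUT = """\
Session ID: 45961, Policy name: trust-to-untrust/4, Timeout: 1800, Valid
  In: 172.30.0.111/4789 --> 64.12.73.195/443;tcp, If: ge-0/0/0.4, Pkts: 21, Bytes: 1533
  Out: 64.12.73.195/443 --> 62.118.2.205/28879;tcp, If: fe-0/0/7.0, Pkts: 26, Bytes: 17388

Session ID: 46415, Policy name: trust-to-untrust/4, Timeout: 1792, Valid
  In: 172.30.0.111/4802 --> 74.125.43.101/80;tcp, If: ge-0/0/0.4, Pkts: 5, Bytes: 958
  Out: 74.125.43.101/80 --> 62.118.2.205/2479;tcp, If: fe-0/0/7.0, Pkts: 5, Bytes: 3209

Session ID: 47001, Policy name: untrust-to-trust/5, Timeout: 1800, Valid
  In: 203.0.113.10/51000 --> 62.118.2.200/25;tcp, If: fe-0/0/7.0, Pkts: 3, Bytes: 180
  Out: 172.30.0.111/25 --> 203.0.113.10/51000;tcp, If: ge-0/0/0.4, Pkts: 2, Bytes: 120
---(more)---[abort]
"""

HEADER_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: Endpoint
    dst: Endpoint
    proto: str
    iface: str


@dataclass
class Session:
    sid: int
    policy: str
    in_wing: Wing   # forward direction: initiator -> original destination
    out_wing: Wing  # reverse direction: responder -> initiator, as the responder sees it

    def source_nat(self) -> bool:
        """True if the initiator's endpoint was rewritten (the responder replies to a translated address/port)."""
        return self.in_wing.src != self.out_wing.dst

    def destination_nat(self) -> bool:
        """True if the original destination was rewritten (replies come from a different inside endpoint)."""
        return self.in_wing.dst != self.out_wing.src


def parse_sessions(text: str) -> List[Session]:
    """Parse 'show security flow session' text into Session objects; pager residue such as ---(more)--- is ignored."""
    sessions: List[Session] = []
    header: Optional[Tuple[int, str]] = None
    wings: Dict[str, Wing] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header, wings = (int(m.group(1)), m.group(2)), {}
            continue
        m = WING_RE.match(line)
        if m and header is not None:
            wings[m.group(1)] = Wing(
                src=(m.group(2), int(m.group(3))),
                dst=(m.group(4), int(m.group(5))),
                proto=m.group(6),
                iface=m.group(7),
            )
            if "In" in wings and "Out" in wings:
                sessions.append(Session(header[0], header[1], wings["In"], wings["Out"]))
                header = None
    return sessions


def inbound_translations(sessions: List[Session], public_ip: str) -> Dict[int, Optional[Endpoint]]:
    """For sessions initiated towards public_ip, give the inside endpoint each was translated to (None = untranslated)."""
    result: Dict[int, Optional[Endpoint]] = {}
    for s in sessions:
        if s.in_wing.dst[0] == public_ip:
            result[s.sid] = s.out_wing.src if s.destination_nat() else None
    return result


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        kinds = []
        if s.source_nat():
            kinds.append("SNAT")
        if s.destination_nat():
            kinds.append("DNAT")
        print(f"{s.sid}: {s.policy} {s.in_wing.src} -> {s.in_wing.dst} [{' '.join(kinds) or 'no NAT'}]")
    print("inbound to 62.118.2.200:", inbound_translations(parsed, "62.118.2.200"))
```

Feed the real output of `show security flow session destination-prefix 62.118.2.200/32` to `parse_sessions` and look at `inbound_translations`: a session whose value is `None` reached the flow engine but was not destination-translated, so the static NAT rule did not match it. If the command shows no session at all for 62.118.2.200, the inbound packet never created a flow and the NAT rule was never consulted; the next things to verify (not covered in this thread) are that the SRX answers ARP for 62.118.2.200, an address inside fe-0/0/7.0's subnet but not its own, via `security nat proxy-arp`, and that a security policy from untrust to trust permits the service.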