i have a SRX210 connected to my cable modem that provides a public internet IP (Zone UNTRUST).
On the SRX i have a zone PRIVATE that holds my private VLAN . I configured a Source NAT from zone PRIVATE to UNTRUST so i can surf with my private devices in the internet. This just works fine.
Furthermore i have a zone VPN and TRUST (corporate VLAN) and an IPSec VPN configuration. An IPSec VPN tunnel (st0.0 in zone VPN) will be established and the respective security policies are set so that corporate traffic can flow from TRUST into the zone VPN. A static route is configured that routes any corporate traffic form TRUST into the st0.0 tunnel interface
Interestingly, the tunnel is established (IKE and IPSEC security associations are up ) but i cannot send traffic (e.g. Ping) into the tunnel. When I connect the SRX to a NAT Router (ISP WiFi Router) instead of directly to the cable modem, i can ping into the tunnel and everything works as expected.
Any ideas ? Did i miss something within the NAT config ?