SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Who can explain why my simple config is not working

    Posted 04-22-2015 02:04

     

    Hello community.
    I can't understand why this config is not working.
    If this config is loaded in a test environment (Firefly Perimeter or SRX210), everything works well; I use ping to check.
    But if this config is loaded on the production SRX240 with real public IP addresses set, only SSH works well; the device does not answer ping.
    Can somebody explain why?

     

    ## Last changed: 2015-04-15 00:04:13 EET
    version 12.1X44-D40.2;
    system {
        host-name JUN_CNT;
        time-zone Europe/Kaliningrad;
        root-authentication {
            encrypted-password "secret";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            user amaksimenko {
                uid 2003;
                class super-user;
                authentication {
                    ssh-rsa "secret";
                }
            }
            user juniadmin {
                uid 2002;
                class super-user;
                authentication {
                    encrypted-password "secret";
                }
            }
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                    interface all;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file syslog-messages {
                any notice;
                archive size 2m files 10;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description ISP2_METRONET;
                family inet {
                    filter {
                        input ISP2-IN;
                    }
                    address 111.222.145.160/20;
                    address 111.222.145.161/20;
                    address 111.222.145.162/20;
                    address 111.222.145.163/20;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                description ISP1-WESTCALL;
                family inet {
                    filter {
                        input ISP1-IN;
                    }
                    address 333.444.79.98/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet inside;
        }
        static {
            route 0.0.0.0/0 next-table ISP1.inet.0;
        }
        rib-groups {
            inside {
                import-rib [ inet.0 TRUST-VRF.inet.0 ISP1.inet.0 ISP2.inet.0 ];
            }
        }
    }
    security {
        address-book {
            global {
                address CORE_SSH 10.240.245.245/32;
                address NET_LAN 10.21.0.0/16;
                address NET_SERVERS 10.10.0.0/16;
                address-set NET_LOCAL {
                    address CORE_SSH;
                    address NET_LAN;
                    address NET_SERVERS;
                }
            }
        }
        nat {
            source {
                rule-set SNAT-ISP1 {
                    from routing-instance default;
                    to routing-instance ISP1;
                    rule SNAT1 {
                        match {
                            source-address-name NET_LOCAL;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                    rule nat-off {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 10.0.0.0/8;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                }
                rule-set SNAT-ISP2 {
                    from routing-instance default;
                    to routing-instance ISP2;
                    rule SNAT2 {
                        match {
                            source-address-name NET_LOCAL;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                    rule ISP2-nat-off {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 10.0.0.0/8;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone ISP1 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/7.0;
                }
            }
            security-zone ISP2 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    firewall {
        filter ISP1-IN {
            term 0 {
                from {
                    destination-address {
                        333.444.79.98/32;
                    }
                    destination-port 22;
                }
                then accept;
            }
            term 1 {
                from {
                    destination-address {
                        333.444.79.98/32;
                    }
                }
                then {
                    routing-instance TRUST-VRF;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter ISP2-IN {
            term 0 {
                from {
                    destination-address {
                        111.222.145.160/29;
                    }
                    destination-port 22;
                }
                then accept;
            }
            term 1 {
                from {
                    destination-address {
                        111.222.145.160/29;
                    }
                }
                then {
                    routing-instance TRUST-VRF;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    routing-instances {
        ISP1 {
            instance-type virtual-router;
            interface ge-0/0/7.0;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }
                static {
                    route 0.0.0.0/0 next-hop 333.444.79.97;
                }
            }
        }
        ISP2 {
            instance-type virtual-router;
            interface ge-0/0/0.0;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }
                static {
                    route 0.0.0.0/0 next-hop 111.222.144.1;
                }
            }
        }
        TRUST-VRF {
            instance-type forwarding;
        }
    }

     



  • 2.  RE: Who can explain why my simple config is not working

     
    Posted 04-22-2015 03:25

    Hi HunterXXI,

     

    When you put this configuration on your SRX240 device, SSH to the device works fine but ping does not work. Can you explain to me from where to where you are trying to ping? Is the ping initiated from the device to an external host, or are you pinging the SRX from an external host?

     

    Also, for route export or import, I would recommend policy options rather than RIB groups, since you have more control over route manipulation.

     

    Please explain more about this setup, since host-inbound traffic should work fine.



  • 3.  RE: Who can explain why my simple config is not working

    Posted 04-22-2015 06:58

    I want both ISPs to work at the same time.

     



  • 4.  RE: Who can explain why my simple config is not working

    Posted 04-22-2015 05:32

    Are you trying to ping the SRX from an external device (if so, which IP address are you trying to ping)? Or is the ping initiated from the SRX (if so, a policy would need to be configured on zone junos-host)?



  • 5.  RE: Who can explain why my simple config is not working

    Posted 04-22-2015 06:59

    Ping from a remote public host.



  • 6.  RE: Who can explain why my simple config is not working
    Best Answer

     
    Posted 04-22-2015 07:24

    Can you provide the source IP and the destination IP, and also the outputs below:

     

    >show route  <source-ip> | no-more

    >show route <dest-ip> | no-more
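In the posted ISP1-IN filter, term 0 accepts only destination port 22 to the interface address 333.444.79.98, and term 1 sends everything else addressed to that IP, ICMP echo included, into TRUST-VRF by filter-based forwarding before the packet can be handed to the Routing Engine. Before changing the forwarding behaviour, a practitioner would want to see which term an inbound echo request actually hits. The following is an added diagnostic example, not part of the thread: it puts a counter on each term, inserts a dedicated ICMP term ahead of the forwarding term, and commits with an automatic rollback so a mistake over a remote SSH session does not lock you out. The term name `icmp-to-self` and the counter names are hypothetical; the addresses and filter name are the ones from the posted config.

```junos
edit firewall filter ISP1-IN
set term 0 from protocol tcp
set term 0 then count ssh-to-self
set term icmp-to-self from destination-address 333.444.79.98/32
set term icmp-to-self from protocol icmp
set term icmp-to-self then count icmp-to-self
set term icmp-to-self then log
set term icmp-to-self then accept
insert term icmp-to-self before term 1
set term 1 then count fbf-to-trust-vrf
top
commit confirmed 5

run show firewall filter ISP1-IN
run show firewall log
run show route 333.444.79.98 table inet.0
run show security flow session destination-prefix 333.444.79.98
```

`commit confirmed 5` rolls the change back after five minutes unless a plain `commit` follows, so confirm it only once SSH still works. While a remote host pings the address, the counters show whether echo requests land in `icmp-to-self` or in the forwarding term, and `show firewall log` lists the logged packets with the matching filter and interface. Adding `protocol tcp` to term 0 narrows it to TCP/22 instead of any protocol whose port field happens to be 22; the same terms apply to ISP2-IN with 111.222.145.160/29 on ge-0/0/0. The term `icmp-to-self` is a diagnostic and, if it turns out to be what the device needs, should be kept deliberately rather than as a side effect of troubleshooting; the `show route` outputs requested above remain the first thing to collect.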