Hi,
I made a mistake when posting the policies; it must have been confusing, sorry.
252 Trust DMZ Any Any ANY Permit enabled ---X-X
250 DMZ Untrust Network-DMZ Any ANY Permit enabled ---X-X
253 Untrust DMZ Any VIP(212.36.~ FTP Permit enabled ---X-X
254 Untrust DMZ Any Any ANY Permit enabled -----X
255 Untrust Global Any VIP(212.36.~ FTP Permit enabled -----X
The zone is correct
ID Name Type Attr VR Default-IF VSYS
0 Null Null Shared untrust-vr null Root
1 Untrust Sec(L3) Shared trust-vr ethernet0/0 Root
101 DMZ Sec(L3) trust-vr ethernet0/8.2 Root
As I understand it, zone 1 is Untrust and zone 101 is DMZ. Anyway, I added policies 254 and 255 (the global one) as you suggested, with the same result.
I attached a new debug with the two new policies enabled:
****** 63047596.0: <Untrust/ethernet0/0> packet received [52]******
ipid = 915(0393), @1d6e8114
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:80.28.222.166/54675->212.36.84.102/21,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 80.28.222.166->172.16.253.4) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 0 for 172.16.253.4
add route 125 for 172.16.253.4 to route cache table
[ Dest] 125.route 172.16.253.4->172.16.253.4, to ethernet0/8.2
routed (x_dst_ip 172.16.253.4) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/8.2
policy search from zone 1-> zone 101
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 212.36.84.102, port 21, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0
Thank you in advance.
Best regards,
Marc
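
An added example, not part of Marc's post: a small Python parser that condenses a flow debug block like the one above into one record per packet, so the ingress zone, translated destination, searched zone pair, matched policy id and verdict can be read side by side. The function name, field names and regexes are assumptions of this example, based only on the lines shown in the post; the trace excerpt and zone IDs are copied from it.

```python
import re

# Lines excerpted from the debug output in the post above.
TRACE = """\
****** 63047596.0: <Untrust/ethernet0/0> packet received [52]******
ethernet0/0:80.28.222.166/54675->212.36.84.102/21,6<Root>
routed (x_dst_ip 172.16.253.4) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/8.2
policy search from zone 1-> zone 101
policy_flow_search policy search nat_crt from zone 1-> zone 10
Searching global policy.
policy id (320000)
packet dropped, denied by policy
"""

# Zone IDs from the zone table in the post.
ZONES = {0: "Null", 1: "Untrust", 101: "DMZ"}

HEADER = re.compile(r"\*+ [\d.]+: <(?P<in_zone>[^/>]+)/(?P<in_if>[^>]+)> packet received")
FIELDS = [  # anchored so that similar-looking lines (e.g. policy_flow_search) are ignored
    re.compile(r"^\S+:(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<"),
    re.compile(r"^routed \(x_dst_ip (?P<x_dst>[\d.]+)\) .* to (?P<out_if>\S+)$"),
    re.compile(r"^policy search from zone (?P<src_zone>\d+)-> zone (?P<dst_zone>\d+)$"),
    re.compile(r"^policy id \((?P<policy_id>\d+)\)$"),
]

def parse_trace(text, zones=ZONES):
    """Return one summary dict per 'packet received' block in the trace."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        head = HEADER.search(line)
        if head:  # a new packet starts here
            packets.append({"global_searched": False, "dropped": False, **head.groupdict()})
        elif packets:  # lines before the first header are ignored
            pkt = packets[-1]
            for pat in FIELDS:
                m = pat.search(line)
                if m:
                    pkt.update(m.groupdict())
            if line.startswith("Searching global policy"):
                pkt["global_searched"] = True
            if line.startswith("packet dropped"):
                pkt["dropped"] = True
                pkt["reason"] = line.split(",", 1)[-1].strip()
    for pkt in packets:  # resolve numeric zone IDs against the zone table
        for key in ("src_zone", "dst_zone"):
            if key in pkt:
                pkt[key + "_name"] = zones.get(int(pkt[key]), "unknown")
    return packets
```

Calling `parse_trace()` on a longer capture returns one dict per packet, which makes it easy to compare the zone pair and policy id across attempts after each policy change.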