Re: access to public NAT IP from device in DMZ zone
This is a fairly common issue when doing Destination NAT:
You'll need to adjust your destination NAT rule so that the source zone includes both your "Untrust" and any other zones that you need to access it from - like the DMZ in your case. Even though the destination IP address doesn't technically belong in the DMZ zone, the NAT policy will still translate connections to it.
As for the host needing to connect to itself over a NATted IP - that's certainly a new one for me but if you're still having issues make sure there is an intrazone policy configured from zone DMZ to zone DMZ and this *may* just work.
I suspect the host probably needs to connect to itself via a FQDN which is resolving to its public IP address which is where the DNAT comes into play.
If you still have issues getting that to work, try manually editing the hosts file on the machine so that the FQDN resolves to the private address of the box - that should bypass any issues you'll have with the SRX and NAT.
Ben Dale JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63 Juniper Ambassador Follow me @labelswitcher
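Added example of the two pieces the reply describes (a destination NAT rule-set that lists both zones, and an intrazone DMZ policy); this is not configuration from the post or its author, and the zone names, addresses, ports and policy names are placeholders.

```junos
## Added example, not from the post: placeholder zones/addresses/ports
## Public 203.0.113.10:443 is translated to the DMZ host 10.10.10.20:443
set security nat destination pool DMZ-HOST-443 address 10.10.10.20/32 port 443

## The rule-set must list every zone the public address is reached from,
## including the DMZ itself; a rule-set with only "from zone untrust"
## never translates traffic that originates inside the DMZ
set security nat destination rule-set DNAT-PUBLIC from zone untrust
set security nat destination rule-set DNAT-PUBLIC from zone dmz
set security nat destination rule-set DNAT-PUBLIC rule DNAT-443 match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT-PUBLIC rule DNAT-443 match destination-port 443
set security nat destination rule-set DNAT-PUBLIC rule DNAT-443 then destination-nat pool DMZ-HOST-443

## Destination NAT runs before the policy lookup, so the intrazone policy
## matches the translated private address, not the public one
set security address-book global address DMZ-HOST 10.10.10.20/32
set security policies from-zone dmz to-zone dmz policy DMZ-HAIRPIN match source-address any
set security policies from-zone dmz to-zone dmz policy DMZ-HAIRPIN match destination-address DMZ-HOST
set security policies from-zone dmz to-zone dmz policy DMZ-HAIRPIN match application junos-https
set security policies from-zone dmz to-zone dmz policy DMZ-HAIRPIN then permit
set security policies from-zone dmz to-zone dmz policy DMZ-HAIRPIN then log session-init

## Verification after commit: the session should show the dmz->dmz policy
## and the translated destination rather than a dropped/unmatched flow
## run show security flow session destination-prefix 10.10.10.20
## run show security nat destination rule all
```

If the session table shows no translation for DMZ-sourced traffic, the missing "from zone dmz" line in the rule-set is the first thing to check.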