Hi Andy,
First of all thank you for suggestion: by using debug I've found the reason of the problem. I had not static route to destination MIP at untrust interface. I've added route and have got access 🙂
Nevertheless, please take a look at the debug - is I'm right? (I have changed public IPs)
****** 928508.0: <Trust/bgroup0/0> packet received [60]******
ipid = 1510(05e6), @0d595114
packet passed sanity check.
bgroup0/0:10.41.3.41/49421->213.133.107.190/1280,1(8/0)<Root>
no session found
flow_first_sanity_check: in <bgroup0/0>, out <N/A>
chose interface bgroup0/0 as incoming nat if.
flow_first_routing: in <bgroup0/0>, out <N/A>
search route to (bgroup0/0, 10.41.3.41->213.133.107.190) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 213.133.107.190->213.133.107.190, to ethernet0/1
routed (x_dst_ip 213.133.107.190) from bgroup0/0 (bgroup0/0 in 0) to ethernet0/1
policy search from zone 2-> zone 3
policy_flow_search policy search nat_crt from zone 2-> zone 3
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 213.133.107.190, port 34638, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 4
dip id = 2, 10.41.3.41/49421->213.133.107.145/17739
choose interface ethernet0/1 as outgoing phy if
no loop on ifp ethernet0/1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0/0>, out <ethernet0/1>
existing vector list 201-5036e7c.
Session (id:44136) created for first pak 201
flow_first_install_session======>
route to 213.133.107.190
wait for arp rsp for 213.133.107.190
ifp2 ethernet0/1, out_ifp ethernet0/1, flag 10000800, tunnel ffffffff, rc 0
outgoing wing prepared, not ready
handle cleartext reverse route
search route to (ethernet0/1, 213.133.107.190->10.41.3.41) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0/0
[ Dest] 33.route 10.41.3.41->10.41.3.41, to bgroup0/0
route to 10.41.3.41
arp entry found for 10.41.3.41
ifp2 bgroup0/0, out_ifp bgroup0/0, flag 00800801, tunnel ffffffff, rc 1
Message Edited by Dmitry on 08-29-2008 04:59 AM