Based on this explaination, I believe this is the topology you have:
VM ----0/0/1.3000----(inside zone)----vSRX----(outside zone)----0/0/0.3000----WAN Router
fxp0 is the management interface and probably IP'ed from management subnet. Based on the Source NAT configured, any traffic from 'Inside' going to 'Outside' will be source natted using the 'Outside' interface IP. This will not NAT the traffic destined to fxp0.
However check the route you have on the VM for this fxp0 IP on the vSRX to how this routed. Also I don't see 0/0/0.3000 as part of your 'Outside' security zone and only 'ge-0/0/0.0' is listed there. Not sure if thats a typo but thought of letting you know.
If this post helped resolve your issue, please mark this post as an "Accepted Solution". Kudos are also appreciated too.
You can try few things here, I will divide the response in two items
The Source NAT configuration looks fine and as I understand default route is also pointing to WAN router which should be connected via ge-0/0/0. This is correct interface as per topology given. Start ping to 188.8.131.52 and look the "show security flow session output protocol icmp" You should see the something like this.
Look for the packet counter in incoming and outging direction. if you don't see the session the counters only in outgoing direction that mean SRX device doesn't see traffic in return direction which mean issue could be with Internet.
-If you don't see the session at all under "show security flow session output protocol icmp" that mean device is dropping the flow.
In order to find out why device is dropping packet you can run this traceoption to find out.
set security flow traceoptions flag basic-datapath set security flow traceoptions file flowtrace.txt set security flow traceoptions packet-filter PF1 source-prefix VM_IP/32 destination-prefix 184.108.40.206/32 set security flow traceoptions packet-filter PF1 source-prefix 220.127.116.11/32 destination-prefix ge-0/0/0_interface_IP/32
2)FXP0- FXP0 being a management interface you need to configure management subnet which should be different from your actual ge-0/0/0 intefaces. Instead of configuring 0/0 via fxp0 you can specify specific LAN subnet via fxp0 so that you can access it from internal network.
When you said you are coming from Internal for SSH access to fxp, do you mean to say you want to access fxp0 IP from LAN connected to ge-0/0/1.3000? If that is the case, it will not work. fxp0 sits on the RE and we cannot divert traffic coming on PFE to the fxp0. fxp0 is for out of band management only so to access the fxp0 IP, you need to be coming from a VM/LAN connected to the fxp0.
As HS suggested, please check if its ge-0/0/0.3000 that needs to be bound to the 'Outside' Security zone.
Also, what is the IP configuration for the interface in External zone? Does ge-0/0/0.3000 have a public IP configured on it?
Can you share the output for show interfaces terse?