Hi Jeff,

For NAT rules, zone matching is based on the ingress interface and the egress interface after PBF policy or route table lookup. Zone matching for Security rules is a post-NAT process, so a second lookup will occur after applying the destination NAT rule (if there was a NAT policy match). On the other side, for IP matching in security policy, you always have to keep the pre-NAT IP address.

When using static SNAT bi-directional, an implied DNAT rule will be derived from your SNAT one (szone [any], sip [any] - dzone [same], dip [SNATed IP]). You can see it with # show running nat-policy.

In your case, I think something is wrong with routing (maybe a wrong mask); your source IP from the DMZ zone seems to be routed back into the trust zone... Furthermore, don't forget to keep your pre-NAT IP address in your security policy to allow the traffic.

Hope this will help you.

Regards,
-Nicolas
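As an added illustration (not part of Nicolas's reply and not vendor code), the following Python model walks through the evaluation order he describes: the ingress zone comes from the ingress interface, the egress zone from a route lookup on the destination, NAT rules are matched on the pre-NAT egress zone, a bi-directional static SNAT rule yields an implicit DNAT rule (szone any, sip any, dzone same as the SNAT rule's, dip the SNATed address), and security rules are matched on the post-NAT zones but the pre-NAT IP addresses. It also shows how a mistyped route mask can make a DMZ host resolve to the trust zone. All interfaces, zones, addresses, rule names and the route table are constructed for the example.

```python
"""Constructed model of NAT and security policy evaluation order (added
example, not PAN-OS code). Interfaces, zones, addresses and rules are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: interface -> zone, plus a static route table.
IFACE_ZONE = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}
ROUTES = [  # (prefix, egress interface); longest prefix match wins
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.1.0.0/16", "ethernet1/2"),
    ("172.16.0.0/24", "ethernet1/3"),
]
# Same table with a mistyped mask on a trust route: 172.16.0.0/25 is more
# specific than the DMZ /24, so DMZ hosts are "routed back into trust".
ROUTES_BAD_MASK = ROUTES + [("172.16.0.0/25", "ethernet1/2")]


def egress_zone(dst_ip: str, routes=ROUTES) -> str:
    """Route table lookup (longest prefix match) -> zone of the egress interface."""
    ip = ipaddress.ip_address(dst_ip)
    _, iface = max(((p, i) for p, i in routes if ip in ipaddress.ip_network(p)),
                   key=lambda pi: ipaddress.ip_network(pi[0]).prefixlen)
    return IFACE_ZONE[iface]


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _zone_ok(zone: str, spec: str) -> bool:
    return spec == "any" or zone == spec


@dataclass
class NatRule:
    name: str
    from_zone: str                  # ingress zone, or "any"
    to_zone: str                    # egress zone from the FIRST (pre-NAT) route lookup
    src: str                        # CIDR or "any"
    dst: str
    snat_to: Optional[str] = None   # static source translation
    dnat_to: Optional[str] = None   # destination translation
    bidirectional: bool = False


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                    # matched against the POST-NAT egress zone
    src: str                        # matched against PRE-NAT addresses
    dst: str
    action: str


def implied_dnat(rule: NatRule) -> Optional[NatRule]:
    """Bi-directional static SNAT derives a DNAT rule: szone any, sip any,
    dzone same as the SNAT rule's dzone, dip = the SNATed address."""
    if not (rule.bidirectional and rule.snat_to):
        return None
    return NatRule(name=rule.name + " (implicit)", from_zone="any", to_zone=rule.to_zone,
                   src="any", dst=rule.snat_to, dnat_to=rule.src.split("/")[0])


def evaluate(ingress_iface: str, src_ip: str, dst_ip: str, nat_rules, sec_rules, routes=ROUTES) -> dict:
    src_zone = IFACE_ZONE[ingress_iface]
    dst_zone_pre = egress_zone(dst_ip, routes)                  # first lookup
    expanded = []
    for r in nat_rules:                                         # implicit rule sits with its parent
        expanded.append(r)
        if (imp := implied_dnat(r)) is not None:
            expanded.append(imp)
    nat_hit = next((r for r in expanded
                    if _zone_ok(src_zone, r.from_zone) and _zone_ok(dst_zone_pre, r.to_zone)
                    and _in(src_ip, r.src) and _in(dst_ip, r.dst)), None)
    post_dst = nat_hit.dnat_to if nat_hit and nat_hit.dnat_to else dst_ip
    dst_zone_post = egress_zone(post_dst, routes)               # second lookup, after DNAT
    sec_hit = next((s for s in sec_rules
                    if _zone_ok(src_zone, s.from_zone) and _zone_ok(dst_zone_post, s.to_zone)
                    and _in(src_ip, s.src) and _in(dst_ip, s.dst)), None)  # pre-NAT IPs
    return {"nat": nat_hit.name if nat_hit else None,
            "to_zone": dst_zone_post,
            "security": sec_hit.name if sec_hit else None,
            "action": sec_hit.action if sec_hit else "deny (interzone default)"}


# Constructed rulebase: static bi-directional SNAT for a web server in trust.
NAT_RULES = [NatRule("web-static", "trust", "untrust", "10.1.1.5/32", "any",
                     snat_to="203.0.113.5", bidirectional=True)]
# Wrong: security rule written with the post-NAT (private) address.
SEC_POST_NAT_IP = [SecRule("inbound-web", "untrust", "trust", "any", "10.1.1.5/32", "allow")]
# Right: post-NAT zone (trust) but pre-NAT destination address (the public IP).
SEC_PRE_NAT_IP = [SecRule("inbound-web", "untrust", "trust", "any", "203.0.113.5/32", "allow")]


def inbound_with_wrong_rule() -> dict:
    return evaluate("ethernet1/1", "198.51.100.7", "203.0.113.5", NAT_RULES, SEC_POST_NAT_IP)


def inbound_with_right_rule() -> dict:
    return evaluate("ethernet1/1", "198.51.100.7", "203.0.113.5", NAT_RULES, SEC_PRE_NAT_IP)


if __name__ == "__main__":
    print(inbound_with_wrong_rule())   # implicit DNAT hits, security falls to default deny
    print(inbound_with_right_rule())   # same DNAT, security rule allows
    print(egress_zone("172.16.0.10"), egress_zone("172.16.0.10", ROUTES_BAD_MASK))
```

The two security rulebases differ only in the destination address: both use the post-NAT zone (trust), but only the one carrying the pre-NAT public address matches the inbound session, which is the point of Nicolas's "keep your pre-NAT IP address" advice. The ROUTES_BAD_MASK variant shows how a single over-specific route entry changes the zone the policy lookup sees for a DMZ host.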