You have created your tunnel interface in theUntrustzone. Traffic from the Trust zone is able to enter the tunnel and pass to the destination. However traffic from a different interface in theUntrust zone is not able to pass traffic through the tunnel. You are using a single virtual router.
What could be causing this problem?
Two virtual routers need to be configured
A policy is needed since intra-zone blocking is on by default in theUntrustzone.
The tunnel is configured with a proxy id that does not include the address from theUntrust interface.
The routing tables are not correctly configured to allow the traffic from theUntrustsource to be delivered to the destination.
To control traffic that traverses the same zone, a zone level option is available — "Block Intra-zone Traffic". This option can be set through theWebUIor the CLI.
WebUIselect: Network -> Zones -> Edit <select zone>
CLI:set zone <zone name> block
This is an "All or Nothing" feature that is disabled by default on all zonesin the Trust-VR, except for theUntrustzone (where it is enabled by default). When the option is set or the check box is selected, all traffic between interfaces within the specified zone will be blocked. This holds true EXCEPT when there is an Intra-zone policy configured. Intra-zone policies will take precedence over or override thezone blocking setting