address local-sys-prod-prenat 10.252.253.5/32;
address local-sys-prod-postnat 10.2.2.5/32;
address remote-sys-prenat 10.12.7.2/32;
policy vpn-to-sys-test-amqps {
    match {
        source-address remote-sys-prenat;
        destination-address local-sys-test-prenat;
        application test-abc;
    }
    then {
        permit;
    }
}
Here you see the policy is for "local-sys-prod-prenat". In JUNOS the policy lookup happens after destination NAT, so you need to create the policy for "local-sys-prod-postnat".
Also, if you see here, the "test-abc" application does not have ICMP:
application test-abc {
    protocol tcp;
    destination-port 671;
}
So that's why it's taking the default deny policy. Correct this and it will work.
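
The lookup order described in the reply above, as an added example that is not part of the original post and is not Junos code: a simplified Python model that applies destination NAT first and then does a first-match policy lookup with a default deny. The NAT mapping between the two `local-sys-prod` addresses, the policy name `vpn-policy` and the `WITH_ICMP` application set are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Addresses from the post; the NAT mapping between them is an assumption.
PRENAT = ip_network("10.252.253.5/32")    # local-sys-prod-prenat
POSTNAT = ip_network("10.2.2.5/32")       # local-sys-prod-postnat
REMOTE = ip_network("10.12.7.2/32")       # remote-sys-prenat
DNAT = {ip_address("10.252.253.5"): ip_address("10.2.2.5")}

TEST_ABC = {("tcp", 671)}                 # application test-abc from the post
WITH_ICMP = TEST_ABC | {("icmp", None)}   # hypothetical set that also allows ICMP


def lookup(policies, src, dst, proto, port=None):
    """Destination NAT is applied first, then the first matching policy wins."""
    src = ip_address(src)
    dst = DNAT.get(ip_address(dst), ip_address(dst))  # translate before lookup
    for name, src_net, dst_net, apps in policies:
        if src in src_net and dst in dst_net and (proto, port) in apps:
            return name
    return "default-deny"


def make(dst_net, apps):
    """Build a one-policy list; 'vpn-policy' is a hypothetical policy name."""
    return [("vpn-policy", REMOTE, dst_net, apps)]


def results(policies):
    """Outcome for TCP/671 and for ICMP, both sent to the pre-NAT address."""
    return (lookup(policies, "10.12.7.2", "10.252.253.5", "tcp", 671),
            lookup(policies, "10.12.7.2", "10.252.253.5", "icmp"))


if __name__ == "__main__":
    cases = [("pre-NAT destination", make(PRENAT, TEST_ABC)),
             ("post-NAT destination", make(POSTNAT, TEST_ABC)),
             ("post-NAT + ICMP", make(POSTNAT, WITH_ICMP))]
    for label, pol in cases:
        tcp, icmp = results(pol)
        print(f"{label:22} tcp/671={tcp:13} icmp={icmp}")
```

A policy written against the pre-NAT address never matches, a policy on the post-NAT address permits TCP/671 only, and ICMP is permitted only once the application match includes it.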