Juniper SRX 220

Time: 2016-05-13 09:45:58

Tags: juniper-network-connect

I am new to Juniper and the SRX. We have just set up a cluster with 2 Juniper SRX 220 devices and I am struggling to set up the reth interfaces. The Juniper has to provide 2 uplinks to the Cisco ASA. At the moment interfaces ge-0/0/0, ge-3/0/0 and ge-0/0/1, ge- / 0/01 are connected to the ASA. I have set up VLAN 192 and added the reth1 interface to this VLAN. I can ping the reth1 interface but I cannot ping the interface on the ASA at the other end. Could someone please tell me what I am doing wrong. Configuration below.

chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
            interface-monitor {
                ge-3/0/1 weight 255;
                ge-0/0/1 weight 255;
            }
        }
    }
}
interfaces {
    interface-range interfaces-fwtransit {
        member ge-0/0/0;
        member ge-3/0/0;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members fwtransit;
                }
            }
        }
    }
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 10.100.0.252/24;
            }
        }
    }
    ge-3/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-3/0/5;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 192 {
            description untrust;
            vlan-id 192;
            family inet {
                address 192.168.2.252/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 162 {
            family inet {
                address 172.31.254.3/24;
            }
        }
        unit 192 {
            family inet {
                address 192.168.2.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.100.0.0/24 next-hop 10.100.0.1;
    }
}
protocols {
    stp;
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                vlan.162;
                vlan.192;
            }
        }
    }
}
vlans {
    fwtransit {
        vlan-id 162;
        l3-interface vlan.162;
    }
    web_dmz {
        vlan-id 192;
        l3-interface vlan.192;
    }
}

2 answers:

Answer 0 (score: 0)

My understanding is that you have something like this. Topology:

Since you already have ICMP under host-inbound-traffic, you can check:

  1. As an initial down-and-dirty test, have the security policy allow everything. The premise for this is: "If the traffic is destined for any interface other than the incoming interface, Junos OS checks the security policy."
  2. Monitor the traffic on the interface to make sure the ICMP ECHO is going out; if there is no reply, the problem may be on the ASA side.

     1. Have you checked the interface statistics for drops or errors?

Answer 1 (score: 0)

Please check whether you have the correct policy configured: - show configuration security policies

You can configure a policy with the following commands:

set security policy from-zone xxx to-zone xxx policy my-policy match source-address any destination-address any application any
set security policy from-zone xxx to-zone xxx policy my-policy then permit

And try to ping the ASA interface by specifying the source interface: - ping x.x.x.x interface ge-0/0/0

Maybe you also want to define a loopback interface and add this interface to your "trust" security-zone.
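Both answers send the asker back to the zone and policy configuration. As an added example (not code from either answerer or from Juniper), the following Python script reads an excerpt of the configuration posted in the question, embedded inline as the sample input, and reports two things that are easy to miss when reading a long brace-format config by eye: logical interfaces that carry a family inet address but are listed in no security-zone, and pairs of logical interfaces whose subnets overlap. The function names (parse_junos, inet_addresses, zone_members, audit) are my own; the parser is a minimal walk over the brace structure, not a full Junos grammar. On this excerpt it reports reth1.192 as outside every zone and reth1.192 together with vlan.192 in 192.168.2.0/24, which are both plainly visible in the posted config; whether that explains the failed ping is something to confirm on the device (for example with show security zones), since the script only reads text.

```python
import ipaddress
from collections import defaultdict

# Excerpt of the configuration posted in the question (interfaces and zones only).
JUNOS_CONFIG = """
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 10.100.0.252/24;
            }
        }
    }
    reth1 {
        unit 192 {
            family inet {
                address 192.168.2.252/24;
            }
        }
    }
    vlan {
        unit 192 {
            family inet {
                address 192.168.2.3/24;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                vlan.192;
            }
        }
    }
}
"""

def parse_junos(text):
    """Yield (path, item): path is the tuple of enclosing block headers, item is a
    block header or a ';'-terminated statement (trailing ';' removed)."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            name = line[:-1].strip()
            yield tuple(stack), name
            stack.append(name)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            yield tuple(stack), line[:-1].strip()

def inet_addresses(text):
    """Map logical interface ('reth1.192') -> [IPv4Interface] from the interfaces stanza."""
    addrs = defaultdict(list)
    for path, item in parse_junos(text):
        if (len(path) == 4 and path[0] == "interfaces" and path[2].startswith("unit ")
                and path[3] == "family inet" and item.startswith("address ")):
            addrs[f"{path[1]}.{path[2].split()[1]}"].append(ipaddress.ip_interface(item.split()[1]))
    return dict(addrs)

def zone_members(text):
    """Map logical interface -> zone name. Zone members appear either as bare
    statements ('vlan.192;') or as blocks ('ge-0/0/3.0 { ... }'); both sit at depth 4."""
    members = {}
    for path, item in parse_junos(text):
        if (len(path) == 4 and path[:2] == ("security", "zones")
                and path[2].startswith("security-zone ") and path[3] == "interfaces"):
            members[item] = path[2].split()[1]
    return members

def audit(text):
    """Addressed logical interfaces missing from every zone, plus pairs of logical
    interfaces whose subnets overlap (two L3 interfaces sharing one subnet)."""
    addrs, zones = inet_addresses(text), zone_members(text)
    unzoned = sorted(name for name in addrs if name not in zones)
    overlaps, names = [], sorted(addrs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ia in addrs[a]:
                for ib in addrs[b]:
                    if ia.network.overlaps(ib.network):
                        overlaps.append((a, b, str(ia.network)))
    return {"unzoned": unzoned, "overlaps": overlaps}

print(audit(JUNOS_CONFIG))
```

To run it against a live box, paste the output of show configuration interfaces and show configuration security zones into JUNOS_CONFIG; the parser only relies on one block header or statement per line, which is how Junos prints its configuration.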