0

我是瞻博网络和 SRX 的新手。我们刚刚设置了一个包含 2 个 Juniper SRX 220 设备的集群,我只是在努力设置 reth 接口。瞻博网络必须有 2 个上行链路到 Cicso ASA。此时接口 ge-0/0/0、ge-3/0/0 和 ge-0/0/1、ge-/0/01 连接到 ASA。我已经设置了一个 VLAN 的 192 并将 reth1 接口添加到这个 VLAN。我可以 ping reth1 接口,但无法 ping 另一端 ASA 接口上的接口。请有人能告诉我我做错了什么。配置如下。

chassis {

cluster {

reth-count 2;

redundancy-group 0 {

node 0 priority 100;

node 1 priority 1;

}

redundancy-group 1 {

node 0 priority 100;

node 1 priority 1;

preempt;

interface-monitor {

ge-3/0/1 weight 255;

ge-0/0/1 weight 255;


}

}

}

}

interfaces {

interface-range interfaces-fwtransit {

member ge-0/0/0;

member ge-3/0/0;

unit 0 {

family ethernet-switching {

vlan {

members fwtransit;

}

}

}

}

ge-0/0/1 {

gigether-options {

redundant-parent reth1;

}

}

ge-0/0/3 {

unit 0 {

family inet {

address 10.100.0.252/24;

}

}

}

ge-3/0/1 {

gigether-options {

redundant-parent reth1;

}

}

fab0 {


fabric-options {

member-interfaces {

ge-0/0/5;

}

}

}

fab1 {

fabric-options {

member-interfaces {

ge-3/0/5;

}

}

}

reth0 {

vlan-tagging;

redundant-ether-options {

redundancy-group 1;

}

}

reth1 {

vlan-tagging;

redundant-ether-options {

redundancy-group 1;

}

unit 192 {

description untrust;

vlan-id 192;
family inet {

address 192.168.2.252/24;

}

}

}

vlan {

unit 0 {


family inet {

address 192.168.1.1/24;

}

}

unit 162 {

family inet {

address 172.31.254.3/24;

}

}

unit 192 {

family inet {

address 192.168.2.3/24;

}

}

}

}

routing-options {

static {

route 10.100.0.0/24 next-hop 10.100.0.1;

}

}

protocols {

stp;

}

security {

zones {

security-zone trust {

interfaces {

ge-0/0/3.0 {

host-inbound-traffic {

system-services {

ping;

https;

ssh;

}

}

}

}

}

security-zone untrust {

host-inbound-traffic {

system-services {

ping;

}

}

interfaces {

vlan.162;

vlan.192;

}

}

}

}

vlans {

fwtransit {

vlan-id 162;

l3-interface vlan.162;

}

web_dmz {
vlan-id 192;

l3-interface vlan.192;

}
}
4

2 回答 2

0

我的理解是你有这样的东西:拓扑:

由于您已经在 host-inbound-traffic 下拥有 ICMP,因此您可以检查:

  1. 作为初始故障/脏测试,安全策略允许一切。前提是:“如果流量目标是传入接口以外的任何接口,Junos OS 会检查安全策略。”

2.监控接口上的流量,确保 ICMP ECHO 正在离开线路,如果没有回复,则 ASA 上可能有问题。

  1. 您是否检查过接口统计信息是否有丢失或错误?
于 2017-04-16T22:49:15.973 回答
0

请检查您是否配置了正确的策略: - 显示配置安全策略

您可以使用以下方式配置策略:

set security policy from-zone xxx to-zone xxx policy my-policy match source-address any destination-address any application any
set security policy from-zone xxx to-zone xxx policy my-policy then permit

并尝试通过指定源接口来 ping ASA 接口: - ping xxxxinterface ge-0/0/0

也许您还想定义一个环回接口并将此接口添加到您的:“trust”-security-zone

于 2017-07-17T15:58:44.943 回答