我是Juniper和SRX的新手 . 我们刚刚设置了一个带有2个Juniper SRX 220设备的集群,我只是在努力设置reth接口 . 瞻博网络必须向Cicso ASA提供2个上行链路 . 此时接口ge-0/0/0,ge-3/0/0和ge-0/0/1,ge- / 0/01连接到ASA . 我已经设置了VLAN 192并将reth1接口添加到此VLAN . 我可以ping reth1接口但不能在另一端的ASA接口上ping接口 . 请有人可以告诉我做错了什么 . 配置如下 .
chassis {
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
preempt;
interface-monitor {
ge-3/0/1 weight 255;
ge-0/0/1 weight 255;
}
}
}
}
interfaces {
interface-range interfaces-fwtransit {
member ge-0/0/0;
member ge-3/0/0;
unit 0 {
family ethernet-switching {
vlan {
members fwtransit;
}
}
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.100.0.252/24;
}
}
}
ge-3/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-3/0/5;
}
}
}
reth0 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
}
reth1 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 192 {
description untrust;
vlan-id 192;
family inet {
address 192.168.2.252/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 162 {
family inet {
address 172.31.254.3/24;
}
}
unit 192 {
family inet {
address 192.168.2.3/24;
}
}
}
}
routing-options {
static {
route 10.100.0.0/24 next-hop 10.100.0.1;
}
}
protocols {
stp;
}
security {
zones {
security-zone trust {
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
}
}
}
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
vlan.162;
vlan.192;
}
}
}
}
vlans {
fwtransit {
vlan-id 162;
l3-interface vlan.162;
}
web_dmz {
vlan-id 192;
l3-interface vlan.192;
}
}
2 回答
我的理解是你有这样的东西:拓扑:
由于您已经在主机入站流量下拥有ICMP,因此您可以检查:
2.监控接口上的流量,确保ICMP ECHO正在离线,如果没有回复,ASA上的东西可能是 .
请检查您是否已配置正确的策略: - 显示配置安全策略
您可以使用以下命令配置策略:
并尝试通过指定源接口ping ASA接口: - ping x.x.x.xinterface ge-0/0/0
也许你也想定义一个loopback接口并将这个接口添加到你的:“trust”-security-zone