1. Lab topology

Site (business) segments: siteA: vlan100 192.168.100.0/24 and vlan200 192.168.200.0/24; siteB: 192.168.10.0/24; siteC: 192.168.20.0/24

Internet (ISP-facing) segments: 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24

Connectivity to verify: siteA vlan100 to siteB: ping 192.168.10.10 routing-instance v100; siteA vlan200 to siteC: ping 192.168.20.10 routing-instance v200 (siteC's host is 192.168.20.10; 192.168.10.10 is siteB's).

The vMX-ISP router emulates the ISP. siteA sits behind a vSRX chassis cluster (vSRXA, two nodes); siteB and siteC each sit behind a standalone vSRX (vSRXB1, vSRXC1). There is no NAT anywhere, so the ISP must carry return routes for every site subnet.

2. vSRXA configuration

vSRXA interface IP addresses. In a vSRX chassis cluster ge-0/0/x belongs to node0 and ge-7/0/x to node1, and each reth bundles one member port from each node, so a failover keeps the same IP and MAC on the surviving node. The cluster bootstrap itself (cluster-id/node, fabric links, redundancy-group 1 node priorities) is not part of this write-up:

set chassis cluster reth-count 8
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 192.168.100.1/24
set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 family inet address 192.168.200.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 172.16.3.1/24

Assign the vSRXA interfaces to security zones. Note that host-inbound-traffic system-services all and protocols all on the untrust zone expose every management service and routing protocol of the firewall itself on the ISP-facing reth1.0. That is acceptable in an isolated lab; in production the untrust zone should admit only the services it genuinely needs (ping, for example) and nothing else:

set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 host-inbound-traffic protocols all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone v200 host-inbound-traffic system-services all
set security zones security-zone v200 host-inbound-traffic protocols all
set security zones security-zone v200 interfaces reth0.200
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0

vSRXA security policies, permitting all traffic. Every zone pair, including untrust to v100 and untrust to v200, gets an any/any/any permit, and because there is no NAT the site-A subnets are directly reachable from the 172.16.x.x segments. This is deliberate for the lab so that routing can be tested in isolation; a production policy set would match specific source, destination and application tuples and log sessions:

{primary:node0}[edit]
root@vSRXA1# show security policies | display set
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone v200 to-zone untrust policy 1 match source-address any
set security policies from-zone v200 to-zone untrust policy 1 match destination-address any
set security policies from-zone v200 to-zone untrust policy 1 match application any
set security policies from-zone v200 to-zone untrust policy 1 then permit
set security policies from-zone v100 to-zone v200 policy 1 match source-address any
set security policies from-zone v100 to-zone v200 policy 1 match destination-address any
set security policies from-zone v100 to-zone v200 policy 1 match application any
set security policies from-zone v100 to-zone v200 policy 1 then permit
set security policies from-zone v200 to-zone v100 policy 1 match source-address any
set security policies from-zone v200 to-zone v100 policy 1 match destination-address any
set security policies from-zone v200 to-zone v100 policy 1 match application any
set security policies from-zone v200 to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v200 policy 1 match source-address any
set security policies from-zone untrust to-zone v200 policy 1 match destination-address any
set security policies from-zone untrust to-zone v200 policy 1 match application any
set security policies from-zone untrust to-zone v200 policy 1 then permit

vSRXA routing: a single default route towards the ISP (the inter-VLAN traffic between v100 and v200 needs no route, as both subnets are connected on reth0):

set routing-options static route 0.0.0.0/0 next-hop 172.16.3.2

3. vSRXB1 configuration

vSRXB1 interfaces and security zones (the same lab-only host-inbound-traffic all shortcut applies to the untrust zone here):

set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

Default route towards the ISP:

set routing-options static route 0.0.0.0/0 next-hop 172.16.1.2

vSRXB1 security policies. The two policies named default-permit match the factory-default trust-to-trust and trust-to-untrust rules; policy 1 adds an any/any/any permit from untrust into trust, which is what lets the other sites reach 192.168.10.0/24 without NAT:

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit

4. vSRXC1 configuration

vSRXC1 interfaces and security zones. Two settings here differ from vSRXB1: trust tcp-rst makes the SRX answer non-SYN TCP segments that match no session with a RST instead of silently dropping them, and untrust screen untrust-screen attaches the screen (IDS option) profile of that name to the zone. The profile definition itself is not shown in this write-up; untrust-screen is the profile name used by the SRX factory-default configuration:

root@vSRX-NGC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.1/24

set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

Default route towards the ISP:

set routing-options static route 0.0.0.0/0 next-hop 172.16.2.2

vSRXC1 security policies, identical in structure to vSRXB1 (factory-style default-permit from trust, plus an any/any/any permit from untrust into trust):

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
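All three firewalls (vSRXA in section 2, vSRXB1 in section 3 and vSRXC1 above) use the same lab shortcuts: host-inbound-traffic all on every zone, any/any/any permit policies, and no session logging. It is worth being able to spot those mechanically before a lab configuration is copied somewhere it should not go. The following Python script is an added example, not part of the original write-up and not a Junos tool; it parses display-set output for the zone and policy stanzas used above and reports the permissive ones, rating anything on an external zone (untrust by default) as HIGH. The sample input is a constructed subset of the vSRXA configuration from section 2, plus one hypothetical tightened policy named ssh-from-mgmt (with made-up address-book entries mgmt-net and bastion) that shows what passes the check.

```python
"""Audit Junos 'display set' output for the permissive lab settings used above.

Added example, not from the original write-up. SAMPLE_CONFIG is a constructed
subset of the vSRXA configuration from section 2; the policy ssh-from-mgmt and
the address-book names mgmt-net and bastion are hypothetical.
"""
import re

SAMPLE_CONFIG = """
set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v100 policy ssh-from-mgmt match source-address mgmt-net
set security policies from-zone untrust to-zone v100 policy ssh-from-mgmt match destination-address bastion
set security policies from-zone untrust to-zone v100 policy ssh-from-mgmt match application junos-ssh
set security policies from-zone untrust to-zone v100 policy ssh-from-mgmt then permit
set security policies from-zone untrust to-zone v100 policy ssh-from-mgmt then log session-init
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) "
    r"host-inbound-traffic (?P<kind>system-services|protocols) (?P<value>\S+)$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<fz>\S+) to-zone (?P<tz>\S+) "
    r"policy (?P<name>\S+) (?P<stanza>match|then) (?P<rest>.+)$"
)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_set_config(text):
    """Build zone host-inbound settings and policy tuples from 'set' lines.

    zones:    {zone: {"system-services": {...}, "protocols": {...}}}
    policies: {(from_zone, to_zone, name): {"match": {field: {values}}, "then": {actions}}}
    Lines that are neither zone host-inbound nor policy statements are ignored.
    """
    zones, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zone = zones.setdefault(m["zone"], {"system-services": set(), "protocols": set()})
            zone[m["kind"]].add(m["value"])
        elif m := POLICY_RE.match(line):
            key = (m["fz"], m["tz"], m["name"])
            pol = policies.setdefault(key, {"match": {}, "then": set()})
            if m["stanza"] == "match":
                field, value = m["rest"].split(None, 1)
                pol["match"].setdefault(field, set()).add(value)
            else:
                pol["then"].add(m["rest"].split()[0])  # permit / deny / log / count ...
    return zones, policies


def audit(text, external_zones=("untrust",)):
    """Return (severity, message) findings, most severe first."""
    zones, policies = parse_set_config(text)
    findings = []
    for zone, inbound in sorted(zones.items()):
        for kind in ("system-services", "protocols"):
            if "all" in inbound[kind]:
                sev = "HIGH" if zone in external_zones else "MEDIUM"
                findings.append((sev, f"zone {zone}: host-inbound-traffic {kind} all"))
    for (fz, tz, name), pol in sorted(policies.items()):
        if "permit" not in pol["then"]:
            continue
        wide_open = all(
            pol["match"].get(field) == {"any"}
            for field in ("source-address", "destination-address", "application")
        )
        if wide_open:
            sev = "HIGH" if fz in external_zones else "MEDIUM"
            findings.append((sev, f"policy {fz}->{tz} '{name}': permits any/any/any"))
        if "log" not in pol["then"]:
            findings.append(("LOW", f"policy {fz}->{tz} '{name}': permit without 'then log'"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])  # stable sort keeps zone/policy order
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

Run against the sample it reports three HIGH findings (both host-inbound-traffic all statements on untrust, and the any/any/any permit from untrust into v100), two MEDIUM ones for the internal zone and the v100-to-untrust policy, and two LOW ones for permits with no logging; the hypothetical ssh-from-mgmt policy, which matches a specific source, destination and application and logs sessions, produces nothing. Feed it the full output of show configuration | display set from any of the three firewalls to get the complete list.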

5. vMX-ISP router configuration

ge-0/0/0 and ge-0/0/1 are access ports in VLAN 30 with irb.30 as the L3 interface, which is how both reth1 member ports of the vSRXA cluster (ge-0/0/3 on node0 and ge-7/0/3 on node1) reach the same ISP address 172.16.3.2 whichever node is active. ge-0/0/2 and ge-0/0/3 are plain routed links to vSRXB1 and vSRXC1. The bridge-domain definition that binds VLAN 30 to irb.30 is not shown in the write-up:

set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.2/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.2.2/24
set interfaces irb unit 30 family inet address 172.16.3.2/24

Static return routes to every site subnet. The ISP has no default route, so without these the forward ping would leave each site but the reply would be dropped at vMX-ISP:

[edit]
root@vMX-ISP# show routing-options | display set
set routing-options static route 192.168.10.0/24 next-hop 172.16.1.1
set routing-options static route 192.168.20.0/24 next-hop 172.16.2.1
set routing-options static route 192.168.100.0/24 next-hop 172.16.3.1
set routing-options static route 192.168.200.0/24 next-hop 172.16.3.1

6. vMXA1, vMXB1 and vMXC1 configuration

vMXA1 emulates the site-A hosts. ge-0/0/0 and ge-0/0/1 trunk VLANs 100 and 200 towards the two reth0 member ports of the vSRXA cluster, irb.100 and irb.200 carry one host address per VLAN, and each IRB is placed in its own virtual-router instance (v100, v200) so that the two VLANs have separate routing tables, each with a default route to its vSRXA reth0 sub-interface. As with vMX-ISP, the bridge-domain definitions for VLANs 100 and 200 are not shown:

root@vMXA1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 200
set interfaces irb unit 100 family inet address 192.168.100.10/24
set interfaces irb unit 200 family inet address 192.168.200.10/24

[edit]
root@vMXA1# show routing-instances | display set
set routing-instances v100 instance-type virtual-router
set routing-instances v100 interface irb.100
set routing-instances v100 routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
set routing-instances v200 instance-type virtual-router
set routing-instances v200 interface irb.200
set routing-instances v200 routing-options static route 0.0.0.0/0 next-hop 192.168.200.1

vMXB1 and vMXC1 each emulate one host behind their site firewall, with a single address and a default route to the firewall's inside interface:

[edit]
root@vMXB1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.10/24
root@vMXB1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1

root@vMXC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.10/24
root@vMXC1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.1

7. Connectivity tests

Each site-A VLAN is pinged from its own routing instance on vMXA1 to the siteB and siteC hosts. Every reply arrives with ttl=61: Junos (FreeBSD) sends ICMP with an initial TTL of 64, and the reply crosses three routers on the way back (the remote vSRX, vMX-ISP and vSRXA), so 64 - 3 = 61. A different value would indicate an unexpected path.

root@vMXA1> ping 192.168.10.10 routing-instance v100 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=21.264 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.264/21.264/21.264/0.000 ms

root@vMXA1> ping 192.168.10.10 routing-instance v200 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=19.351 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.351/19.351/19.351/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v200 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.968 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.968/14.968/14.968/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v100 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.589 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.589/14.589/14.589/0.000 ms

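The ttl=61 values above are only meaningful if you know what path the reply should take. The following Python script is an added example, not part of the original write-up; it transcribes the interface addresses and static routes from sections 2 to 6 into per-device routing tables, performs a longest-prefix-match walk from a source to a destination, and derives the reply TTL from the reverse path. It goes slightly beyond the page by also tracing the inter-VLAN case (v100 to v200 through vSRXA, which should come back with ttl=63) and by removing one vMX-ISP return route to show that the forward path still works while the reply dies at the ISP. Zone policy and NAT are not modelled (the lab permits everything and does no NAT); the node names and the INITIAL_TTL constant are assumptions.

```python
"""Walk the lab's static routes hop by hop and predict the ping reply TTL.

Added example, not from the original write-up. TOPOLOGY is transcribed from the
interface addresses and static routes in the configuration sections; the node
names and INITIAL_TTL (Junos/FreeBSD default of 64) are assumptions. Security
policy and NAT are not modelled: the lab permits everything and does no NAT.
"""
import copy
import ipaddress

INITIAL_TTL = 64

# Each vMXA1 routing instance is its own node here, since each has its own RIB.
TOPOLOGY = {
    "vMXA1/v100": {"ifaces": ["192.168.100.10/24"], "routes": {"0.0.0.0/0": "192.168.100.1"}},
    "vMXA1/v200": {"ifaces": ["192.168.200.10/24"], "routes": {"0.0.0.0/0": "192.168.200.1"}},
    "vSRXA": {"ifaces": ["192.168.100.1/24", "192.168.200.1/24", "172.16.3.1/24"],
              "routes": {"0.0.0.0/0": "172.16.3.2"}},
    "vMX-ISP": {"ifaces": ["172.16.1.2/24", "172.16.2.2/24", "172.16.3.2/24"],
                "routes": {"192.168.10.0/24": "172.16.1.1", "192.168.20.0/24": "172.16.2.1",
                           "192.168.100.0/24": "172.16.3.1", "192.168.200.0/24": "172.16.3.1"}},
    "vSRXB1": {"ifaces": ["172.16.1.1/24", "192.168.10.1/24"], "routes": {"0.0.0.0/0": "172.16.1.2"}},
    "vSRXC1": {"ifaces": ["172.16.2.1/24", "192.168.20.1/24"], "routes": {"0.0.0.0/0": "172.16.2.2"}},
    "vMXB1": {"ifaces": ["192.168.10.10/24"], "routes": {"0.0.0.0/0": "192.168.10.1"}},
    "vMXC1": {"ifaces": ["192.168.20.10/24"], "routes": {"0.0.0.0/0": "192.168.20.1"}},
}


def build_ribs(topology):
    """Return ({node: [(network, next_hop_or_None)]}, {ip: owning node}).

    A next hop of None marks a connected route (interface subnet); the owner
    map resolves a next-hop or destination address to the device holding it.
    """
    ribs, owners = {}, {}
    for name, node in topology.items():
        rib = []
        for addr in node["ifaces"]:
            iface = ipaddress.ip_interface(addr)
            owners[iface.ip] = name
            rib.append((iface.network, None))
        for prefix, nh in node["routes"].items():
            rib.append((ipaddress.ip_network(prefix), ipaddress.ip_address(nh)))
        ribs[name] = rib
    return ribs, owners


def lookup(rib, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    matches = [(net, nh) for net, nh in rib if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def trace(topology, src_node, dst):
    """List the devices a packet from src_node traverses to reach dst.

    Raises LookupError when a device has no route, the next hop is not attached
    to any device, or the path loops (a missing return route shows up as the first case).
    """
    dst = ipaddress.ip_address(dst)
    ribs, owners = build_ribs(topology)
    path, node = [src_node], src_node
    while owners.get(dst) != node:
        hit = lookup(ribs[node], dst)
        if hit is None:
            raise LookupError(f"{node}: no route to {dst}")
        net, nh = hit
        target = dst if nh is None else nh  # connected route: deliver directly
        nxt = owners.get(target)
        if nxt is None:
            raise LookupError(f"{node}: next hop {target} for {net} is not on any device")
        if nxt in path:
            raise LookupError(f"{node}: routing loop via {nxt}")
        path.append(nxt)
        node = nxt
    return path


def expected_reply_ttl(topology, src_node, dst):
    """TTL the source sees in an echo reply: INITIAL_TTL at the destination,
    minus one per router on the reverse path (hops excluding both end hosts)."""
    forward = trace(topology, src_node, dst)
    src_ip = ipaddress.ip_interface(topology[src_node]["ifaces"][0]).ip
    reverse = trace(topology, forward[-1], str(src_ip))
    return INITIAL_TTL - (len(reverse) - 2)


def without_route(topology, node, prefix):
    """Copy of topology with one static route removed, to simulate a missing return route."""
    t = copy.deepcopy(topology)
    del t[node]["routes"][prefix]
    return t


if __name__ == "__main__":
    for src, dst in [("vMXA1/v100", "192.168.10.10"), ("vMXA1/v200", "192.168.20.10")]:
        print(" -> ".join(trace(TOPOLOGY, src, dst)), "reply ttl", expected_reply_ttl(TOPOLOGY, src, dst))
    broken = without_route(TOPOLOGY, "vMX-ISP", "192.168.100.0/24")
    print("forward still works:", " -> ".join(trace(broken, "vMXA1/v100", "192.168.10.10")))
    try:
        trace(broken, "vMXB1", "192.168.100.10")
    except LookupError as e:
        print("reply fails:", e)
```

The model reproduces the measured value: vMXA1/v100 to 192.168.10.10 passes vSRXA, vMX-ISP and vSRXB1, and the reply takes the mirror path, giving 64 - 3 = 61. The broken-topology case is the one to remember when a ping from a site fails even though that site's own default route is fine: a missing prefix on the ISP only shows up on the return leg.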

Summary:
1. Physical and VLAN sub-interface IP addressing on an SRX HA (chassis cluster) pair
2. Binding interfaces to security zones
3. Security policies permitting the traffic
4. Routing configuration for end-to-end connectivity