SRX Firewall Connectivity Test in a Permit-All Policy Environment

1. Lab Topology

Business subnets:
siteA: vlan100 192.168.100.0/24, vlan200 192.168.200.0/24
siteB: 192.168.10.0/24
siteC: 192.168.20.0/24

Interconnect subnets:
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24

siteA vlan100 pings siteB: ping 192.168.10.10 routing-instance v100
siteA vlan200 pings siteC: ping 192.168.10.10 routing-instance v200

The vMX-ISP router simulates the ISP.

2. vSRXA Configuration
vSRXA interface IP address configuration:
set chassis cluster reth-count 8

set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 192.168.100.1/24
set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 family inet address 192.168.200.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 172.16.3.1/24

vSRXA interfaces assigned to security zones:
set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 host-inbound-traffic protocols all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone v200 host-inbound-traffic system-services all
set security zones security-zone v200 host-inbound-traffic protocols all
set security zones security-zone v200 interfaces reth0.200
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0

vSRXA security policy configuration, permitting all traffic:

{primary:node0}[edit]
root@vSRXA1# show security policies | display set
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone v200 to-zone untrust policy 1 match source-address any
set security policies from-zone v200 to-zone untrust policy 1 match destination-address any
set security policies from-zone v200 to-zone untrust policy 1 match application any
set security policies from-zone v200 to-zone untrust policy 1 then permit
set security policies from-zone v100 to-zone v200 policy 1 match source-address any
set security policies from-zone v100 to-zone v200 policy 1 match destination-address any
set security policies from-zone v100 to-zone v200 policy 1 match application any
set security policies from-zone v100 to-zone v200 policy 1 then permit
set security policies from-zone v200 to-zone v100 policy 1 match source-address any
set security policies from-zone v200 to-zone v100 policy 1 match destination-address any
set security policies from-zone v200 to-zone v100 policy 1 match application any
set security policies from-zone v200 to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v200 policy 1 match source-address any
set security policies from-zone untrust to-zone v200 policy 1 match destination-address any
set security policies from-zone untrust to-zone v200 policy 1 match application any
set security policies from-zone untrust to-zone v200 policy 1 then permit

vSRXA routing configuration:
set routing-options static route 0.0.0.0/0 next-hop 172.16.3.2

3. vSRXB1 Configuration
vSRXB1 interface and security zone configuration:
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

set routing-options static route 0.0.0.0/0 next-hop 172.16.1.2

vSRXB1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit

4. vSRXC1 Configuration
vSRXC1 interface and security zone configuration:
root@vSRX-NGC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.1/24

set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

set routing-options static route 0.0.0.0/0 next-hop 172.16.2.2

vSRXC1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
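The policies on vSRXA, vSRXB1 and vSRXC1 above are all any/any/any permit rules, which is what this lab intends. The Python script below is an added example, not part of the original post and not Juniper tooling: it parses "display set" output and lists permit-all policies and zones whose host-inbound-traffic is opened with "all", so the same rules can be spotted quickly when they turn up outside a lab. The embedded sample is constructed from vSRXA's zone lines and two of its policies, plus one made-up restrictive policy named icmp-only (not present on any of the post's firewalls) to show that a narrower rule is not flagged.

```python
"""Audit Junos 'set'-format security policies and zone settings.

Added example (not from the original post). It reports:
  * policies that match source-address any, destination-address any and
    application any, and then permit (permit-all rules)
  * zones whose host-inbound-traffic allows all system-services or protocols,
    i.e. the firewall's own management plane is fully reachable from that zone
"""
import re

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)"
    r"|then (permit|deny|reject))$"
)
ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic "
    r"(system-services|protocols) (\S+)$"
)

# Constructed sample: vSRXA's v100/untrust zone lines and two of its policies
# from the post, plus a made-up restrictive policy "icmp-only" (not in the post).
SAMPLE_CONFIG = """
set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 host-inbound-traffic protocols all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v200 policy icmp-only match source-address any
set security policies from-zone untrust to-zone v200 policy icmp-only match destination-address any
set security policies from-zone untrust to-zone v200 policy icmp-only match application junos-icmp-ping
set security policies from-zone untrust to-zone v200 policy icmp-only then permit
""".strip().splitlines()


def parse_policies(lines):
    """Group policy lines by (from-zone, to-zone, name) into match sets and an action."""
    policies = {}
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        from_zone, to_zone, name, field, value, action = m.groups()
        pol = policies.setdefault(
            (from_zone, to_zone, name),
            {"source-address": set(), "destination-address": set(),
             "application": set(), "action": None},
        )
        if field:
            pol[field].add(value)
        else:
            pol["action"] = action
    return policies


def find_permit_all(policies):
    """Sorted (from-zone, to-zone, name) of rules permitting any -> any on any application."""
    fields = ("source-address", "destination-address", "application")
    return sorted(
        key for key, pol in policies.items()
        if pol["action"] == "permit" and all(pol[f] == {"any"} for f in fields)
    )


def find_open_host_inbound(lines):
    """Sorted (zone, category) pairs where host-inbound-traffic is set to 'all'."""
    return sorted(
        (m.group(1), m.group(2))
        for m in (ZONE_RE.match(line.strip()) for line in lines)
        if m and m.group(3) == "all"
    )


def audit(lines):
    """Run both checks and return a report dict; printing is left to the caller."""
    policies = parse_policies(lines)
    return {
        "policy_count": len(policies),
        "permit_all": find_permit_all(policies),
        "open_host_inbound": find_open_host_inbound(lines),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for key in report["permit_all"]:
        print("permit-all policy: from-zone %s to-zone %s policy %s" % key)
    for zone, category in report["open_host_inbound"]:
        print(f"zone {zone}: host-inbound-traffic {category} all")
```

Run it against the output of "show security policies | display set" and "show security zones | display set" saved to a file; the two checks are separate so a permit-all rule between two trusted zones can be accepted while the untrust findings are still reviewed.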

5. vMX-ISP Router Configuration
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.2/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.2.2/24
set interfaces irb unit 30 family inet address 172.16.3.2/24

[edit]
root@vMX-ISP# show routing-options | display set
set routing-options static route 192.168.10.0/24 next-hop 172.16.1.1
set routing-options static route 192.168.20.0/24 next-hop 172.16.2.1
set routing-options static route 192.168.100.0/24 next-hop 172.16.3.1
set routing-options static route 192.168.200.0/24 next-hop 172.16.3.1

6. vMXA1, vMXB1 and vMXC1 Configuration
root@vMXA1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 200
set interfaces irb unit 100 family inet address 192.168.100.10/24
set interfaces irb unit 200 family inet address 192.168.200.10/24

[edit]
root@vMXA1# show routing-instances | display set
set routing-instances v100 instance-type virtual-router
set routing-instances v100 interface irb.100
set routing-instances v100 routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
set routing-instances v200 instance-type virtual-router
set routing-instances v200 interface irb.200
set routing-instances v200 routing-options static route 0.0.0.0/0 next-hop 192.168.200.1


[edit]
root@vMXB1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.10/24
root@vMXB1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1


root@vMXC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.10/24
root@vMXC1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.1

7. Connectivity Test
root@vMXA1> ping 192.168.10.10 routing-instance v100 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=21.264 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.264/21.264/21.264/0.000 ms

root@vMXA1> ping 192.168.10.10 routing-instance v200 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=19.351 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.351/19.351/19.351/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v200 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.968 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.968/14.968/14.968/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v100 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.589 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.589/14.589/14.589/0.000 ms

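Every reply above arrives with ttl=61, which is the static routing working in both directions. The Python script below is an added example, not from the original post: it transcribes the interface addresses and static routes configured above into per-node tables, performs longest-prefix-match lookups hop by hop, and predicts the TTL the destination sees. Naming each vMXA1 routing-instance as its own node ("vMXA1:v100", "vMXA1:v200") and the initial TTL of 64 are assumptions of this example; with three transit routers on each path (vSRXA, vMX-ISP, then vSRXB1 or vSRXC1) it arrives at 61, matching the ping output. The ping_ok function also shows why the static routes on vMX-ISP for 192.168.100.0/24 and 192.168.200.0/24 matter: without them the request still reaches siteB, but the reply has no route back.

```python
"""Replay the lab's static routing hop by hop (added example, not from the post).

ADDRS and ROUTES are transcribed from the configurations in the post; a
next-hop of None marks a directly connected subnet. TTL 64 as the initial
value is assumed; each transit router decrements it once when forwarding.
"""
import ipaddress

# Interface address -> node that owns it (from the post's 'set interfaces' lines).
ADDRS = {
    "192.168.100.10": "vMXA1:v100", "192.168.200.10": "vMXA1:v200",
    "192.168.100.1": "vSRXA", "192.168.200.1": "vSRXA", "172.16.3.1": "vSRXA",
    "172.16.3.2": "vMX-ISP", "172.16.1.2": "vMX-ISP", "172.16.2.2": "vMX-ISP",
    "172.16.1.1": "vSRXB1", "192.168.10.1": "vSRXB1",
    "172.16.2.1": "vSRXC1", "192.168.20.1": "vSRXC1",
    "192.168.10.10": "vMXB1", "192.168.20.10": "vMXC1",
}

# Node -> [(prefix, next-hop)]; connected subnets first, then the static routes.
ROUTES = {
    "vMXA1:v100": [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")],
    "vMXA1:v200": [("192.168.200.0/24", None), ("0.0.0.0/0", "192.168.200.1")],
    "vSRXA": [("192.168.100.0/24", None), ("192.168.200.0/24", None),
              ("172.16.3.0/24", None), ("0.0.0.0/0", "172.16.3.2")],
    "vMX-ISP": [("172.16.1.0/24", None), ("172.16.2.0/24", None), ("172.16.3.0/24", None),
                ("192.168.10.0/24", "172.16.1.1"), ("192.168.20.0/24", "172.16.2.1"),
                ("192.168.100.0/24", "172.16.3.1"), ("192.168.200.0/24", "172.16.3.1")],
    "vSRXB1": [("172.16.1.0/24", None), ("192.168.10.0/24", None), ("0.0.0.0/0", "172.16.1.2")],
    "vSRXC1": [("172.16.2.0/24", None), ("192.168.20.0/24", None), ("0.0.0.0/0", "172.16.2.2")],
    "vMXB1": [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")],
    "vMXC1": [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")],
}


def lookup(node, dst, routes=ROUTES):
    """Longest-prefix match in the node's table; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(src, dst, initial_ttl=64, routes=ROUTES, max_hops=16):
    """Follow dst from node to node; returns (path, ttl_on_arrival).

    Raises ValueError when a node has no route, the symptom of a missing
    static route on the way out or on the way back.
    """
    path, ttl, node = [src], initial_ttl, src
    for _ in range(max_hops):
        if ADDRS.get(dst) == node:          # delivered to the owner of dst
            return path, ttl
        if node != src:                      # a transit router decrements TTL
            ttl -= 1
        route = lookup(node, dst, routes)
        if route is None:
            raise ValueError(f"{node}: no route to {dst}")
        net, next_hop = route
        if next_hop is None:                 # connected subnet: hand to the host
            if dst not in ADDRS:
                raise ValueError(f"{node}: no host {dst} on connected {net}")
            node = ADDRS[dst]
        else:
            node = ADDRS[next_hop]
        path.append(node)
    raise ValueError(f"{src}->{dst}: exceeded {max_hops} hops (routing loop?)")


def ping_path(src, src_addr, dst, routes=ROUTES):
    """A ping only succeeds if both the request and the reply find a route.
    Returns (request_path, reply_path, ttl_seen_at_dst)."""
    fwd, ttl = trace(src, dst, routes=routes)
    rev, _ = trace(ADDRS[dst], src_addr, routes=routes)
    return fwd, rev, ttl


def ping_ok(src, src_addr, dst, routes=ROUTES):
    """True when both directions are routable, False otherwise."""
    try:
        ping_path(src, src_addr, dst, routes=routes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for src, src_addr, dst in [("vMXA1:v100", "192.168.100.10", "192.168.10.10"),
                               ("vMXA1:v200", "192.168.200.10", "192.168.20.10")]:
        fwd, rev, ttl = ping_path(src, src_addr, dst)
        print(" -> ".join(fwd), f"(ttl at destination = {ttl})")
        print(" <- ".join(reversed(rev)))
```

The same tables can be edited to test a change before committing it: remove a route from one node's list and ping_ok reports whether the lab would still pass the tests above.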

Summary:
1. Physical interface and VLAN sub-interface IP address configuration in an SRX HA (chassis cluster) environment
2. Interface and security zone configuration
3. Permit-all security policy configuration
4. Routing configuration for end-to-end connectivity
