我的站点大约有 4 个不同的子网。当我从 subnetwork2 ping subnetwork1 中的一台静态设备时,即使该设备已经关机,ping 也始终有回应。我猜测是我的 SRX300 自己回答了 ICMP 请求,而不是把请求转发到对应的子网。我之前使用的 EdgeMAX 没有这个问题。
如何让 SRX 不再拦截发往其他设备(而非 SRX 自身)的 ICMP 请求?
配置:
/* Junos configuration of the SRX300 as posted by the author; "....." marks stanzas
   the author elided and indentation was lost in the paste. Review notes are marked
   NOTE(review). */
version 15.1X49-D170.4;
system {
root-authentication {
/* hash presumably redacted for the post */
encrypted-password ""; ## SECRET-DATA
}
name-server {
8.8.8.8;
8.8.4.4;
1.1.1.1;
1.0.0.1;
}
login {
.......
}
services {
ssh {
root-login deny;
protocol-version v2;
}
netconf {
ssh;
}
dns {
dns-proxy {
/* NOTE(review): "propogate-setting" appears to be the Junos keyword spelling for this
   dns-proxy option; confirm against the release before "correcting" it */
propogate-setting enable;
/* NOTE(review): ae0.12 is listed here but appears in no security zone below;
   may be elided, or an interface outside every zone */
interface {
ae0.5;
ae0.11;
ae0.12;
ae0.22;
ae0.23;
}
default-domain main {
forwarders {
8.8.8.8;
8.8.4.4;
1.0.0.1;
1.1.1.1;
}
}
}
}
dhcp-local-server {
group CORP {
interface ae0.11;
}
group PBX {
interface ae0.22;
}
}
web-management {
https {
system-generated-certificate;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
boot-server 91.206.16.3;
server 185.102.185.102;
source-address 10.33.11.1;
source-address 10.41.22.1;
source-address 10.42.23.1;
}
}
chassis {
aggregated-devices {
ethernet {
device-count 4;
}
}
}
security {
log {
mode stream;
report;
}
address-book {
global {
......
}
}
flow {
/* NOTE(review): lets DNS reply packets that match no existing session through the
   flow module; review whether this is still required */
allow-dns-reply;
tcp-mss {
all-tcp {
mss 1452;
}
}
}
screen {
/* applied only to the untrust zone (see "screen untrust-screen" below) */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* NOTE(review): destination and static NAT are elided, but the session output posted
   below shows the reply wing of a ping to 10.5.5.22 leaving from 10.41.22.3 on ae0.22,
   i.e. the destination address is translated. A rule in one of these two sections is
   the likely reason the "powered-off" host still answers; check here before assuming
   the SRX itself replies to ICMP. */
destination {
.....
}
static {
.....
}
}
}
policies {
/* intra-zone traffic between the ae0.* subnets matches this policy
   (the session output reports "Policy name: trust-to-trust/4") */
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
.....
}
}
zones {
security-zone trust {
/* host-inbound-traffic only governs traffic addressed to the SRX's own interface
   addresses; transit pings between trust subnets are governed by the trust-to-trust
   policy and NAT, not by this stanza. "ntp" is already covered by "all". */
host-inbound-traffic {
system-services {
all;
ntp;
}
protocols {
all;
}
}
/* NOTE(review): ae0.12 (172.17.17.1/24) and ge-0/0/5.0 (172.16.16.1/24) are addressed
   below but belong to no zone shown here */
interfaces {
ae0.11;
ae0.5;
ae0.22;
ae0.23;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
/* NOTE(review): telnet and http are cleartext management protocols opened on an
   untrust-zone interface (192.168.8.8/24); if they are not needed, remove them and
   keep https */
ge-0/0/6.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
http;
https;
telnet;
}
}
}
pp0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/1 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/2 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/3 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 172.16.16.1/24;
}
}
}
ge-0/0/6 {
unit 0 {
family inet {
address 192.168.8.8/24;
}
}
}
ge-0/0/7 {
/* MAC presumably redacted for the post */
mac 00:00:00:00:00:00;
unit 0 {
encapsulation ppp-over-ether;
}
}
ae0 {
vlan-tagging;
aggregated-ether-options {
lacp {
active;
periodic fast;
}
}
unit 5 {
vlan-id 5;
family inet {
address 10.5.5.1/24;
}
}
unit 11 {
vlan-id 11;
family inet {
address 10.33.11.1/24;
}
}
unit 12 {
vlan-id 12;
family inet {
address 172.17.17.1/24;
}
}
unit 22 {
vlan-id 22;
family inet {
address 10.41.22.1/24;
}
}
unit 23 {
vlan-id 23;
family inet {
address 10.42.23.1/24;
}
}
}
pp0 {
unit 0 {
.....
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
next-hop pp0.0;
preference 5;
}
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
access {
address-assignment {
pool CORP {
family inet {
network 10.33.11.0/24;
range r1 {
low 10.33.11.201;
high 10.33.11.254;
}
dhcp-attributes {
name-server {
10.33.11.1;
}
router {
10.33.11.1;
}
/* NOTE(review): names irb.11, but this subnet is served on ae0.11 and no irb
   interface appears in the config shown — confirm the intended interface */
propagate-settings irb.11;
}
}
}
pool PBX {
family inet {
network 10.41.22.0/24;
range r1 {
low 10.41.22.201;
high 10.41.22.254;
}
dhcp-attributes {
name-server {
10.41.22.1;
}
router {
10.41.22.1;
}
/* NOTE(review): same mismatch as above — irb.22 vs. ae0.22 */
propagate-settings irb.22;
}
}
}
}
}
编辑 - 会话信息:
username> show security flow session protocol icmp source-prefix 10.33.11.206/32 destination-prefix 10.5.5.22/32
Session ID: 2690, Policy name: trust-to-trust/4, Timeout: 4, Valid
In: 10.33.11.206/1365 --> 10.5.5.22/1;icmp, Conn Tag: 0x0, If: ae0.11, Pkts: 1, Bytes: 60,
Out: 10.41.22.3/1 --> 10.33.11.206/1365;icmp, Conn Tag: 0x0, If: ae0.22, Pkts: 1, Bytes: 60,
Session ID: 3967, Policy name: trust-to-trust/4, Timeout: 2, Valid
In: 10.33.11.206/1363 --> 10.5.5.22/1;icmp, Conn Tag: 0x0, If: ae0.11, Pkts: 1, Bytes: 60,
Out: 10.41.22.3/1 --> 10.33.11.206/1363;icmp, Conn Tag: 0x0, If: ae0.22, Pkts: 1, Bytes: 60,
Session ID: 27899, Policy name: trust-to-trust/4, Timeout: 4, Valid
In: 10.33.11.206/1364 --> 10.5.5.22/1;icmp, Conn Tag: 0x0, If: ae0.11, Pkts: 1, Bytes: 60,
Out: 10.41.22.3/1 --> 10.33.11.206/1364;icmp, Conn Tag: 0x0, If: ae0.22, Pkts: 1, Bytes: 60,
Total sessions: 3