Hello,
I deployed a vSRX in Oracle Cloud but the following is happening:
1- I'm able to ping fxp0 from my home PC 1
2- Not able to shh fxp0
3- Not able ping or ssh ge-0/0/0
First, I didn't configure the new OCI routing instance and was not able to ping fxp0 or ge-0/0/0 from my home PC, but I was able to see in the show security flow that I'm receiving a packet on the srx but not able to reply once i ping the public ip of fxp0. I had the default route 10.0.76.1 which is ge-0/0/0 next-hop and only the default routing instance.
Then i followed the Oracle blog Blog and they suggested creating routing-instance for my revenue ports (ge-0/0/0 and ge-0/0/1) to avoid asymmetric routing and i changed the default route. The new configuration and the one running now is below.
Now i'm able to ping fxp0 but not ssh it but i'm not seeing the ping traffic in the show security flow session.
How can i make the fxp0 and ge-0/0/0 pingable and able to ssh it from home PC. Can someone tell me what is missing
[edit]
root# show | no-more
## Last changed: 2020-07-21 16:37:45 UTC
version 15.1X49-D172.1;
system {
root-authentication {
encrypted-password "$5$hy8.OvoE$ubrnzVD4wmIaUG.sP8yOi4z99RVho07G2P6T3x9yml1"; ## SECRET-DATA
}
name-server {
}
services {
ssh {
root-login allow;
}
web-management {
http {
interface [ fxp0.0 ge-0/0/0.0 ];
}
https {
system-generated-certificate;
interface [ fxp0.0 ge-0/0/0.0 ];
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
log {
mode stream;
report;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set Trust-2-Untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy Trust-2-Trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy Trust-2-Untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.76.4/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.80.5/24;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.0.28.3/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.0.28.1;
}
}
routing-instances {
OCI {
instance-type virtual-router;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.0.76.1;
}
}
}
}
[edit]
root#
No comments:
Post a Comment