Hi all,
I was wondering if you could help me with this question. It might be a basic question, to be honest.
I'm a bit stuck at the moment as I'm trying to test basic connectivity between a vSRX and Olive, both running in VirtualBox. In fact I'm running GNS3 on an Ubuntu 16.04 guest with VMware, and within that guest I'm running Olive and vMX in VirtualBox.
For a reason I still can't figure out, I'm unable to ping between the vSRX and the Olive machine. I haven't had problems pinging from Olive to Olive machines, though, so I think it could be due to some security configuration missing.
I have configured on the vSRX the interface ge-0/0/1 to be part of the trusted zone, and additionally I have configured the trusted zone to accept ping requests with the following commands:
DIAGRAM:
[B]vSRX1[/B]
set security zones security-zone TEST host-inbound-traffic system-services ping
set security zones security-zone TEST interfaces ge-0/0/1
[B]root@vSRX1> show interfaces terse[/B]
Interface Admin Link Proto Local Remote
ge-0/0/0 up down
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
ge-0/0/1 up up
[B]ge-0/0/1.0 up up inet 10.10.1.5/28[/B]
ge-0/0/2 up down
[B]root@vSRX1> show configuration security zones security-zone TEST[/B]
host-inbound-traffic {
    system-services {
        ping;
    }
}
interfaces {
    ge-0/0/1.0;
}
[B]root@vSRX1> show configuration security[/B]
screen {
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                queue-size 2000; ## Warning: 'queue-size' is deprecated
                timeout 20;
            }
            land;
        }
    }
}
policies {
    from-zone trust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}
zones {
    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                traceroute;
                telnet;
                ssh;
            }
            protocols {
                ospf;
            }
        }
    }
    security-zone untrust {
        screen untrust-screen;
    }
    security-zone TEST {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
[B]R3[/B]
root@R3> show interfaces terse
Interface Admin Link Proto Local Remote
cbp0 up up
demux0 up up
dsc up up
em0 up up
em0.0 up up inet 10.10.0.3/28
em1 up up
[B]em1.0 up up inet 10.10.1.3/28[/B]
[B]root@R3> show interfaces em1 [/B]
physical interface: em1, Enabled, Physical link is Up
Interface index: 9, SNMP ifIndex: 23
Description: Link to R3 and R4 (Area 1)
Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Current address: 08:00:27:c3:ff:c5, Hardware address: 08:00:27:c3:ff:c5
Last flapped : 2016-12-27 19:09:39 GMT (00:41:05 ago)
Input packets : 75
Output packets: 1154
Logical interface em1.0 (Index 68) (SNMP ifIndex 24)
Flags: SNMP-Traps Encapsulation: ENET2
Input packets : 0
Output packets: 1154
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.1.0/28, Local: 10.10.1.3, Broadcast: 10.10.1.15
Thanks a lot for all your help.
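
An added example, not part of the original post: a small Python audit that parses Junos brace-style `security zones` output and lists, for each interface, the zone it is bound to and the host-inbound system services that zone accepts, plus any zones with no interface bound. The function names and the condensed `POSTED_ZONES` input (taken from the zone stanzas shown in the post) are choices made for this example.

```python
import re

# Zone stanzas condensed from the post's "show configuration security" output
# (Junos brace syntax is whitespace-insensitive, so line breaks are dropped).
POSTED_ZONES = """
security-zone trust { tcp-rst; host-inbound-traffic {
    system-services { ping; traceroute; telnet; ssh; } protocols { ospf; } } }
security-zone untrust { screen untrust-screen; }
security-zone TEST { host-inbound-traffic { system-services { ping; } }
    interfaces { ge-0/0/1.0; } }
"""

def parse(tokens):
    """Recursive descent: 'words;' is a leaf ({}), 'words { ... }' a nested dict."""
    node, words = {}, []
    for tok in tokens:
        if tok == "}":
            break
        if tok in ("{", ";"):
            node[" ".join(words)] = parse(tokens) if tok == "{" else {}
            words = []
        else:
            words.append(tok)
    return node

def zone_report(text):
    """Return ({interface: (zone, services)}, [zones with no interface bound])."""
    text = re.sub(r"##.*", "", text)  # drop '## Warning: ...' annotations
    tree = parse(iter(re.findall(r"[{};]|[^\s{};]+", text)))
    bound, unbound = {}, []
    for key, zone in tree.items():
        kind, _, name = key.partition(" ")
        if kind != "security-zone":
            continue
        zone_hit = zone.get("host-inbound-traffic", {})
        if not zone.get("interfaces"):
            unbound.append(name)
        for ifname, ifcfg in zone.get("interfaces", {}).items():
            # An interface-level host-inbound-traffic stanza overrides the zone's.
            hit = ifcfg.get("host-inbound-traffic", zone_hit)
            bound[ifname] = (name, sorted(hit.get("system-services", {})))
    return bound, unbound

if __name__ == "__main__":
    bound, unbound = zone_report(POSTED_ZONES)
    for ifname, (zone, services) in bound.items():
        print(f"{ifname}: zone {zone}, host-inbound services {services}")
    print("zones with no interface bound:", unbound)
```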