## Last changed: 2014-04-14 12:07:03 MSK
/* Junos release this configuration was taken from. */
version 12.1X44.3;
system {
    host-name st-petersburg;
    domain-name ariel.ru;
    time-zone Europe/Moscow;
    root-authentication {
        /* "password" is a placeholder in this paste, not a password hash; the live device must carry the real hash. */
        encrypted-password "password";
    }
    name-server {
        /* Resolver sits in 192.168.70.0/24, which is routed over the podolsk tunnel (st0.0), so name resolution on the device itself depends on that tunnel. */
        192.168.70.254;
    }
    services {
        ssh;
        /* Clear-text XML management interface; reachable from zone trust, which permits all system-services. Prefer xnm-ssl or netconf ssh. */
        xnm-clear-text;
        web-management {
            http {
                /* fe-0/0/0.0 is the Internet-facing interface and zone untrust also permits http inbound on it, so the clear-text J-Web login is exposed externally. Drop fe-0/0/0.0 from this list (keep https on vlan.0) unless WAN-side HTTP management is intended. */
                interface [ vlan.0 fe-0/0/0.0 ];
            }
            https {
                /* Self-signed certificate; LAN side (vlan.0) only. */
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            /* DHCP server for the trust LAN; clients get 8.8.8.8 as resolver, not the device's own 192.168.70.254. */
            pool 192.168.10.0/24 {
                address-range low 192.168.10.33 high 192.168.10.254;
                default-lease-time 36000;
                domain-name domain.loc;
                name-server {
                    8.8.8.8;
                }
                router {
                    192.168.10.1;
                }
            }
        }
    }
    syslog {
        /* Local files only, no remote syslog host, so logs do not survive the device; send at least authorization and interactive-commands to a collector. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* Unauthenticated NTP against three external servers. */
        server 62.76.96.4;
        server 212.248.127.94;
        server 89.179.120.132;
    }
}
interfaces {
    /* External (WAN) interface: member of zone untrust and external-interface for both IKE gateways. Address is a placeholder in this paste. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address Juniper-1_IP/29;
            }
        }
    }
    /* fe-0/0/1 through fe-0/0/7 are identical layer-2 access ports in vlan-trust, routed via vlan.0. */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Route-based VPN tunnel interfaces: unit 0 is bound to vpn podolsk, unit 1 to vpn ike-sklad. Each unit must belong to a security zone (trust, to match the trust-to-trust policies) for transit traffic to flow. */
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* Trust-side gateway; also the router option handed out by the DHCP pool. */
                address 192.168.10.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* "gateway" is a placeholder for the ISP next-hop in this paste. */
        route 0.0.0.0/0 next-hop gateway;
        /* Remote networks behind the podolsk tunnel (st0.0). */
        route 192.168.31.0/24 next-hop st0.0;
        route 192.168.70.0/24 next-hop st0.0;
        route 172.17.20.0/24 next-hop st0.0;
        route 172.17.23.0/24 next-hop st0.0;
        /* Remote network behind the sklad tunnel (st0.1). */
        route 192.168.11.0/24 next-hop st0.1;
    }
}
protocols {
    /* Spanning tree on the switching ports, default settings. */
    stp;
}
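security {
    ike {
        /* group2 (1024-bit MODP) and SHA-1 are below current recommendations; move to dh-group group14 and authentication-algorithm sha-256 once the sklad peer can match - both ends must change together or the tunnel will not come up. */
        proposal ike-sklad {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        /* Predefined "standard" proposal set (SHA-1 / group2 based); the same hardening note applies. */
        policy ike_pol_podolsk {
            mode main;
            proposal-set standard;
            /* "key" is a placeholder in this paste. */
            pre-shared-key ascii-text "key";
        }
        policy ike_pol_sklad {
            mode main;
            proposals ike-sklad;
            pre-shared-key ascii-text "key";
        }
        /* Peer addresses are placeholders in this paste. */
        gateway gw_podolsk {
            ike-policy ike_pol_podolsk;
            address linux_box_ip;
            dead-peer-detection {
                always-send;
                interval 20;
                threshold 5;
            }
            external-interface fe-0/0/0.0;
        }
        /* No dead-peer-detection here and neither vpn below enables vpn-monitor, so a dead sklad peer may go unnoticed until rekey. */
        gateway gw-sklad {
            ike-policy ike_pol_sklad;
            address Juniper-2-ip;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        vpn-monitor-options;
        proposal ipsec-sklad {
            protocol esp;
            /* PFS with group2 below shares the 1024-bit weakness noted under ike. */
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec_pol_podolsk {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec-pol-sklad {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-sklad;
        }
        vpn podolsk {
            bind-interface st0.0;
            ike {
                gateway gw_podolsk;
                ipsec-policy ipsec_pol_podolsk;
            }
            establish-tunnels immediately;
        }
        /* Named the same as the ike proposal above; a distinct name would avoid confusion when reading logs. */
        vpn ike-sklad {
            bind-interface st0.1;
            ike {
                gateway gw-sklad;
                ipsec-policy ipsec-pol-sklad;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        /* Basic DoS screens, applied to zone untrust below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface PAT for trust -> untrust; tunnel traffic stays inside zone trust and is not translated. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Both tunnel interfaces terminate in zone trust, so site-to-site traffic is matched here as intra-zone traffic. Only the listed prefixes are permitted; anything else between trust interfaces falls to the default policy. */
        from-zone trust to-zone trust {
            policy policy_out_podolsk {
                match {
                    source-address addr_192_168_10_0_24;
                    destination-address [ addr_192_168_31_0_24 addr_192_168_70_0_24 addr_172_17_20_0_24 addr_172_17_23_0_24 addr_192_168_10_0_24 addr_192_168_11_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_podolsk {
                match {
                    source-address [ addr_192_168_11_0_24 addr_192_168_31_0_24 addr_192_168_70_0_24 addr_172_17_20_0_24 addr_172_17_23_0_24 addr_192_168_10_0_24 ];
                    destination-address addr_192_168_10_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_10_0_24 192.168.10.0/24;
                address addr_192_168_11_0_24 192.168.11.0/24;
                address addr_192_168_31_0_24 192.168.31.0/24;
                address addr_192_168_70_0_24 192.168.70.0/24;
                address addr_172_17_20_0_24 172.17.20.0/24;
                address addr_172_17_23_0_24 172.17.23.0/24;
            }
            /* Trust accepts every system service and protocol toward the device, including the clear-text ones enabled under [system services]. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
                /* Added: st0.1 carries vpn ike-sklad and the 192.168.11.0/24 route, and the trust-to-trust policies already reference addr_192_168_11_0_24. An interface bound to no zone sits in the null zone and transit traffic on it is dropped. */
                st0.1;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                /* Internet-facing interface. ssh, http and tftp here expose the device's management services to any source; http is additionally bound to this interface under [system services web-management]. */
                /* Recommended: remove http and tftp; keep ssh only if remote administration is required and restrict it with a firewall filter. dhcp is unused since fe-0/0/0.0 carries a static address. */
                /* ike is not listed. If the tunnels fail to negotiate, add ike to system-services - TODO confirm whether this release permits IKE implicitly on the gateway's external-interface. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ping;
                            ssh;
                            http;
                        }
                    }
                }
            }
        }
    }
}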
vlans {
    /* Trust LAN: access ports fe-0/0/1 to fe-0/0/7, routed through vlan.0 (192.168.10.1/24). */
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}