Juniper-2

a guest
Apr 14th, 2014
397
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.22 KB | None | 0 0
## Last changed: 2014-04-14 12:39:02 MSK
version 12.1X44.3;
system {
    host-name st-petersburg;
    domain-name ariel.ru;
    time-zone Europe/Moscow;
    root-authentication {
        /* "password" is a placeholder substituted by the author; the real statement holds the root password hash. */
        encrypted-password "password";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        /* Cleartext XML (JUNOScript) management service: session contents, including login credentials, travel unencrypted. Remove if unused; xnm-ssl or NETCONF over SSH are the encrypted alternatives. */
        xnm-clear-text;
        web-management {
            http {
                /* Plain-HTTP J-Web is bound to fe-0/0/0.0, the external interface (external-interface of both IKE gateways, member of zone untrust), and zone untrust also accepts http inbound on it, so the management UI is reachable from outside over an unencrypted channel. */
                interface [ vlan.0 fe-0/0/0.0 ];
            }
            https {
                /* Self-signed device certificate: clients cannot verify the server identity, so this does not protect the session against active interception. */
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            /* DHCP server for the trust LAN behind vlan.0 (192.168.11.1/24). */
            pool 192.168.11.0/24 {
                address-range low 192.168.11.33 high 192.168.11.254;
                default-lease-time 36000;
                domain-name general.ariel.loc;
                name-server {
                    8.8.8.8;
                }
                router {
                    192.168.11.1;
                }
            }
        }
    }
    syslog {
        /* Local archive only: 3 files of 100k gives little retention for incident review; no remote syslog host is configured here. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* Login and authorization events at info level; keep this, it is the record of failed and successful admin logins. */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* No authentication-key is configured for these servers, so time is accepted unauthenticated. */
        server 62.76.96.4;
        server 212.248.127.94;
        server 89.179.120.132;
    }
}
interfaces {
    /* External (untrust) interface; "juniper-2-ip" is a placeholder substituted by the author. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address juniper-2-ip/29;
            }
        }
    }
    /* fe-0/0/1 .. fe-0/0/7: switch ports, all members of vlan-trust (L3 interface vlan.0). */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Route-based VPN tunnel interfaces: st0.0 is bound to vpn podolsk, st0.1 to vpn ike-vpn-piter-office (security ipsec). */
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* "gateway" is a placeholder for the upstream next hop. */
        route 0.0.0.0/0 next-hop gateway;
        route 192.168.31.0/24 next-hop st0.0;
        route 192.168.70.0/24 next-hop st0.0;
        route 172.17.20.0/24 next-hop st0.0;
        route 172.17.23.0/24 next-hop st0.0;
        /* Routed into st0.1, which is not assigned to any security zone in this config (zone trust lists only vlan.0 and st0.0); see the zones section. */
        route 192.168.10.0/24 next-hop st0.1;
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal ike-piter-office {
            authentication-method pre-shared-keys;
            /* group2 (1024-bit MODP) and SHA-1 are below current recommendations for IKE; prefer a larger DH group and a SHA-2 hash where both peers support them. */
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike_pol_podolsk {
            mode main;
            /* proposal-set standard is a Junos-defined algorithm bundle; verify which DH group and hash it actually negotiates with the Linux peer rather than assuming. */
            proposal-set standard;
            /* "key" is a placeholder; the real PSK is secret material and must not be committed to pastes or repositories. */
            pre-shared-key ascii-text "key";
        }
        policy ike-pol-piter-office {
            mode main;
            proposals ike-piter-office;
            /* Placeholder, see ike_pol_podolsk. */
            pre-shared-key ascii-text "key";
        }
        gateway gw_podolsk {
            ike-policy ike_pol_podolsk;
            /* Placeholder for the remote Linux peer address. */
            address linux_box_ip;
            dead-peer-detection {
                always-send;
                interval 20;
                threshold 5;
            }
            external-interface fe-0/0/0.0;
        }
        gateway gw-piter {
            ike-policy ike-pol-piter-office;
            /* NOTE(review): the placeholder "juniper-2" is also this paste's title, and this host is named st-petersburg ("piter"); confirm this is the remote peer's address and not this device's own. */
            address juniper-2;
            /* No dead-peer-detection on this gateway, unlike gw_podolsk. */
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        /* VPN monitoring enabled with default options. */
        vpn-monitor-options;
        proposal ipsec-piter-office {
            protocol esp;
            /* HMAC-SHA1-96 integrity; same remark as the IKE proposal regarding SHA-1. */
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec_pol_podolsk {
            /* PFS is enabled, but again with group2. */
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec-pol-piter-office {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-piter-office;
        }
        /* Site-to-site tunnel to the Podolsk Linux box on st0.0. */
        vpn podolsk {
            bind-interface st0.0;
            ike {
                gateway gw_podolsk;
                ipsec-policy ipsec_pol_podolsk;
            }
            establish-tunnels immediately;
        }
        /* Tunnel to gw-piter on st0.1; st0.1 is not placed in any zone below. */
        vpn ike-vpn-piter-office {
            bind-interface st0.1;
            ike {
                gateway gw-piter;
                ipsec-policy ipsec-pol-piter-office;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        /* Screen profile applied to zone untrust below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface-based source NAT for everything leaving trust toward untrust. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Unrestricted outbound: any source, any destination, any application, and no log action, so outbound sessions leave no record in syslog. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Intra-zone policies: st0.0 sits in zone trust, so tunnel traffic is trust-to-trust. Both directions are permitted for any application between the LAN and the remote networks. */
        from-zone trust to-zone trust {
            policy policy_out_podolsk {
                match {
                    source-address addr_192_168_11_0_24;
                    destination-address [ addr_192_168_31_0_24 addr_192_168_70_0_24 addr_172_17_20_0_24 addr_172_17_23_0_24 addr_192_168_10_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_podolsk {
                match {
                    source-address [ addr_192_168_31_0_24 addr_192_168_70_0_24 addr_172_17_20_0_24 addr_172_17_23_0_24 addr_192_168_10_0_24 ];
                    destination-address addr_192_168_11_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_10_0_24 192.168.10.0/24;
                address addr_192_168_11_0_24 192.168.11.0/24;
                address addr_192_168_31_0_24 192.168.31.0/24;
                address addr_192_168_70_0_24 192.168.70.0/24;
                address addr_172_17_20_0_24 172.17.20.0/24;
                address addr_172_17_23_0_24 172.17.23.0/24;
            }
            /* Every system service and protocol is accepted on all trust interfaces, including the st0.0 tunnel, so hosts at the remote site reach every management service of this box. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                /* st0.1 (vpn ike-vpn-piter-office) is listed in neither zone; Junos is expected to drop traffic on an interface that belongs to no zone, so the 192.168.10.0/24 route via st0.1 cannot carry traffic as configured. */
                st0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* fe-0/0/0.0 has a static address above; dhcp inbound appears unneeded here. */
                            dhcp;
                            /* tftp and plain http expose unencrypted services toward the external network; ssh is also open to it with no source restriction visible in this config. */
                            tftp;
                            ping;
                            ssh;
                            http;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}