  1. 192.168.253.x config:
  2.  
  3.  
  4. {primary:node0}[edit]
  5. dscott@EGIAWATTFW2# show
  6. ## Last changed: 2015-12-10 08:00:23 PST
  7. version 12.1X44-D35.5;
  8. groups {
  9. node0 {
  10. system {
  11. host-name EGIAWATTFW1;
  12. }
  13. interfaces {
  14. fxp0 {
  15. unit 0 {
  16. family inet {
  17. address 192.168.251.1/32;
  18. }
  19. }
  20. }
  21. }
  22. }
  23. node1 {
  24. system {
  25. host-name EGIAWATTFW2;
  26. }
  27. interfaces {
  28. fxp0 {
  29. unit 0 {
  30. family inet {
  31. address 192.168.251.2/32;
  32. }
  33. }
  34. }
  35. }
  36. }
  37. }
  38. apply-groups "${node}";
  39. system {
  40. host-name EGIAWATTFW2;
  41. time-zone America/Los_Angeles;
  42. root-authentication {
  43. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx1"; ## SECRET-DATA
  44. }
  45. name-server {
  46. 208.67.222.222;
  47. 208.67.220.220;
  48. }
  49. login {
  50. user dscott {
  51. full-name "Dustin Scott";
  52. uid 4000;
  53. class super-user;
  54. authentication {
  55. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  56. }
  57. }
  58. }
  59. services {
  60. ssh;
  61. }
  62. syslog {
  63. archive size 100k files 3;
  64. user * {
  65. any emergency;
  66. }
  67. file messages {
  68. any critical;
  69. authorization info;
  70. }
  71. file interactive-commands {
  72. interactive-commands error;
  73. }
  74. }
  75. max-configurations-on-flash 20;
  76. max-configuration-rollbacks 20;
  77. license {
  78. autoupdate {
  79. url https://ae1.juniper.net/junos/key_retrieval;
  80. }
  81. }
  82. ntp {
  83. server xxxxxxxxxxxxxxxxxxxxx;
  84. }
  85. }
  86. chassis {
  87. cluster {
  88. control-link-recovery;
  89. reth-count 3;
  90. heartbeat-interval 2000;
  91. heartbeat-threshold 8;
  92. redundancy-group 0 {
  93. node 0 priority 254;
  94. node 1 priority 1;
  95. }
  96. redundancy-group 1 {
  97. node 0 priority 254;
  98. node 1 priority 1;
  99. }
  100. }
  101. }
  102. interfaces {
  103. ge-0/0/0 {
  104. gigether-options {
  105. redundant-parent reth0;
  106. }
  107. }
  108. ge-0/0/2 {
  109. gigether-options {
  110. redundant-parent reth1;
  111. }
  112. }
  113. ge-0/0/3 {
  114. gigether-options {
  115. redundant-parent reth2;
  116. }
  117. }
  118. ge-3/0/0 {
  119. gigether-options {
  120. redundant-parent reth0;
  121. }
  122. }
  123. ge-3/0/2 {
  124. gigether-options {
  125. redundant-parent reth1;
  126. }
  127. }
  128. ge-3/0/3 {
  129. gigether-options {
  130. redundant-parent reth2;
  131. }
  132. }
  133. fab0 {
  134. fabric-options {
  135. member-interfaces {
  136. ge-0/0/5;
  137. }
  138. }
  139. }
  140. fab1 {
  141. fabric-options {
  142. member-interfaces {
  143. ge-3/0/5;
  144. }
  145. }
  146. }
  147. lo0 {
  148. unit 0 {
  149. family inet {
  150. address 127.0.0.1/32;
  151. }
  152. }
  153. }
  154. reth0 {
  155. redundant-ether-options {
  156. redundancy-group 1;
  157. }
  158. unit 0 {
  159. family inet {
  160. inactive: filter {
  161. input LAN-IN;
  162. }
  163. address 192.168.253.10/24;
  164. }
  165. }
  166. }
  167. reth1 {
  168. redundant-ether-options {
  169. redundancy-group 1;
  170. }
  171. unit 0 {
  172. family inet {
  173. address xxxxxxxxxxxxxxxxxxx
  174. }
  175. }
  176. }
  177. reth2 {
  178. redundant-ether-options {
  179. redundancy-group 1;
  180. }
  181. unit 0 {
  182. family inet {
  183. address xxxxxxxxxxxxxxxxxxxxxxxxxx;
  184. }
  185. }
  186. }
  187. st0 {
  188. unit 0 {
  189. family inet {
  190. address 172.16.0.2/30;
  191. }
  192. }
  193. unit 1 {
  194. family inet {
  195. address 172.16.1.2/30;
  196. }
  197. }
  198. }
  199. }
  200. snmp {
  201. location Herakles;
  202. contact "dscott98@gmail.com";
  203. community egia-public {
  204. authorization read-only;
  205. clients {
  206. 192.168.252.0/24;
  207. 192.168.20.0/24;
  208. 0.0.0.0/0 restrict;
  209. }
  210. }
  211. }
  212. routing-options {
  213. interface-routes {
  214. rib-group inet IMPORT-PHY;
  215. }
  216. static {
  217. route 0.0.0.0/0 {
  218. next-hop xxxxxxxxxxxxxxx;
  219. inactive: qualified-next-hop 207.231.77.101 {
  220. preference 10;
  221. }
  222. qualified-next-hop xxxxxxxxxxxxxxxxxxxx {
  223. preference 10;
  224. }
  225. }
  226. route 192.168.254.0/24 next-hop 192.168.253.233;
  227. route 192.168.10.0/24 {
  228. next-hop st0.0;
  229. qualified-next-hop st0.1 {
  230. preference 10;
  231. }
  232. }
  233. route 192.168.11.0/24 {
  234. next-hop st0.0;
  235. qualified-next-hop st0.1 {
  236. preference 10;
  237. }
  238. }
  239. route 192.168.12.0/24 {
  240. next-hop st0.0;
  241. qualified-next-hop st0.1 {
  242. preference 10;
  243. }
  244. }
  245. route 192.168.20.0/24 {
  246. next-hop st0.0;
  247. qualified-next-hop st0.1 {
  248. preference 10;
  249. }
  250. }
  251. route 192.168.252.0/24 {
  252. next-hop st0.0;
  253. qualified-next-hop st0.1 {
  254. preference 10;
  255. }
  256. }
  257. }
  258. rib-groups {
  259. IMPORT-PHY {
  260. import-rib [ inet.0 INTEGRA-1.inet.0 CONSOLIDATED-1.inet.0 ];
  261. }
  262. }
  263. }
  264. protocols {
  265. stp;
  266. }
  267. security {
  268. ike {
  269. respond-bad-spi 5;
  270. proposal IKE-PROPOSAL {
  271. authentication-method pre-shared-keys;
  272. dh-group group2;
  273. authentication-algorithm sha-256;
  274. encryption-algorithm aes-256-cbc;
  275. }
  276. policy IKE-POLICY {
  277. mode main;
  278. proposals IKE-PROPOSAL;
  279. pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  280. }
  281. gateway IKE-GATEWAY {
  282. ike-policy IKE-POLICY;
  283. address xxxxxxxxxxxxxxxxxxxx;
  284. dead-peer-detection {
  285. interval 10;
  286. threshold 5;
  287. }
  288. external-interface reth1.0;
  289. }
  290. gateway IKE-GATEWAY-secondary {
  291. ike-policy IKE-POLICY;
  292. address xxxxxxxxxxxxxxxxxxxx;
  293. dead-peer-detection {
  294. interval 10;
  295. threshold 5;
  296. }
  297. external-interface reth2.0;
  298. }
  299. }
  300. ipsec {
  301. vpn-monitor-options {
  302. interval 5;
  303. threshold 7;
  304. }
  305. proposal IPSEC-PROPOSAL {
  306. protocol esp;
  307. authentication-algorithm hmac-md5-96;
  308. encryption-algorithm aes-256-cbc;
  309. }
  310. policy IPSEC-POLICY {
  311. proposals IPSEC-PROPOSAL;
  312. }
  313. vpn HERAKLES {
  314. bind-interface st0.0;
  315. vpn-monitor {
  316. optimized;
  317. }
  318. ike {
  319. gateway IKE-GATEWAY;
  320. ipsec-policy IPSEC-POLICY;
  321. }
  322. establish-tunnels immediately;
  323. }
  324. vpn HERAKLES-secondary {
  325. bind-interface st0.1;
  326. vpn-monitor {
  327. optimized;
  328. }
  329. ike {
  330. gateway IKE-GATEWAY-secondary;
  331. ipsec-policy IPSEC-POLICY;
  332. }
  333. establish-tunnels immediately;
  334. }
  335. }
  336. alg {
  337. sql disable;
  338. }
  339. flow {
  340. tcp-mss {
  341. ipsec-vpn {
  342. mss 1350;
  343. }
  344. }
  345. }
  346. screen {
  347. ids-option untrust-screen {
  348. icmp {
  349. ping-death;
  350. }
  351. ip {
  352. source-route-option;
  353. tear-drop;
  354. }
  355. tcp {
  356. syn-flood {
  357. alarm-threshold 1024;
  358. attack-threshold 200;
  359. source-threshold 1024;
  360. destination-threshold 2048;
  361. timeout 20;
  362. }
  363. land;
  364. }
  365. }
  366. }
  367. nat {
  368. source {
  369. rule-set trust-to-untrust {
  370. from zone trust;
  371. to zone untrust;
  372. rule source-nat-rule {
  373. match {
  374. source-address 0.0.0.0/0;
  375. }
  376. then {
  377. source-nat {
  378. interface;
  379. }
  380. }
  381. }
  382. }
  383. }
  384. destination {
  385. pool WHITE {
  386. address 192.168.253.25/32 port 25;
  387. }
  388. rule-set dest_nat_R1 {
  389. from zone untrust;
  390. rule WHITE_smtp {
  391. match {
  392. destination-address xxxxxxxxxxxxxxxx;
  393. destination-port 25;
  394. }
  395. then {
  396. destination-nat pool WHITE;
  397. }
  398. }
  399. }
  400. }
  401. static {
  402. inactive: rule-set R1 {
  403. from zone untrust;
  404. rule WHITE {
  405. match {
  406. destination-address xxxxxxxxxxxxxxxxx;
  407. }
  408. then {
  409. static-nat {
  410. prefix {
  411. 192.168.253.35/32;
  412. }
  413. }
  414. }
  415. }
  416. }
  417. }
  418. }
  419. policies {
  420. from-zone HERAKLESVPN to-zone trust {
  421. policy default-permit {
  422. match {
  423. source-address any;
  424. destination-address any;
  425. application any;
  426. }
  427. then {
  428. permit;
  429. }
  430. }
  431. }
  432. from-zone trust to-zone HERAKLESVPN {
  433. policy default-permit {
  434. match {
  435. source-address any;
  436. destination-address any;
  437. application any;
  438. }
  439. then {
  440. permit;
  441. }
  442. }
  443. }
  444. from-zone trust to-zone untrust {
  445. policy trust-to-untrust {
  446. match {
  447. source-address any;
  448. destination-address any;
  449. application any;
  450. }
  451. then {
  452. permit;
  453. }
  454. }
  455. }
  456. from-zone untrust to-zone trust {
  457. policy Surewest-white-exchange-incoming {
  458. match {
  459. source-address any;
  460. destination-address WHITE-EXCHANGE;
  461. application [ junos-smtp junos-icmp-all ];
  462. }
  463. then {
  464. permit;
  465. }
  466. }
  467. }
  468. from-zone trust to-zone trust {
  469. policy VOIP_NETWORK_ACCESS {
  470. match {
  471. source-address any;
  472. destination-address VOIP_NETWORK;
  473. application any;
  474. }
  475. then {
  476. permit;
  477. }
  478. }
  479. }
  480. }
  481. zones {
  482. security-zone trust {
  483. tcp-rst;
  484. address-book {
  485. address WHITE-EXCHANGE 192.168.253.25/32;
  486. address VOIP_NETWORK 192.168.254.0/24;
  487. }
  488. host-inbound-traffic {
  489. system-services {
  490. all;
  491. }
  492. protocols {
  493. all;
  494. }
  495. }
  496. interfaces {
  497. reth0.0;
  498. lo0.0 {
  499. host-inbound-traffic {
  500. system-services {
  501. all;
  502. }
  503. protocols {
  504. all;
  505. }
  506. }
  507. }
  508. }
  509. }
  510. security-zone untrust {
  511. screen untrust-screen;
  512. host-inbound-traffic {
  513. system-services {
  514. ssh;
  515. ike;
  516. ping;
  517. }
  518. }
  519. interfaces {
  520. reth2.0 {
  521. host-inbound-traffic {
  522. system-services {
  523. ping;
  524. ssh;
  525. ike;
  526. }
  527. }
  528. }
  529. reth1.0 {
  530. host-inbound-traffic {
  531. system-services {
  532. rpm;
  533. }
  534. }
  535. }
  536. }
  537. }
  538. security-zone HERAKLESVPN {
  539. interfaces {
  540. st0.0 {
  541. host-inbound-traffic {
  542. system-services {
  543. all;
  544. }
  545. protocols {
  546. all;
  547. }
  548. }
  549. }
  550. st0.1 {
  551. host-inbound-traffic {
  552. system-services {
  553. all;
  554. }
  555. protocols {
  556. all;
  557. }
  558. }
  559. }
  560. }
  561. }
  562. }
  563. }
  564. firewall {
  565. policer bandwidth-control-512k {
  566. if-exceeding {
  567. bandwidth-limit 5m;
  568. burst-size-limit 256k;
  569. }
  570. then discard;
  571. }
  572. filter ISP-in {
  573. term filter-management-traffic {
  574. from {
  575. source-address {
  576. 0.0.0.0/0;
  577. xxxxxxxxxxxx/32 except;
  578. xxxxxxxxxxxxx/32 except;
  579. xxxxxxxxxxxxx/32 except;
  580. }
  581. protocol tcp;
  582. source-port 1024-65535;
  583. destination-port ssh;
  584. }
  585. then {
  586. discard;
  587. }
  588. }
  589. term incoming-internet-access {
  590. from {
  591. destination-address {
  592. xxxxxxxxxxxx/25;
  593. }
  594. }
  595. then accept;
  596. }
  597. term forwared-to-flow-processing {
  598. then accept;
  599. }
  600. }
  601. filter ISP-out {
  602. term rate-limit-host {
  603. from {
  604. source-address {
  605. 192.168.253.0/24;
  606. }
  607. }
  608. then {
  609. policer bandwidth-control-512k;
  610. accept;
  611. }
  612. }
  613. term catch-all {
  614. then accept;
  615. }
  616. }
  617. filter LAN-IN {
  618. inactive: term web-traffic {
  619. from {
  620. destination-address {
  621. 0.0.0.0/0;
  622. 192.168.252.0/24 except;
  623. 192.168.10.0/24 except;
  624. 192.168.11.0/24 except;
  625. 192.168.12.0/24 except;
  626. 192.168.20.0/24 except;
  627. 192.168.254.0/24 except;
  628. }
  629. destination-port [ 80 443 ];
  630. }
  631. then {
  632. routing-instance CONSOLIDATED-1;
  633. }
  634. }
  635. term default {
  636. from {
  637. destination-address {
  638. 0.0.0.0/0;
  639. 192.168.252.0/24 except;
  640. 192.168.10.0/24 except;
  641. 192.168.11.0/24 except;
  642. 192.168.12.0/24 except;
  643. 192.168.20.0/24 except;
  644. 192.168.254.0/24 except;
  645. }
  646. }
  647. then {
  648. routing-instance CONSOLIDATED-1;
  649. }
  650. }
  651. term catch-all {
  652. then accept;
  653. }
  654. }
  655. }
  656. routing-instances {
  657. CONSOLIDATED-1 {
  658. instance-type forwarding;
  659. routing-options {
  660. static {
  661. route 0.0.0.0/0 next-hop 207.231.77.101;
  662. }
  663. }
  664. }
  665. INTEGRA-1 {
  666. instance-type forwarding;
  667. routing-options {
  668. static {
  669. route 0.0.0.0/0 next-hop 70.98.111.169;
  670. }
  671. }
  672. }
  673. }
  674. services {
  675. rpm {
  676. probe CONSOLIDATED-PRIMARY {
  677. test DNS1 {
  678. probe-type icmp-ping;
  679. target address 8.8.8.8;
  680. probe-count 10;
  681. probe-interval 5;
  682. test-interval 10;
  683. thresholds {
  684. successive-loss 10;
  685. total-loss 5;
  686. }
  687. destination-interface reth1.0;
  688. next-hop 207.231.77.101;
  689. }
  690. test DNS2 {
  691. probe-type icmp-ping;
  692. target address 4.2.2.2;
  693. probe-count 10;
  694. probe-interval 5;
  695. test-interval 10;
  696. thresholds {
  697. successive-loss 10;
  698. total-loss 5;
  699. }
  700. destination-interface reth1.0;
  701. next-hop xxxxxxxxxxxxxxx;
  702. }
  703. }
  704. probe INTEGRA-PRIMARY {
  705. test DNS1 {
  706. probe-type icmp-ping;
  707. target address 8.8.8.8;
  708. probe-count 10;
  709. probe-interval 5;
  710. test-interval 10;
  711. thresholds {
  712. successive-loss 10;
  713. total-loss 5;
  714. }
  715. destination-interface reth2.0;
  716. next-hop 70.98.111.169;
  717. }
  718. test DNS2 {
  719. probe-type icmp-ping;
  720. target address 4.2.2.2;
  721. probe-count 10;
  722. probe-interval 5;
  723. test-interval 10;
  724. thresholds {
  725. successive-loss 10;
  726. total-loss 5;
  727. }
  728. destination-interface reth2.0;
  729. next-hop xxxxxxxxxxxxxxxxxxx;
  730. }
  731. }
  732. }
  733. ip-monitoring {
  734. policy INTEGRA-PRIMARY-TRACKING {
  735. match {
  736. rpm-probe INTEGRA-PRIMARY;
  737. }
  738. then {
  739. preferred-route {
  740. routing-instances INTEGRA-1 {
  741. route 0.0.0.0/0 {
  742. next-hop xxxxxxxxxxxxxxx;
  743. }
  744. }
  745. }
  746. }
  747. }
  748. policy CONSOLIDATED-PRIMARY-TRACKING {
  749. match {
  750. rpm-probe CONSOLIDATED-PRIMARY;
  751. }
  752. then {
  753. preferred-route {
  754. routing-instances CONSOLIDATED-1 {
  755. route 0.0.0.0/0 {
  756. next-hop xxxxxxxxxxxxxxxxxxx;
  757. }
  758. }
  759. }
  760. }
  761. }
  762. }
  763. }
  764.  
  765. ________________________________
  766. 192.168.252.x config:
  767.  
  768. login as: root
  769. root@192.168.252.10's password:
  770. --- JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
  771.  
  772.  
  773.  
  774. root@EGIAFW01% cli
  775. {primary:node0}
  776. root@EGIAFW01> configure
  777. warning: Clustering enabled; using private edit
  778. warning: uncommitted changes will be discarded on exit
  779. Entering configuration mode
  780.  
  781. {primary:node0}[edit]
  782. root@EGIAFW01# show run
  783. ^
  784. syntax error.
  785. root@EGIAFW01# show run
  786. ^
  787. syntax error.
  788. root@EGIAFW01# show
  789. ## Last changed: 2016-05-23 14:12:34 PDT
  790. version 11.4R10.3;
  791. groups {
  792. node0 {
  793. system {
  794. host-name EGIAFW01;
  795. }
  796. interfaces {
  797. fxp0 {
  798. unit 0 {
  799. family inet {
  800. address 192.168.250.2/24;
  801. }
  802. }
  803. }
  804. }
  805. }
  806. node1 {
  807. system {
  808. host-name EGIAFW02;
  809. }
  810. interfaces {
  811. fxp0 {
  812. unit 0 {
  813. family inet {
  814. address 192.168.250.3/24;
  815. }
  816. }
  817. }
  818. }
  819. }
  820. global {
  821. system {
  822. services {
  823. ssh {
  824. protocol-version v2;
  825. }
  826. }
  827. }
  828. }
  829. }
  830. apply-groups "${node}";
  831. system {
  832. time-zone America/Los_Angeles;
  833. root-authentication {
  834. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx0"; ## SECRET-DATA
  835. }
  836. name-server {
  837. 208.67.222.222;
  838. 208.67.220.220;
  839. }
  840. login {
  841. user dscott {
  842. full-name "Dustin Scott";
  843. uid 4000;
  844. class super-user;
  845. authentication {
  846. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  847. }
  848. }
  849. }
  850. services {
  851. ssh;
  852. telnet;
  853. xnm-clear-text;
  854. web-management {
  855. http {
  856. interface [ fxp0.0 reth0.0 ];
  857. }
  858. https {
  859. system-generated-certificate;
  860. interface [ fxp0.0 reth0.0 ];
  861. }
  862. }
  863. }
  864. syslog {
  865. archive size 100k files 3;
  866. user * {
  867. any emergency;
  868. }
  869. file messages {
  870. any critical;
  871. authorization info;
  872. }
  873. file interactive-commands {
  874. interactive-commands error;
  875. }
  876. file kmd-logs {
  877. daemon info;
  878. match KMD;
  879. }
  880. }
  881. max-configurations-on-flash 5;
  882. max-configuration-rollbacks 5;
  883. license {
  884. autoupdate {
  885. url https://ae1.juniper.net/junos/key_retrieval;
  886. }
  887. }
  888. ntp {
  889. server xxxxxxxxxxxxxxxxxx;
  890. }
  891. }
  892. chassis {
  893. cluster {
  894. reth-count 3;
  895. redundancy-group 0 {
  896. node 0 priority 100;
  897. node 1 priority 1;
  898. }
  899. redundancy-group 1 {
  900. node 0 priority 100;
  901. node 1 priority 1;
  902. interface-monitor {
  903. ge-0/0/0 weight 255;
  904. ge-2/0/0 weight 255;
  905. fe-0/0/2 weight 255;
  906. fe-2/0/2 weight 255;
  907. }
  908. }
  909. redundancy-group 2 {
  910. node 0 priority 100;
  911. node 1 priority 1;
  912. interface-monitor {
  913. ge-0/0/1 weight 255;
  914. ge-2/0/1 weight 255;
  915. }
  916. }
  917. }
  918. }
  919. interfaces {
  920. ge-0/0/0 {
  921. gigether-options {
  922. redundant-parent reth0;
  923. }
  924. }
  925. ge-0/0/1 {
  926. gigether-options {
  927. redundant-parent reth2;
  928. }
  929. }
  930. fe-0/0/2 {
  931. speed 100m;
  932. link-mode full-duplex;
  933. fastether-options {
  934. redundant-parent reth1;
  935. }
  936. }
  937. ge-2/0/0 {
  938. gigether-options {
  939. redundant-parent reth0;
  940. }
  941. }
  942. ge-2/0/1 {
  943. gigether-options {
  944. redundant-parent reth2;
  945. }
  946. }
  947. fe-2/0/2 {
  948. speed 100m;
  949. link-mode full-duplex;
  950. fastether-options {
  951. redundant-parent reth1;
  952. }
  953. }
  954. fab0 {
  955. fabric-options {
  956. member-interfaces {
  957. fe-0/0/5;
  958. }
  959. }
  960. }
  961. fab1 {
  962. fabric-options {
  963. member-interfaces {
  964. fe-2/0/5;
  965. }
  966. }
  967. }
  968. lo0 {
  969. unit 0 {
  970. family inet {
  971. address 127.0.0.1/32;
  972. }
  973. }
  974. }
  975. reth0 {
  976. redundant-ether-options {
  977. redundancy-group 1;
  978. }
  979. unit 0 {
  980. description "Herakles LAN";
  981. family inet {
  982. inactive: sampling {
  983. input;
  984. output;
  985. }
  986. address 192.168.252.10/24;
  987. }
  988. }
  989. }
  990. reth1 {
  991. redundant-ether-options {
  992. redundancy-group 1;
  993. }
  994. unit 0 {
  995. description "Herakles WAN";
  996. family inet {
  997. filter {
  998. input Herakles-in;
  999. output Herakles-out;
  1000. }
  1001. inactive: sampling {
  1002. input;
  1003. output;
  1004. }
  1005. address xxxxxxxxxxxxxxxxxxx;
  1006. }
  1007. }
  1008. }
  1009. reth2 {
  1010. description "Datacenter LAN";
  1011. vlan-tagging;
  1012. redundant-ether-options {
  1013. redundancy-group 2;
  1014. }
  1015. unit 10 {
  1016. description DMZ;
  1017. vlan-id 10;
  1018. family inet {
  1019. address 192.168.10.1/24;
  1020. }
  1021. }
  1022. unit 11 {
  1023. description APP;
  1024. vlan-id 11;
  1025. family inet {
  1026. address 192.168.11.1/24;
  1027. }
  1028. }
  1029. unit 12 {
  1030. description DATA;
  1031. vlan-id 12;
  1032. family inet {
  1033. address 192.168.12.1/24;
  1034. }
  1035. }
  1036. unit 20 {
  1037. description MGMT;
  1038. vlan-id 20;
  1039. family inet {
  1040. address 192.168.20.1/24;
  1041. }
  1042. }
  1043. }
  1044. st0 {
  1045. unit 0 {
  1046. family inet {
  1047. address 172.16.0.1/30;
  1048. }
  1049. }
  1050. unit 1 {
  1051. family inet {
  1052. address 172.16.1.1/30;
  1053. }
  1054. }
  1055. unit 2 {
  1056. description "VLAB MONITORING";
  1057. family inet {
  1058. address 172.31.255.253/30;
  1059. }
  1060. }
  1061. }
  1062. }
  1063. forwarding-options {
  1064. inactive: sampling {
  1065. input {
  1066. rate 1;
  1067. run-length 0;
  1068. max-packets-per-second 50000;
  1069. }
  1070. family inet {
  1071. output {
  1072. flow-server 192.168.252.52 {
  1073. port 9996;
  1074. autonomous-system-type origin;
  1075. no-local-dump;
  1076. version 5;
  1077. }
  1078. }
  1079. }
  1080. }
  1081. helpers {
  1082. bootp {
  1083. relay-agent-option;
  1084. description "Global DHCP Forwarder";
  1085. server 192.168.252.102;
  1086. interface {
  1087. reth2.10;
  1088. reth2.11;
  1089. reth2.12;
  1090. reth2.20;
  1091. }
  1092. }
  1093. }
  1094. }
  1095. snmp {
  1096. location Herakles;
  1097. contact "dscott98@gmail.com";
  1098. community egia-public {
  1099. authorization read-only;
  1100. clients {
  1101. 192.168.252.0/24;
  1102. 0.0.0.0/0 restrict;
  1103. }
  1104. }
  1105. }
  1106. routing-options {
  1107. static {
  1108. route 0.0.0.0/0 next-hop 65.74.160.194;
  1109. route 192.168.253.0/24 {
  1110. next-hop st0.0;
  1111. qualified-next-hop st0.1 {
  1112. preference 10;
  1113. }
  1114. }
  1115. }
  1116. }
  1117. protocols {
  1118. stp;
  1119. }
  1120. security {
  1121. ike {
  1122. proposal IKE-PROPOSAL {
  1123. authentication-method pre-shared-keys;
  1124. dh-group group2;
  1125. authentication-algorithm sha-256;
  1126. encryption-algorithm aes-256-cbc;
  1127. }
  1128. policy IKE-POLICY {
  1129. mode main;
  1130. proposals IKE-PROPOSAL;
  1131. pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  1132. }
  1133. policy DYNAMIC-IKE {
  1134. mode aggressive;
  1135. proposals IKE-PROPOSAL;
  1136. pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  1137. }
  1138. gateway IKE-GATEWAY {
  1139. ike-policy IKE-POLICY;
  1140. address 207.231.77.102;
  1141. dead-peer-detection;
  1142. external-interface reth1.0;
  1143. }
  1144. gateway IKE-GATEWAY-Secondary {
  1145. ike-policy IKE-POLICY;
  1146. address 70.98.111.172;
  1147. dead-peer-detection;
  1148. external-interface reth1.0;
  1149. }
  1150. gateway VLAB-MONITOR {
  1151. ike-policy DYNAMIC-IKE;
  1152. dynamic user-at-hostname "monitor@vlab.local";
  1153. dead-peer-detection;
  1154. local-identity user-at-hostname "qts@egia.com";
  1155. external-interface reth1.0;
  1156. }
  1157. }
  1158. ipsec {
  1159. vpn-monitor-options {
  1160. interval 5;
  1161. threshold 7;
  1162. }
  1163. proposal IPSEC-PROPOSAL {
  1164. protocol esp;
  1165. authentication-algorithm hmac-md5-96;
  1166. encryption-algorithm aes-256-cbc;
  1167. }
  1168. policy IPSEC-POLICY {
  1169. proposals IPSEC-PROPOSAL;
  1170. }
  1171. vpn OFFICE {
  1172. bind-interface st0.0;
  1173. vpn-monitor {
  1174. optimized;
  1175. }
  1176. ike {
  1177. gateway IKE-GATEWAY;
  1178. ipsec-policy IPSEC-POLICY;
  1179. }
  1180. establish-tunnels immediately;
  1181. }
  1182. vpn OFFICE-secondary {
  1183. bind-interface st0.1;
  1184. vpn-monitor {
  1185. optimized;
  1186. }
  1187. ike {
  1188. gateway IKE-GATEWAY-Secondary;
  1189. ipsec-policy IPSEC-POLICY;
  1190. }
  1191. establish-tunnels immediately;
  1192. }
  1193. vpn VLAB-MONITOR {
  1194. bind-interface st0.2;
  1195. vpn-monitor {
  1196. optimized;
  1197. }
  1198. ike {
  1199. gateway VLAB-MONITOR;
  1200. ipsec-policy IPSEC-POLICY;
  1201. }
  1202. establish-tunnels immediately;
  1203. }
  1204. }
  1205. alg {
  1206. msrpc disable;
  1207. sql disable;
  1208. }
  1209. flow {
  1210. tcp-mss {
  1211. ipsec-vpn {
  1212. mss 1350;
  1213. }
  1214. }
  1215. }
  1216. nat {
  1217. source {
  1218. rule-set interface-nat-out {
  1219. from zone Trust;
  1220. to zone Herakles;
  1221. rule interface-nat-out {
  1222. match {
  1223. source-address 0.0.0.0/0;
  1224. }
  1225. then {
  1226. source-nat {
  1227. interface;
  1228. }
  1229. }
  1230. }
  1231. }
  1232. rule-set DMZ_NAT {
  1233. from zone DMZ;
  1234. to zone Herakles;
  1235. rule DMZ_INTERFACE_NAT {
  1236. match {
  1237. source-address 192.168.10.0/24;
  1238. }
  1239. then {
  1240. source-nat {
  1241. interface;
  1242. }
  1243. }
  1244. }
  1245. }
  1246. rule-set APP_NAT {
  1247. from zone APP;
  1248. to zone Herakles;
  1249. rule APP_INTERFACE_NAT {
  1250. match {
  1251. source-address 192.168.11.0/24;
  1252. }
  1253. then {
  1254. source-nat {
  1255. interface;
  1256. }
  1257. }
  1258. }
  1259. }
  1260. rule-set MGMT_NAT {
  1261. from zone MGMT;
  1262. to zone Herakles;
  1263. rule MGMT_INTERFACE_NAT {
  1264. match {
  1265. source-address 192.168.20.0/24;
  1266. }
  1267. then {
  1268. source-nat {
  1269. interface;
  1270. }
  1271. }
  1272. }
  1273. }
  1274. }
  1275. destination {
  1276. pool EGIA-VPN-Trust {
  1277. address 192.168.252.9/32 port 1723;
  1278. }
  1279. pool STAGE-WEB-Trust {
  1280. address 192.168.252.211/32 port 80;
  1281. }
  1282. pool EGIAPRDWEB1 {
  1283. address 192.168.252.53/32;
  1284. }
  1285. pool EGIAWEB2 {
  1286. address 192.168.252.35/32;
  1287. }
  1288. pool EGIAFTP1 {
  1289. address 192.168.252.80/32;
  1290. }
  1291. pool TEMP_VPN_RDP {
  1292. address 192.168.252.5/32 port 3389;
  1293. }
  1294. rule-set Herakles-to-Trust {
  1295. from zone Herakles;
  1296. rule PGE_SFTP {
  1297. match {
  1298. source-address [ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ];
  1299. destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
  1300. destination-port 22;
  1301. }
  1302. then {
  1303. destination-nat pool EGIAFTP1;
  1304. }
  1305. }
  1306. rule Herakles-EGIA-VPN-in {
  1307. match {
  1308. source-address 0.0.0.0/0;
  1309. destination-address xxxxxxxxxxxxxxxxxxxx;
  1310. destination-port 1723;
  1311. }
  1312. then {
  1313. destination-nat pool EGIA-VPN-Trust;
  1314. }
  1315. }
  1316. rule Herakles-STAGE-Web-in {
  1317. match {
  1318. source-address 0.0.0.0/0;
  1319. destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxxx;
  1320. destination-port 80;
  1321. }
  1322. then {
  1323. destination-nat pool STAGE-WEB-Trust;
  1324. }
  1325. }
  1326. rule Herakles-EGIAPRDWEB1-in {
  1327. match {
  1328. source-address 0.0.0.0/0;
  1329. destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxx;
  1330. }
  1331. then {
  1332. destination-nat pool EGIAPRDWEB1;
  1333. }
  1334. }
  1335. rule TEMP_RDP {
  1336. match {
  1337. source-address xxxxxxxxxxxxxxxxxxxxx;
  1338. destination-address xxxxxxxxxxxxxxxxxxxx;
  1339. }
  1340. then {
  1341. destination-nat pool TEMP_VPN_RDP;
  1342. }
  1343. }
  1344. rule EGIA-WEB {
  1345. match {
  1346. destination-address xxxxxxxxxxxxxxxxxx; ------------ BAD ------------------
  1347. }
  1348. then {
  1349. destination-nat pool EGIAWEB2;
  1350. }
  1351. }
  1352. }
  1353. }
  1354. static {
  1355. rule-set rs1 {
  1356. from zone Herakles;
  1357. inactive: rule r197 {
  1358. match {
  1359. destination-address xxxxxxxxxxxxxxxxxxxx;
  1360. }
  1361. then {
  1362. static-nat {
  1363. prefix {
  1364. 192.168.252.35/32;
  1365. }
  1366. }
  1367. }
  1368. }
  1369. rule r198 {
  1370. match {
  1371. destination-address xxxxxxxxxxxxxxxxxxxxxx;
  1372. }
  1373. then {
  1374. static-nat {
  1375. prefix {
  1376. 192.168.252.12/32;
  1377. }
  1378. }
  1379. }
  1380. }
  1381. rule r201 {
  1382. match {
  1383. destination-address xxxxxxxxxxxxxxxxxxxxxx;
  1384. }
  1385. then {
  1386. static-nat {
  1387. prefix {
  1388. 192.168.10.244/32;
  1389. }
  1390. }
  1391. }
  1392. }
  1393. rule r202 {
  1394. match {
  1395. destination-address xxxxxxxxxxxxxxxxxxxxxx;
  1396. }
  1397. then {
  1398. static-nat {
  1399. prefix {
  1400. 192.168.252.67/32;
  1401. }
  1402. }
  1403. }
  1404. }
  1405. rule r203 {
  1406. match {
  1407. destination-address xxxxxxxxxxxxxxxxxxxxxxxx;
  1408. }
  1409. then {
  1410. static-nat {
  1411. prefix {
  1412. 192.168.10.253/32;
  1413. }
  1414. }
  1415. }
  1416. }
  1417. rule r204 {
  1418. match {
  1419. destination-address xxxxxxxxxxxxxxxxxxx;
  1420. }
  1421. then {
  1422. static-nat {
  1423. prefix {
  1424. 192.168.252.80/32;
  1425. }
  1426. }
  1427. }
  1428. }
  1429. rule 205 {
  1430. match {
  1431. destination-address xxxxxxxxxxxxxxxxxx;
  1432. }
  1433. then {
  1434. static-nat {
  1435. prefix {
  1436. 192.168.10.252/32;
  1437. }
  1438. }
  1439. }
  1440. }
  1441. rule 206 {
  1442. match {
  1443. destination-address xxxxxxxxxxxxxxxxxxxx;
  1444. }
  1445. then {
  1446. static-nat {
  1447. prefix {
  1448. 192.168.10.251/32;
  1449. }
  1450. }
  1451. }
  1452. }
  1453. rule 221 {
  1454. match {
  1455. destination-address xxxxxxxxxxxxxxxxxxxx/32;
  1456. }
  1457. then {
  1458. static-nat {
  1459. prefix {
  1460. 192.168.252.87/32;
  1461. }
  1462. }
  1463. }
  1464. }
  1465. rule 220 {
  1466. match {
  1467. destination-address xxxxxxxxxxxxxxxx;
  1468. }
  1469. then {
  1470. static-nat {
  1471. prefix {
  1472. 192.168.252.88/32;
  1473. }
  1474. }
  1475. }
  1476. }
  1477. rule 219 {
  1478. match {
  1479. destination-address xxxxxxxxxxxxxxxxxxxxxx;
  1480. }
  1481. then {
  1482. static-nat {
  1483. prefix {
  1484. 192.168.10.250/32;
  1485. }
  1486. }
  1487. }
  1488. }
  1489. rule 218 {
  1490. match {
  1491. destination-address xxxxxxxxxxxxxxxxxxxx;
  1492. }
  1493. then {
  1494. static-nat {
  1495. prefix {
  1496. 192.168.10.249/32;
  1497. }
  1498. }
  1499. }
  1500. }
  1501. rule r207 {
  1502. match {
  1503. destination-address xxxxxxxxxxxxxxxxxxx;
  1504. }
  1505. then {
  1506. static-nat {
  1507. prefix {
  1508. 192.168.10.248/32;
  1509. }
  1510. }
  1511. }
  1512. }
  1513. rule r217 {
  1514. match {
  1515. destination-address xxxxxxxxxxxxxxxxxxxxxxxxx;
  1516. }
  1517. then {
  1518. static-nat {
  1519. prefix {
  1520. 192.168.10.247/32;
  1521. }
  1522. }
  1523. }
  1524. }
  1525. rule r216 {
  1526. match {
  1527. destination-address xxxxxxxxxxxxxxxxxx;
  1528. }
  1529. then {
  1530. static-nat {
  1531. prefix {
  1532. 192.168.10.243/32;
  1533. }
  1534. }
  1535. }
  1536. }
  1537. rule r215 {
  1538. match {
  1539. destination-address xxxxxxxxxxxxxxxxxxx;
  1540. }
  1541. then {
  1542. static-nat {
  1543. prefix {
  1544. 192.168.10.246/32;
  1545. }
  1546. }
  1547. }
  1548. }
  1549. rule r208 {
  1550. match {
  1551. destination-address xxxxxxxxxxxxxxxxxxxx;
  1552. }
  1553. then {
  1554. static-nat {
  1555. prefix {
  1556. 192.168.10.245/32;
  1557. }
  1558. }
  1559. }
  1560. }
  1561. rule r209 {
  1562. match {
  1563. destination-address xxxxxxxxxxxxxxxxxxx;
  1564. }
  1565. then {
  1566. static-nat {
  1567. prefix {
  1568. 192.168.10.254/32;
  1569. }
  1570. }
  1571. }
  1572. }
  1573. rule r210 {
  1574. match {
  1575. destination-address xxxxxxxxxxxxxxxxxxxxx;
  1576. }
  1577. then {
  1578. static-nat {
  1579. prefix {
  1580. 192.168.10.240/32;
  1581. }
  1582. }
  1583. }
  1584. }
  1585. rule r211 {
  1586. match {
  1587. destination-address xxxxxxxxxxxxxxxx;
  1588. }
  1589. then {
  1590. static-nat {
  1591. prefix {
  1592. 192.168.10.239/32;
  1593. }
  1594. }
  1595. }
  1596. }
  1597. rule r212 {
  1598. match {
  1599. destination-address xxxxxxxxxxxxxxx;
  1600. }
  1601. then {
  1602. static-nat {
  1603. prefix {
  1604. 192.168.10.238/32;
  1605. }
  1606. }
  1607. }
  1608. }
  1609. rule r213 {
  1610. match {
  1611. destination-address xxxxxxxxxxxxxxxxxx;
  1612. }
  1613. then {
  1614. static-nat {
  1615. prefix {
  1616. 192.168.10.237/32;
  1617. }
  1618. }
  1619. }
  1620. }
  1621. rule r214 {
  1622. match {
  1623. destination-address xxxxxxxxxxxxxxxxxxxxxxx;
  1624. }
  1625. then {
  1626. static-nat {
  1627. prefix {
  1628. 192.168.252.99/32;
  1629. }
  1630. }
  1631. }
  1632. }
  1633. }
  1634. }
  1635. proxy-arp {
  1636. interface reth1.0 {
  1637. address {
  1638. xxxxxxxxxxxxxxxxxxxxxxxxxxx
  1639.  
  1640.  
  1641. }
  1642. }
  1643. }
  1644. }
  1645. policies {
  1646. from-zone Trust to-zone Herakles {
  1647. policy Trust-out {
  1648. match {
  1649. source-address any;
  1650. destination-address any;
  1651. application any;
  1652. }
  1653. then {
  1654. permit;
  1655. }
  1656. }
  1657. }
  /* Internet (zone Herakles) to Trust LAN. Every policy below is a plain permit with no "log { session-init; }", and the system syslog only captures "any critical" / "authorization info", so accepted inbound sessions leave no record here unless a security log stream exists outside the visible configuration. */
  1658. from-zone Herakles to-zone Trust {
  /* HTTP/HTTPS from any source to the published web hosts and the *_VIRTUAL_IP addresses (192.168.252.x, see the Trust address-book). */
  1659. policy Herakles-web-incoming {
  1660. match {
  1661. source-address any;
  1662. destination-address [ EGIA-WEB-server CONSERVATIONREBATES-WEB-server STAGE-WEB-server EGIAPRDWEB1 EGIAPRDWEB5 EGIAQAWEB2 PGE_VIRTUAL_IP EGIAQWEB4 NICOR_VIRTUAL_IP EGIARPS_VIRTUAL_IP SWG_EGIAPRDWEB1 CCNG_EGIAPRDWEB1 RECOL_VIRTUAL_IP AGL_VIRTUAL_IP CNGC_VIRTUAL_IP DKNG_VIRTUAL_IP SOCALGAS_VIRTUAL_IP MWDTURF_VIRTUAL_IP SDBX_VIRTUAL_IP SCGA_VIRTUAL_IP NICOR_REVIEW_VIRTUAL_IP EGIA_99 ];
  1663. application [ junos-http junos-https ];
  1664. }
  1665. then {
  1666. permit;
  1667. }
  1668. }
  /* Name says "sftp" (and is misspelled "incomfing"; a configuration-mode "rename" fixes the label without changing behaviour), but the match also permits junos-ftp, i.e. cleartext FTP, from any source to EGIA-WEB-server and EGIAFTP1 alongside ssh. */
  1669. policy Herakles-sftp-incomfing {
  1670. match {
  1671. source-address any;
  1672. destination-address [ EGIA-WEB-server EGIAFTP1 ];
  1673. application [ junos-ftp junos-ssh ];
  1674. }
  1675. then {
  1676. permit;
  1677. }
  1678. }
  /* PPTP (junos-pptp: TCP/1723 plus GRE) from any Internet source to EGIA-VPN-server, paired with the destination-NAT rule Herakles-EGIA-VPN-in further down. PPTP's MS-CHAPv2 authentication is considered broken; the IPsec tunnels configured under security ike/ipsec are the stronger option for remote access. */
  1679. policy Herakles-VPN-incoming {
  1680. match {
  1681. source-address any;
  1682. destination-address EGIA-VPN-server;
  1683. application junos-pptp;
  1684. }
  1685. then {
  1686. permit;
  1687. }
  1688. }
  /* ICMP echo from anywhere to every Trust address; handy for reachability checks but it also makes the whole 192.168.252.0/24 range enumerable from the Internet. Narrowing destination-address to the published hosts would keep the useful part. */
  1689. policy Herakles-ping {
  1690. match {
  1691. source-address any;
  1692. destination-address any;
  1693. application junos-icmp-ping;
  1694. }
  1695. then {
  1696. permit;
  1697. }
  1698. }
  /* Admin access from the two /32s in address-set Dustin to EGIA-VPN-server and VC1 with "application any". The matching NAT rule is named TEMP_RDP, so this looks temporary; the config already defines application RDC (tcp/3389), which would scope this to what the name says. */
  1699. policy Dustin_RDP {
  1700. match {
  1701. source-address Dustin;
  1702. destination-address [ EGIA-VPN-server VC1 ];
  1703. application any;
  1704. }
  1705. then {
  1706. permit;
  1707. }
  1708. }
  1709. }
  /* Office site-to-site tunnels (zone OFFICEVPN, st0.0 / st0.1) and the Trust LAN are fully open to each other in both directions: any source, any destination, any application. Whether this flat trust is acceptable depends on the office network's own controls; at minimum "then { permit; log { session-init; } }" would give the syslog some visibility of cross-site sessions. */
  1710. from-zone OFFICEVPN to-zone Trust {
  1711. policy default-permit {
  1712. match {
  1713. source-address any;
  1714. destination-address any;
  1715. application any;
  1716. }
  1717. then {
  1718. permit;
  1719. }
  1720. }
  1721. }
  /* Return direction of the same any/any/any rule. */
  1722. from-zone Trust to-zone OFFICEVPN {
  1723. policy default-permit {
  1724. match {
  1725. source-address any;
  1726. destination-address any;
  1727. application any;
  1728. }
  1729. then {
  1730. permit;
  1731. }
  1732. }
  1733. }
  1734. from-zone APP to-zone Trust {
  1735. policy DHCP-REQUEST {
  1736. match {
  1737. source-address APP_LAN;
  1738. destination-address EGIADC02;
  1739. application any;
  1740. }
  1741. then {
  1742. permit;
  1743. }
  1744. }
  1745. policy APP_TO_TRUST {
  1746. match {
  1747. source-address APP_LAN;
  1748. destination-address any;
  1749. application [ ORACLE_APP_IGNORE junos-nfs ];
  1750. }
  1751. then {
  1752. permit;
  1753. }
  1754. }
  1755. }
  1756. from-zone DMZ to-zone Trust {
  1757. policy DHCP-REQUEST {
  1758. match {
  1759. source-address DMZ_LAN;
  1760. destination-address EGIADC02;
  1761. application any;
  1762. }
  1763. then {
  1764. permit;
  1765. }
  1766. }
  1767. policy DMZ-WEB-ACCESS {
  1768. match {
  1769. source-address DMZ_LAN;
  1770. destination-address any;
  1771. application junos-http;
  1772. }
  1773. then {
  1774. permit;
  1775. }
  1776. }
  1777. }
  1778. from-zone DATA to-zone Trust {
  1779. policy DHCP-REQUEST {
  1780. match {
  1781. source-address DATA_LAN;
  1782. destination-address EGIADC02;
  1783. application any;
  1784. }
  1785. then {
  1786. permit;
  1787. }
  1788. }
  1789. }
  1790. from-zone Trust to-zone DATA {
  1791. policy DHCP-REPLY {
  1792. match {
  1793. source-address EGIADC02;
  1794. destination-address DATA_LAN;
  1795. application any;
  1796. }
  1797. then {
  1798. permit;
  1799. }
  1800. }
  1801. policy RDC {
  1802. match {
  1803. source-address any;
  1804. destination-address DATA_LAN;
  1805. application RDC;
  1806. }
  1807. then {
  1808. permit;
  1809. }
  1810. }
  1811. }
  1812. from-zone Trust to-zone DMZ {
  1813. policy DHCP-REPLY {
  1814. match {
  1815. source-address EGIADC02;
  1816. destination-address DMZ_LAN;
  1817. application any;
  1818. }
  1819. then {
  1820. permit;
  1821. }
  1822. }
  1823. policy Trust_TO_DMZ {
  1824. match {
  1825. source-address any;
  1826. destination-address DMZ_LAN;
  1827. application [ junos-ssh junos-http junos-https ];
  1828. }
  1829. then {
  1830. permit;
  1831. }
  1832. }
  1833. }
  1834. from-zone Trust to-zone APP {
  1835. policy DHCP-REPLY {
  1836. match {
  1837. source-address EGIADC02;
  1838. destination-address APP_LAN;
  1839. application any;
  1840. }
  1841. then {
  1842. permit;
  1843. }
  1844. }
  1845. policy Trust_TO_APP {
  1846. match {
  1847. source-address any;
  1848. destination-address APP_LAN;
  1849. application [ junos-ssh junos-http junos-https ];
  1850. }
  1851. then {
  1852. permit;
  1853. }
  1854. }
  1855. }
  1856. from-zone DMZ to-zone Herakles {
  1857. policy DMZ_TO_Herakles {
  1858. match {
  1859. source-address DMZ_LAN;
  1860. destination-address any;
  1861. application [ junos-ssh junos-http junos-https junos-icmp-ping ];
  1862. }
  1863. then {
  1864. permit;
  1865. }
  1866. }
  1867. }
  1868. from-zone Herakles to-zone DMZ {
  1869. policy DMZ-WEB-ACCESS {
  1870. match {
  1871. source-address any;
  1872. destination-address DMZ_LAN;
  1873. application [ junos-http junos-https ];
  1874. }
  1875. then {
  1876. permit;
  1877. }
  1878. }
  1879. }
  1880. from-zone OFFICEVPN to-zone DMZ {
  1881. policy OFFICE_TO_DMZ {
  1882. match {
  1883. source-address any;
  1884. destination-address DMZ_LAN;
  1885. application [ junos-ssh junos-http junos-https ];
  1886. }
  1887. then {
  1888. permit;
  1889. }
  1890. }
  1891. }
  1892. from-zone APP to-zone DMZ {
  1893. policy APP_TO_PROXY {
  1894. match {
  1895. source-address APP_LAN;
  1896. destination-address EGIAPROXY01;
  1897. application SQUID;
  1898. }
  1899. then {
  1900. permit;
  1901. }
  1902. }
  1903. policy APP_TO_DMZ {
  1904. match {
  1905. source-address APP_LAN;
  1906. destination-address DMZ_LAN;
  1907. application [ junos-http junos-https junos-ftp ];
  1908. }
  1909. then {
  1910. permit;
  1911. }
  1912. }
  1913. }
  1914. from-zone DMZ to-zone APP {
  1915. policy DMZ_WEB_ACCESS {
  1916. match {
  1917. source-address DMZ_LAN;
  1918. destination-address APP_LAN;
  1919. application junos-http;
  1920. }
  1921. then {
  1922. permit;
  1923. }
  1924. }
  1925. }
  1926. from-zone Trust to-zone MGMT {
  1927. policy trust_to_mgmt {
  1928. match {
  1929. source-address any;
  1930. destination-address MGMT_LAN;
  1931. application any;
  1932. }
  1933. then {
  1934. permit;
  1935. }
  1936. }
  1937. }
  1938. from-zone MGMT to-zone Trust {
  1939. policy mgmt_to_trust {
  1940. match {
  1941. source-address MGMT_LAN;
  1942. destination-address any;
  1943. application any;
  1944. }
  1945. then {
  1946. permit;
  1947. }
  1948. }
  1949. }
  /* Management VLAN (192.168.20.0/24) to the Internet. The scoped allow-list policy is marked inactive and the active policy MGMT_TEMP permits any application to any destination, so the MGMT VLAN currently has unrestricted outbound access. */
  1950. from-zone MGMT to-zone Herakles {
  /* Intended allow-list: web, DNS, FTP and the BARRACUDA application (tcp/udp 1194 and 5120-5129, defined under applications). */
  1951. inactive: policy MGMT_TO_HERAKLES {
  1952. match {
  1953. source-address MGMT_LAN;
  1954. destination-address any;
  1955. application [ junos-http junos-https junos-dns-tcp junos-dns-udp junos-ftp BARRACUDA ];
  1956. }
  1957. then {
  1958. permit;
  1959. }
  1960. }
  /* "TEMP" in the name suggests a troubleshooting opening that was never closed. Re-activating MGMT_TO_HERAKLES and deleting this policy restores the allow-list; if something genuinely needs more, add it to the application list above rather than keeping "any". */
  1961. policy MGMT_TEMP {
  1962. match {
  1963. source-address MGMT_LAN;
  1964. destination-address any;
  1965. application any;
  1966. }
  1967. then {
  1968. permit;
  1969. }
  1970. }
  1971. }
  1972. from-zone OFFICEVPN to-zone MGMT {
  1973. policy Office_to_mgmt {
  1974. match {
  1975. source-address any;
  1976. destination-address MGMT_LAN;
  1977. application [ junos-http junos-https junos-cifs ];
  1978. }
  1979. then {
  1980. permit;
  1981. }
  1982. }
  1983. }
  1984. from-zone DATA to-zone DMZ {
  1985. policy DATA_TO_PROXY {
  1986. match {
  1987. source-address DATA_LAN;
  1988. destination-address EGIAPROXY01;
  1989. application SQUID;
  1990. }
  1991. then {
  1992. permit;
  1993. }
  1994. }
  1995. }
  1996. from-zone OFFICEVPN to-zone APP {
  1997. policy OFFICE_TO_APP {
  1998. match {
  1999. source-address any;
  2000. destination-address APP_LAN;
  2001. application [ junos-ssh junos-http junos-https junos-ftp junos-icmp-ping ];
  2002. }
  2003. then {
  2004. permit;
  2005. }
  2006. }
  2007. }
  2008. from-zone APP to-zone Herakles {
  2009. policy APP_TO_Herakles {
  2010. match {
  2011. source-address APP_LAN;
  2012. destination-address any;
  2013. application [ junos-http junos-https junos-ftp ];
  2014. }
  2015. then {
  2016. permit;
  2017. }
  2018. }
  2019. }
  2020. from-zone MGMT to-zone OFFICEVPN {
  2021. policy default-permit {
  2022. match {
  2023. source-address any;
  2024. destination-address any;
  2025. application any;
  2026. }
  2027. then {
  2028. permit;
  2029. }
  2030. }
  2031. }
  2032. }
  2033. zones {
  2034. security-zone Trust {
  2035. tcp-rst;
  2036. address-book {
  2037. address EGIA-WEB-server 192.168.252.35/32;
  2038. address CONSERVATIONREBATES-WEB-server 192.168.252.12/32;
  2039. address EGIA-VPN-server 192.168.252.9/32;
  2040. address STAGE-WEB-server 192.168.252.211/32;
  2041. address EGIAPRDWEB1 192.168.252.53/32;
  2042. address EGIAPRDWEB5 192.168.252.57/32;
  2043. address EGIAQAWEB2 192.168.252.67/32;
  2044. address PGE_VIRTUAL_IP 192.168.252.100/32;
  2045. address EGIAFTP1 192.168.252.80/32;
  2046. address EGIAQWEB4 192.168.252.61/32;
  2047. address NICOR_VIRTUAL_IP 192.168.252.101/32;
  2048. address EGIARPS_VIRTUAL_IP 192.168.252.103/32;
  2049. address SWG_EGIAPRDWEB1 192.168.252.87/32;
  2050. address CCNG_EGIAPRDWEB1 192.168.252.88/32;
  2051. address RECOL_VIRTUAL_IP 192.168.252.104/32;
  2052. address AGL_VIRTUAL_IP 192.168.252.105/32;
  2053. address CNGC_VIRTUAL_IP 192.168.252.106/32;
  2054. address DKNG_VIRTUAL_IP 192.168.252.108/32;
  2055. address VC1 192.168.252.5/32;
  2056. address SOCALGAS_VIRTUAL_IP 192.168.252.109/32;
  2057. address MWDTURF_VIRTUAL_IP 192.168.252.110/32;
  2058. address SDBX_VIRTUAL_IP 192.168.252.111/32;
  2059. address SCGA_VIRTUAL_IP 192.168.252.112/32;
  2060. address NICOR_REVIEW_VIRTUAL_IP 192.168.252.113/32;
  2061. address EGIADC02 192.168.252.102/32;
  2062. address EGIA_99 192.168.252.99/32;
  2063. }
  /* Zone Trust interfaces. Both members open every host-inbound service and routing protocol to the zone; on reth0.0 (192.168.252.10/24, "Herakles LAN") that includes the telnet, xnm-clear-text and plain-HTTP J-Web services this device enables under system services. Listing only what the LAN actually uses (for example ssh, ping, dhcp, https, snmp) would close the rest. */
  2064. interfaces {
  2065. reth0.0 {
  2066. host-inbound-traffic {
  2067. system-services {
  2068. all;
  2069. }
  2070. protocols {
  2071. all;
  2072. }
  2073. }
  2074. }
  /* Loopback: "all" here is harmless in itself since lo0.0 only carries 127.0.0.1/32, but it is unusual to need routing protocols on it. */
  2075. lo0.0 {
  2076. host-inbound-traffic {
  2077. system-services {
  2078. all;
  2079. }
  2080. protocols {
  2081. all;
  2082. }
  2083. }
  2084. }
  2085. }
  2086. }
  2087. security-zone Herakles {
  2088. address-book {
  2089. address Dustin1 99.89.113.240/32;
  2090. address Dustin2 32.158.121.9/32;
  2091. address-set Dustin {
  2092. address Dustin1;
  2093. address Dustin2;
  2094. }
  2095. }
  2096. host-inbound-traffic {
  2097. system-services {
  2098. ike;
  2099. }
  2100. }
  2101. interfaces {
  2102. reth1.0 {
  2103. host-inbound-traffic {
  2104. system-services {
  2105. ping;
  2106. ike;
  2107. }
  2108. }
  2109. }
  2110. }
  2111. }
  2112. security-zone OFFICEVPN {
  2113. host-inbound-traffic {
  2114. system-services {
  2115. all;
  2116. }
  2117. protocols {
  2118. all;
  2119. }
  2120. }
  2121. interfaces {
  2122. st0.0;
  2123. st0.1;
  2124. }
  2125. }
  2126. security-zone APP {
  2127. address-book {
  2128. address APP_LAN 192.168.11.0/24;
  2129. }
  2130. interfaces {
  2131. reth2.11 {
  2132. host-inbound-traffic {
  2133. system-services {
  2134. ping;
  2135. dhcp;
  2136. }
  2137. }
  2138. }
  2139. }
  2140. }
  2141. security-zone DATA {
  2142. address-book {
  2143. address DATA_LAN 192.168.12.0/24;
  2144. }
  2145. interfaces {
  2146. reth2.12 {
  2147. host-inbound-traffic {
  2148. system-services {
  2149. ping;
  2150. dhcp;
  2151. }
  2152. }
  2153. }
  2154. }
  2155. }
  2156. security-zone DMZ {
  2157. address-book {
  2158. address DMZ_LAN 192.168.10.0/24;
  2159. address EGIAPROXY01 192.168.10.12/32;
  2160. }
  2161. interfaces {
  2162. reth2.10 {
  2163. host-inbound-traffic {
  2164. system-services {
  2165. ping;
  2166. dhcp;
  2167. }
  2168. }
  2169. }
  2170. }
  2171. }
  2172. security-zone MGMT {
  2173. address-book {
  2174. address MGMT_LAN 192.168.20.0/24;
  2175. }
  2176. interfaces {
  2177. reth2.20 {
  2178. host-inbound-traffic {
  2179. system-services {
  2180. ping;
  2181. dhcp;
  2182. ssh;
  2183. }
  2184. }
  2185. }
  2186. }
  2187. }
  2188. security-zone VPN {
  2189. interfaces {
  2190. st0.2 {
  2191. host-inbound-traffic {
  2192. system-services {
  2193. ping;
  2194. snmp;
  2195. }
  2196. }
  2197. }
  2198. }
  2199. }
  2200. }
  2201. }
  /* Stateless filters and policers. None of the three policers below is referenced by a term in either filter in this stanza, so they currently have no effect. */
  2202. firewall {
  2203. policer bandwidth-control-512k {
  2204. if-exceeding {
  2205. bandwidth-limit 512k;
  2206. burst-size-limit 128k;
  2207. }
  2208. then discard;
  2209. }
  2210. policer bandwidth-control-1024k {
  2211. if-exceeding {
  2212. bandwidth-limit 1024000;
  2213. burst-size-limit 128k;
  2214. }
  2215. then discard;
  2216. }
  2217. policer bandwidth-control-2048k {
  2218. if-exceeding {
  2219. bandwidth-limit 2048000;
  2220. burst-size-limit 512k;
  2221. }
  2222. then discard;
  2223. }
  /* Input filter on reth1.0 ("Herakles WAN"). A Junos filter ends in an implicit discard, so only packets to the one (redacted) destination below pass; everything else arriving on the WAN interface is dropped before the security policy sees it. NOTE(review): the redacted value ends in "7" and may be a prefix such as a /27 covering the public block used by the static-NAT rules (e.g. 65.74.160.217); if it is a single host, the NAT and IKE peer traffic would be dropped here — confirm. */
  2224. filter Herakles-in {
  2225. term incoming-internet-access {
  2226. from {
  2227. destination-address {
  2228. xxxxxxxxxxxxx7;
  2229. }
  2230. }
  2231. then accept;
  2232. }
  2233. }
  /* Output filter on reth1.0. All three terms accept, so the filter is a pass-through; it only exists to classify traffic. */
  2234. filter Herakles-out {
  2235. term rackspace_traffic {
  2236. from {
  2237. destination-address {
  2238. xxxxxxxxxxxxxxxxxxxx;
  2239. }
  2240. destination-port [ http https ];
  2241. }
  2242. then accept;
  2243. }
  /* Despite the name, this term applies no policer; web traffic from 192.168.252.7 is accepted unrated. If rate limiting is still wanted, reference one of the policers above, e.g. "then { policer bandwidth-control-1024k; accept; }". */
  2244. term rate-limit-web-traffic {
  2245. from {
  2246. source-address {
  2247. 192.168.252.7/32;
  2248. }
  2249. destination-port [ http https ];
  2250. }
  2251. then accept;
  2252. }
  2253. term catch-all {
  2254. then accept;
  2255. }
  2256. }
  2257. }
  2258. applications {
  2259. application ORACLE_APP_IGNORE {
  2260. term t1 alg ignore protocol tcp destination-port 1521;
  2261. }
  2262. application SQUID {
  2263. term t1 protocol tcp destination-port 3128;
  2264. }
  2265. application RDC {
  2266. term t1 protocol tcp destination-port 3389;
  2267. }
  2268. application BARRACUDA {
  2269. term t1 protocol tcp destination-port 1194;
  2270. term t2 protocol udp destination-port 1194;
  2271. term t3 protocol tcp destination-port 5120-5129;
  2272. term t4 protocol udp destination-port 5120-5129;
  2273. }
  2274. }
  2275.  
  2276. {primary:node0}[edit]
  2277. root@EGIAFW01# ot
  2278. ^
  2279. _____________________________
  2280. 192.168.20.x config:
  2281.  
  2282. login as: root
  2283. root@192.168.20.1's password:
  2284. Access denied
  2285. root@192.168.20.1's password:
  2286. pam_unix: pam_sm_authenticate: UNIX authentication refused
  2287.  
  2288. --- JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
  2289.  
  2290. root@EGIAFW01> show chassis hardware
  2291. node0:
  2292. --------------------------------------------------------------------------
  2293. Hardware inventory:
  2294. Item Version Part number Serial number Description
  2295. Chassis AD2610AA0247 SRX210H
  2296. Routing Engine REV 40 750-021779 AABT6622 RE-SRX210H
  2297. FPC 0 FPC
  2298. PIC 0 2x GE, 6x FE, 1x 3G
  2299. Power Supply 0
  2300.  
  2301. node1:
  2302. --------------------------------------------------------------------------
  2303. Hardware inventory:
  2304. Item Version Part number Serial number Description
  2305. Chassis AD2610AA0310 SRX210H
  2306. Routing Engine REV 40 750-021779 AABT6469 RE-SRX210H
  2307. FPC 0 FPC
  2308. PIC 0 2x GE, 6x FE, 1x 3G
  2309. Power Supply 0
  2310.  
  2311. {primary:node0}
  2312.  
  2313.  
  2314. root@EGIAFW01% cli
  2315. {primary:node0}
  2316. root@EGIAFW01> configure
  2317. warning: Clustering enabled; using private edit
  2318. warning: uncommitted changes will be discarded on exit
  2319. Entering configuration mode
  2320.  
  2321. {primary:node0}[edit]
  2322. root@EGIAFW01# show
  2323. ## Last changed: 2016-05-23 14:12:34 PDT
  2324. version 11.4R10.3;
  2325. groups {
  2326. node0 {
  2327. system {
  2328. host-name EGIAFW01;
  2329. }
  2330. interfaces {
  2331. fxp0 {
  2332. unit 0 {
  2333. family inet {
  2334. address 192.168.250.2/24;
  2335. }
  2336. }
  2337. }
  2338. }
  2339. }
  2340. node1 {
  2341. system {
  2342. host-name EGIAFW02;
  2343. }
  2344. interfaces {
  2345. fxp0 {
  2346. unit 0 {
  2347. family inet {
  2348. address 192.168.250.3/24;
  2349. }
  2350. }
  2351. }
  2352. }
  2353. }
  2354. global {
  2355. system {
  2356. services {
  2357. ssh {
  2358. protocol-version v2;
  2359. }
  2360. }
  2361. }
  2362. }
  2363. }
  2364. apply-groups "${node}";
  2365. system {
  2366. time-zone America/Los_Angeles;
  2367. root-authentication {
  2368. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  2369. }
  2370. name-server {
  2371. 208.67.222.222;
  2372. 208.67.220.220;
  2373. }
  2374. login {
  2375. user dscott {
  2376. full-name "Dustin Scott";
  2377. uid 4000;
  2378. class super-user;
  2379. authentication {
  2380. encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  2381. }
  2382. }
  2383. }
  /* Management services on the 11.4 cluster (EGIAFW01/EGIAFW02). ssh is pinned to protocol v2 by the "global" group applied above. */
  2384. services {
  /* The login transcript above shows a direct root login over ssh to 192.168.20.1 (reth2.20, zone MGMT); "ssh { root-login deny; }" would require a named account such as dscott and keep root for the console. */
  2385. ssh;
  /* telnet and xnm-clear-text send credentials and configuration in cleartext. The 12.1X44 cluster earlier on this page enables only ssh; these two are candidates for removal once nothing depends on them. */
  2386. telnet;
  2387. xnm-clear-text;
  /* J-Web on fxp0.0 and on reth0.0, the Trust-side LAN interface. The http instance is unencrypted, and the https instance uses a self-signed device certificate. Serving https only, preferably only on fxp0.0, removes the cleartext path. */
  2388. web-management {
  2389. http {
  2390. interface [ fxp0.0 reth0.0 ];
  2391. }
  2392. https {
  2393. system-generated-certificate;
  2394. interface [ fxp0.0 reth0.0 ];
  2395. }
  2396. }
  2397. }
  2398. syslog {
  2399. archive size 100k files 3;
  2400. user * {
  2401. any emergency;
  2402. }
  2403. file messages {
  2404. any critical;
  2405. authorization info;
  2406. }
  2407. file interactive-commands {
  2408. interactive-commands error;
  2409. }
  2410. file kmd-logs {
  2411. daemon info;
  2412. match KMD;
  2413. }
  2414. }
  2415. max-configurations-on-flash 5;
  2416. max-configuration-rollbacks 5;
  2417. license {
  2418. autoupdate {
  2419. url https://ae1.juniper.net/junos/key_retrieval;
  2420. }
  2421. }
  2422. ntp {
  2423. server xxxxxxxxxxxxxxxxxxxxxx;
  2424. }
  2425. }
  2426. chassis {
  2427. cluster {
  2428. reth-count 3;
  2429. redundancy-group 0 {
  2430. node 0 priority 100;
  2431. node 1 priority 1;
  2432. }
  2433. redundancy-group 1 {
  2434. node 0 priority 100;
  2435. node 1 priority 1;
  2436. interface-monitor {
  2437. ge-0/0/0 weight 255;
  2438. ge-2/0/0 weight 255;
  2439. fe-0/0/2 weight 255;
  2440. fe-2/0/2 weight 255;
  2441. }
  2442. }
  2443. redundancy-group 2 {
  2444. node 0 priority 100;
  2445. node 1 priority 1;
  2446. interface-monitor {
  2447. ge-0/0/1 weight 255;
  2448. ge-2/0/1 weight 255;
  2449. }
  2450. }
  2451. }
  2452. }
  2453. interfaces {
  2454. ge-0/0/0 {
  2455. gigether-options {
  2456. redundant-parent reth0;
  2457. }
  2458. }
  2459. ge-0/0/1 {
  2460. gigether-options {
  2461. redundant-parent reth2;
  2462. }
  2463. }
  2464. fe-0/0/2 {
  2465. speed 100m;
  2466. link-mode full-duplex;
  2467. fastether-options {
  2468. redundant-parent reth1;
  2469. }
  2470. }
  2471. ge-2/0/0 {
  2472. gigether-options {
  2473. redundant-parent reth0;
  2474. }
  2475. }
  2476. ge-2/0/1 {
  2477. gigether-options {
  2478. redundant-parent reth2;
  2479. }
  2480. }
  2481. fe-2/0/2 {
  2482. speed 100m;
  2483. link-mode full-duplex;
  2484. fastether-options {
  2485. redundant-parent reth1;
  2486. }
  2487. }
  2488. fab0 {
  2489. fabric-options {
  2490. member-interfaces {
  2491. fe-0/0/5;
  2492. }
  2493. }
  2494. }
  2495. fab1 {
  2496. fabric-options {
  2497. member-interfaces {
  2498. fe-2/0/5;
  2499. }
  2500. }
  2501. }
  2502. lo0 {
  2503. unit 0 {
  2504. family inet {
  2505. address 127.0.0.1/32;
  2506. }
  2507. }
  2508. }
  2509. reth0 {
  2510. redundant-ether-options {
  2511. redundancy-group 1;
  2512. }
  2513. unit 0 {
  2514. description "Herakles LAN";
  2515. family inet {
  2516. inactive: sampling {
  2517. input;
  2518. output;
  2519. }
  2520. address 192.168.252.10/24;
  2521. }
  2522. }
  2523. }
  2524. reth1 {
  2525. redundant-ether-options {
  2526. redundancy-group 1;
  2527. }
  2528. unit 0 {
  2529. description "Herakles WAN";
  2530. family inet {
  2531. filter {
  2532. input Herakles-in;
  2533. output Herakles-out;
  2534. }
  2535. inactive: sampling {
  2536. input;
  2537. output;
  2538. }
  2539. address xxxxxxxxxxxxxxxxxxxxxx;
  2540. }
  2541. }
  2542. }
  2543. reth2 {
  2544. description "Datacenter LAN";
  2545. vlan-tagging;
  2546. redundant-ether-options {
  2547. redundancy-group 2;
  2548. }
  2549. unit 10 {
  2550. description DMZ;
  2551. vlan-id 10;
  2552. family inet {
  2553. address 192.168.10.1/24;
  2554. }
  2555. }
  2556. unit 11 {
  2557. description APP;
  2558. vlan-id 11;
  2559. family inet {
  2560. address 192.168.11.1/24;
  2561. }
  2562. }
  2563. unit 12 {
  2564. description DATA;
  2565. vlan-id 12;
  2566. family inet {
  2567. address 192.168.12.1/24;
  2568. }
  2569. }
  2570. unit 20 {
  2571. description MGMT;
  2572. vlan-id 20;
  2573. family inet {
  2574. address 192.168.20.1/24;
  2575. }
  2576. }
  2577. }
  2578. st0 {
  2579. unit 0 {
  2580. family inet {
  2581. address 172.16.0.1/30;
  2582. }
  2583. }
  2584. unit 1 {
  2585. family inet {
  2586. address 172.16.1.1/30;
  2587. }
  2588. }
  2589. unit 2 {
  2590. description "VLAB MONITORING";
  2591. family inet {
  2592. address 172.31.255.253/30;
  2593. }
  2594. }
  2595. }
  2596. }
  2597. forwarding-options {
  2598. inactive: sampling {
  2599. input {
  2600. rate 1;
  2601. run-length 0;
  2602. max-packets-per-second 50000;
  2603. }
  2604. family inet {
  2605. output {
  2606. flow-server 192.168.252.52 {
  2607. port 9996;
  2608. autonomous-system-type origin;
  2609. no-local-dump;
  2610. version 5;
  2611. }
  2612. }
  2613. }
  2614. }
  2615. helpers {
  2616. bootp {
  2617. relay-agent-option;
  2618. description "Global DHCP Forwarder";
  2619. server 192.168.252.102;
  2620. interface {
  2621. reth2.10;
  2622. reth2.11;
  2623. reth2.12;
  2624. reth2.20;
  2625. }
  2626. }
  2627. }
  2628. }
  /* SNMP v1/v2c: the community string travels in cleartext, but it is read-only and the client list below limits it to the Trust LAN, with the "0.0.0.0/0 restrict" entry refusing everyone else. SNMPv3 (usm) would add authentication and privacy if the poller supports it. */
  2629. snmp {
  2630. location Herakles;
  2631. contact "dscott98@gmail.com";
  2632. community egia-public {
  2633. authorization read-only;
  /* NOTE(review): security-zone VPN allows snmp on st0.2 (172.31.255.253/30, "VLAB MONITORING"), but that range is not listed here, so polls from the monitoring tunnel are refused unless they arrive with a 192.168.252.x source — confirm which is intended. */
  2634. clients {
  2635. 192.168.252.0/24;
  2636. 0.0.0.0/0 restrict;
  2637. }
  2638. }
  2639. }
  2640. routing-options {
  2641. static {
  2642. route 0.0.0.0/0 next-hop 65.74.160.194;
  2643. route 192.168.253.0/24 {
  2644. next-hop st0.0;
  2645. qualified-next-hop st0.1 {
  2646. preference 10;
  2647. }
  2648. }
  2649. }
  2650. }
  2651. protocols {
  2652. stp;
  2653. }
  2654. security {
  /* IKEv1 phase 1. A single proposal is shared by the main-mode office tunnels and the aggressive-mode monitoring tunnel. */
  2655. ike {
  /* AES-256-CBC with SHA-256 is fine; dh-group group2 is 1024-bit MODP, which is below current guidance. group14 (2048-bit) is the usual minimum and must be changed on both peers at the same time. */
  2656. proposal IKE-PROPOSAL {
  2657. authentication-method pre-shared-keys;
  2658. dh-group group2;
  2659. authentication-algorithm sha-256;
  2660. encryption-algorithm aes-256-cbc;
  2661. }
  /* Static office peers: main mode with a pre-shared key. */
  2662. policy IKE-POLICY {
  2663. mode main;
  2664. proposals IKE-PROPOSAL;
  2665. pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxb"; ## SECRET-DATA
  2666. }
  /* Dynamic peer: aggressive mode exchanges the identities and the PSK-based authentication hash before encryption is in place, so the strength of this PSK is what protects the exchange. Use a long random key, and prefer main mode with certificates if the monitoring peer can do that. */
  2667. policy DYNAMIC-IKE {
  2668. mode aggressive;
  2669. proposals IKE-PROPOSAL;
  2670. pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
  2671. }
  2672. gateway IKE-GATEWAY {
  2673. ike-policy IKE-POLICY;
  2674. address 207.231.77.102;
  2675. dead-peer-detection;
  2676. external-interface reth1.0;
  2677. }
  2678. gateway IKE-GATEWAY-Secondary {
  2679. ike-policy IKE-POLICY;
  2680. address 70.98.111.172;
  2681. dead-peer-detection;
  2682. external-interface reth1.0;
  2683. }
  /* Peer is identified by user-at-hostname rather than address; the local identity is sent as "qts@egia.com". */
  2684. gateway VLAB-MONITOR {
  2685. ike-policy DYNAMIC-IKE;
  2686. dynamic user-at-hostname "monitor@vlab.local";
  2687. dead-peer-detection;
  2688. local-identity user-at-hostname "qts@egia.com";
  2689. external-interface reth1.0;
  2690. }
  2691. }
  /* IPsec phase 2, shared by all three route-based tunnels (st0.0, st0.1, st0.2). */
  2692. ipsec {
  2693. vpn-monitor-options {
  2694. interval 5;
  2695. threshold 7;
  2696. }
  /* hmac-md5-96 is a legacy integrity algorithm and is inconsistent with the sha-256 chosen for IKE; a SHA-based option (hmac-sha-256-128 where this release supports it) is preferable. Must be changed on both ends of each tunnel. */
  2697. proposal IPSEC-PROPOSAL {
  2698. protocol esp;
  2699. authentication-algorithm hmac-md5-96;
  2700. encryption-algorithm aes-256-cbc;
  2701. }
  /* No perfect-forward-secrecy is set, so phase-2 keys are derived from the phase-1 exchange only; "perfect-forward-secrecy keys group14" (matched on the peers) gives each SA an independent DH exchange. */
  2702. policy IPSEC-POLICY {
  2703. proposals IPSEC-PROPOSAL;
  2704. }
  /* Primary office tunnel; the static route to 192.168.253.0/24 prefers st0.0 and falls back to st0.1. */
  2705. vpn OFFICE {
  2706. bind-interface st0.0;
  2707. vpn-monitor {
  2708. optimized;
  2709. }
  2710. ike {
  2711. gateway IKE-GATEWAY;
  2712. ipsec-policy IPSEC-POLICY;
  2713. }
  2714. establish-tunnels immediately;
  2715. }
  2716. vpn OFFICE-secondary {
  2717. bind-interface st0.1;
  2718. vpn-monitor {
  2719. optimized;
  2720. }
  2721. ike {
  2722. gateway IKE-GATEWAY-Secondary;
  2723. ipsec-policy IPSEC-POLICY;
  2724. }
  2725. establish-tunnels immediately;
  2726. }
  /* Monitoring tunnel terminating in zone VPN (st0.2), which only admits ping and snmp host-inbound. */
  2727. vpn VLAB-MONITOR {
  2728. bind-interface st0.2;
  2729. vpn-monitor {
  2730. optimized;
  2731. }
  2732. ike {
  2733. gateway VLAB-MONITOR;
  2734. ipsec-policy IPSEC-POLICY;
  2735. }
  2736. establish-tunnels immediately;
  2737. }
  2738. }
  2739. alg {
  2740. msrpc disable;
  2741. sql disable;
  2742. }
  2743. flow {
  2744. tcp-mss {
  2745. ipsec-vpn {
  2746. mss 1350;
  2747. }
  2748. }
  2749. }
  2750. nat {
  2751. source {
  2752. rule-set interface-nat-out {
  2753. from zone Trust;
  2754. to zone Herakles;
  2755. rule interface-nat-out {
  2756. match {
  2757. source-address 0.0.0.0/0;
  2758. }
  2759. then {
  2760. source-nat {
  2761. interface;
  2762. }
  2763. }
  2764. }
  2765. }
  2766. rule-set DMZ_NAT {
  2767. from zone DMZ;
  2768. to zone Herakles;
  2769. rule DMZ_INTERFACE_NAT {
  2770. match {
  2771. source-address 192.168.10.0/24;
  2772. }
  2773. then {
  2774. source-nat {
  2775. interface;
  2776. }
  2777. }
  2778. }
  2779. }
  2780. rule-set APP_NAT {
  2781. from zone APP;
  2782. to zone Herakles;
  2783. rule APP_INTERFACE_NAT {
  2784. match {
  2785. source-address 192.168.11.0/24;
  2786. }
  2787. then {
  2788. source-nat {
  2789. interface;
  2790. }
  2791. }
  2792. }
  2793. }
  2794. rule-set MGMT_NAT {
  2795. from zone MGMT;
  2796. to zone Herakles;
  2797. rule MGMT_INTERFACE_NAT {
  2798. match {
  2799. source-address 192.168.20.0/24;
  2800. }
  2801. then {
  2802. source-nat {
  2803. interface;
  2804. }
  2805. }
  2806. }
  2807. }
  2808. }
  2809. destination {
  2810. pool EGIA-VPN-Trust {
  2811. address 192.168.252.9/32 port 1723;
  2812. }
  2813. pool STAGE-WEB-Trust {
  2814. address 192.168.252.211/32 port 80;
  2815. }
  2816. pool EGIAPRDWEB1 {
  2817. address 192.168.252.53/32;
  2818. }
  2819. pool EGIAWEB2 {
  2820. address 192.168.252.35/32;
  2821. }
  2822. pool EGIAFTP1 {
  2823. address 192.168.252.80/32;
  2824. }
  2825. pool TEMP_VPN_RDP {
  2826. address 192.168.252.5/32 port 3389;
  2827. }
  2828. rule-set Herakles-to-Trust {
  2829. from zone Herakles;
  2830. rule PGE_SFTP {
  2831. match {
  2832. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  2833. }
  2834. then {
  2835. destination-nat pool EGIAFTP1;
  2836. }
  2837. }
  2838. rule Herakles-EGIA-VPN-in {
  2839. match {
  2840. source-address 0.0.0.0/0;
  2841. destination-address xxxxxxxxxxxxxxxx;
  2842. destination-port 1723;
  2843. }
  2844. then {
  2845. destination-nat pool EGIA-VPN-Trust;
  2846. }
  2847. }
  2848. rule Herakles-STAGE-Web-in {
  2849. match {
  2850. source-address 0.0.0.0/0;
  2851. destination-address xxxxxxxxxxxxxxxxx;
  2852. destination-port 80;
  2853. }
  2854. then {
  2855. destination-nat pool STAGE-WEB-Trust;
  2856. }
  2857. }
  2858. rule Herakles-EGIAPRDWEB1-in {
  2859. match {
  2860. source-address 0.0.0.0/0;
  2861. destination-address xxxxxxxxxxxxxxxxxxxx;
  2862. }
  2863. then {
  2864. destination-nat pool EGIAPRDWEB1;
  2865. }
  2866. }
  2867. rule TEMP_RDP {
  2868. match {
  2869. source-address 32.158.121.9/32;
  2870. destination-address xxxxxxxxxxxxxxxxxxxxxx;
  2871. }
  2872. then {
  2873. destination-nat pool TEMP_VPN_RDP;
  2874. }
  2875. }
  2876. rule EGIA-WEB {
  2877. match {
  2878. destination-address xxxxxxxxxxxxxxxxx2;
  2879. }
  2880. then {
  2881. destination-nat pool EGIAWEB2;
  2882. }
  2883. }
  2884. }
  2885. }
  2886. static {
  2887. rule-set rs1 {
  2888. from zone Herakles;
  2889. inactive: rule r197 {
  2890. match {xxxxxxxx;
  2891. }
  2892. then {
  2893. static-nat {
  2894. prefix {
  2895. 192.168.252.35/32;
  2896. }
  2897. }
  2898. }
  2899. }
  2900. rule r198 {
  2901. match {
  2902. destination-address xxxxxxxxxxxxxx;
  2903. }
  2904. then {
  2905. static-nat {
  2906. prefix {
  2907. 192.168.252.12/32;
  2908. }
  2909. }
  2910. }
  2911. }
  2912. rule r201 {
  2913. match {
  2914. destination-address xxxxxxxxxxxxxxxxxx;
  2915. }
  2916. then {
  2917. static-nat {
  2918. prefix {
  2919. 192.168.10.244/32;
  2920. }
  2921. }
  2922. }
  2923. }
  2924. rule r202 {
  2925. match {
  2926. destination-address xxxxxxxxxxxxxxxxxxxxxxx;
  2927. }
  2928. then {
  2929. static-nat {
  2930. prefix {
  2931. 192.168.252.67/32;
  2932. }
  2933. }
  2934. }
  2935. }
  2936. rule r203 {
  2937. match {
  2938. destination-address xxxxxxxxxxxxxxxxxxxxxxx;
  2939. }
  2940. then {
  2941. static-nat {
  2942. prefix {
  2943. 192.168.10.253/32;
  2944. }
  2945. }
  2946. }
  2947. }
  2948. rule r204 {
  2949. match {
  2950. destination-address xxxxxxxxxxxxxxxxxx2;
  2951. }
  2952. then {
  2953. static-nat {
  2954. prefix {
  2955. 192.168.252.80/32;
  2956. }
  2957. }
  2958. }
  2959. }
  2960. rule 205 {
  2961. match {
  2962. destination-address xxxxxxxxxxxxxx;
  2963. }
  2964. then {
  2965. static-nat {
  2966. prefix {
  2967. 192.168.10.252/32;
  2968. }
  2969. }
  2970. }
  2971. }
  2972. rule 206 {
  2973. match {
  2974. destination-address xxxxxxxxxxxxxxxxxx;
  2975. }
  2976. then {
  2977. static-nat {
  2978. prefix {
  2979. 192.168.10.251/32;
  2980. }
  2981. }
  2982. }
  2983. }
  2984. rule 221 {
  2985. match {
  2986. destination-address xxxxxxxxxxxxxxxxxxxxx;
  2987. }
  2988. then {
  2989. static-nat {
  2990. prefix {
  2991. 192.168.252.87/32;
  2992. }
  2993. }
  2994. }
  2995. }
  2996. rule 220 {
  2997. match {
  2998. destination-address xxxxxxxxxxxxxxxxxxxxxxx;
  2999. }
  3000. then {
  3001. static-nat {
  3002. prefix {
  3003. 192.168.252.88/32;
  3004. }
  3005. }
  3006. }
  3007. }
  ## Static NAT: redacted public /32 <-> 192.168.10.250 (DMZ_LAN).
  3008. rule 219 {
  3009. match {
  3010. destination-address xxxxxxxxxxxxxxxxxxxxx;
  3011. }
  3012. then {
  3013. static-nat {
  3014. prefix {
  3015. 192.168.10.250/32;
  3016. }
  3017. }
  3018. }
  3019. }
  ## Static NAT: redacted public /32 <-> 192.168.10.249 (DMZ_LAN).
  3020. rule 218 {
  3021. match {
  3022. destination-address xxxxxxxxxxxxxxxxxxx;
  3023. }
  3024. then {
  3025. static-nat {
  3026. prefix {
  3027. 192.168.10.249/32;
  3028. }
  3029. }
  3030. }
  3031. }
  ## Static NAT: redacted public /32 <-> 192.168.10.248 (DMZ_LAN).
  3032. rule r207 {
  3033. match {
  3034. destination-address xxxxxxxxxxxxxxx2;
  3035. }
  3036. then {
  3037. static-nat {
  3038. prefix {
  3039. 192.168.10.248/32;
  3040. }
  3041. }
  3042. }
  3043. }
  ## Static NAT: 65.74.160.217/32 <-> 192.168.10.247 (DMZ_LAN). This is the one public address the
  ## paste left unredacted, unlike every other rule in the set.
  3044. rule r217 {
  3045. match {
  3046. destination-address 65.74.160.217/32;
  3047. }
  3048. then {
  3049. static-nat {
  3050. prefix {
  3051. 192.168.10.247/32;
  3052. }
  3053. }
  3054. }
  3055. }
  ## Static NAT: redacted public /32 <-> 192.168.10.243 (DMZ_LAN). The redaction on the
  ## destination-address line also swallowed its terminating ";", so this excerpt would not load as shown.
  3056. rule r216 {
  3057. match {
  3058. destination-address sssssssssssssssssssssss
  3059. }
  3060. then {
  3061. static-nat {
  3062. prefix {
  3063. 192.168.10.243/32;
  3064. }
  3065. }
  3066. }
  3067. }
  ## Static NAT: redacted public /32 <-> 192.168.10.246 (DMZ_LAN).
  3068. rule r215 {
  3069. match {
  3070. destination-address xxxxxxxxxxxxxxxxxxxxxxxx;
  3071. }
  3072. then {
  3073. static-nat {
  3074. prefix {
  3075. 192.168.10.246/32;
  3076. }
  3077. }
  3078. }
  3079. }
  ## Static NAT: redacted public /32 <-> 192.168.10.245 (DMZ_LAN).
  3080. rule r208 {
  3081. match {
  3082. destination-address xxxxxxxxxxxxxx;
  3083. }
  3084. then {
  3085. static-nat {
  3086. prefix {
  3087. 192.168.10.245/32;
  3088. }
  3089. }
  3090. }
  3091. }
  ## Static NAT: redacted public /32 <-> 192.168.10.254 (DMZ_LAN). Terminating ";" lost to redaction.
  3092. rule r209 {
  3093. match {
  3094. destination-address xxxxxxxxxxxxxxx
  3095. }
  3096. then {
  3097. static-nat {
  3098. prefix {
  3099. 192.168.10.254/32;
  3100. }
  3101. }
  3102. }
  3103. }
  ## Static NAT: redacted public /32 <-> 192.168.10.240 (DMZ_LAN). Terminating ";" lost to redaction.
  3104. rule r210 {
  3105. match {
  3106. destination-address xxxxxxxxxxxxxxxxxxxx
  3107. }
  3108. then {
  3109. static-nat {
  3110. prefix {
  3111. 192.168.10.240/32;
  3112. }
  3113. }
  3114. }
  3115. }
  ## Static NAT: redacted public /32 <-> 192.168.10.239 (DMZ_LAN).
  3116. rule r211 {
  3117. match {
  3118. destination-address xxxxxxxxxxxx;
  3119. }
  3120. then {
  3121. static-nat {
  3122. prefix {
  3123. 192.168.10.239/32;
  3124. }
  3125. }
  3126. }
  3127. }
  ## Static NAT: redacted public /32 <-> 192.168.10.238 (DMZ_LAN). Terminating ";" lost to redaction.
  3128. rule r212 {
  3129. match {
  3130. destination-address xxxxxxxxxxxxxx
  3131. }
  3132. then {
  3133. static-nat {
  3134. prefix {
  3135. 192.168.10.237/32;
  3136. }
  3137. }
  3138. }
  3139. }
  ## Static NAT: redacted public /32 <-> 192.168.10.237 (DMZ_LAN). Redaction removed both the ";" and
  ## the "}" that closed the match block (the blank line below), so the braces no longer balance here.
  3140. rule r213 {
  3141. match {
  3142. destination-address xxxxxxxxxxxxxxxx
  3143.  
  3144. then {
  3145. static-nat {
  3146. prefix {
  3147. 192.168.10.237/32;
  3148. }
  3149. }
  3150. }
  3151. }
  ## Static NAT: redacted public /32 <-> 192.168.252.99 (EGIA_99 in the Trust address-book). As with
  ## r213, the ";" and the "}" closing the match block were lost to redaction.
  3152. rule r214 {
  3153. match {
  3154. destination-address xxxxxxxxxxxx
  3155.  
  3156. then {
  3157. static-nat {
  3158. prefix {
  3159. 192.168.252.99/32;
  3160. }
  3161. }
  3162. }
  3163. }
  3164. }
  3165. }
  ## Proxy-ARP on the internet-facing reth1.0 for the NATed public addresses. The address list was
  ## redacted and truncated; the two blank lines are artefacts of that, not configuration.
  3166. proxy-arp {
  3167. interface reth1.0 {
  3168. address {
  3169. xxxxxxxxxxxxxxxx
  3170.  
  3171.  
  3172. }
  3173. }
  3174. }
  ## Security policies. Review notes: no policy here sets "log", so permitted sessions leave no
  ## session-init/close records; several zone pairs permit "application any" (Trust<->OFFICEVPN,
  ## Trust<->MGMT, MGMT->Herakles via MGMT_TEMP, MGMT->OFFICEVPN). No default-policy statement is
  ## visible in this excerpt, so unmatched traffic presumably falls to the Junos default of deny -- confirm.
  3175. policies {
  ## Unrestricted egress from Trust to the internet-facing zone (any/any/any). The only other egress
  ## control is firewall filter Herakles-out, whose catch-all term accepts everything.
  3176. from-zone Trust to-zone Herakles {
  3177. policy Trust-out {
  3178. match {
  3179. source-address any;
  3180. destination-address any;
  3181. application any;
  3182. }
  3183. then {
  3184. permit;
  3185. }
  3186. }
  3187. }
  3188. from-zone Herakles to-zone Trust {
  ## Inbound HTTP/HTTPS from any source to the listed web hosts (names resolve in the Trust address-book).
  3189. policy Herakles-web-incoming {
  3190. match {
  3191. source-address any;
  3192. destination-address [ EGIA-WEB-server CONSERVATIONREBATES-WEB-server STAGE-WEB-server EGIAPRDWEB1 EGIAPRDWEB5 EGIAQAWEB2 PGE_VIRTUAL_IP EGIAQWEB4 NICOR_VIRTUAL_IP EGIARPS_VIRTUAL_IP SWG_EGIAPRDWEB1 CCNG_EGIAPRDWEB1 RECOL_VIRTUAL_IP AGL_VIRTUAL_IP CNGC_VIRTUAL_IP DKNG_VIRTUAL_IP SOCALGAS_VIRTUAL_IP MWDTURF_VIRTUAL_IP SDBX_VIRTUAL_IP SCGA_VIRTUAL_IP NICOR_REVIEW_VIRTUAL_IP EGIA_99 ];
  3193. application [ junos-http junos-https ];
  3194. }
  3195. then {
  3196. permit;
  3197. }
  3198. }
  ## Name typo ("incomfing") -- it is an identifier, so renaming means re-pointing any references.
  ## Permits cleartext FTP (junos-ftp) as well as SSH from any internet source to the web server and
  ## EGIAFTP1; if the service is SFTP as the name suggests, junos-ssh alone is sufficient.
  3199. policy Herakles-sftp-incomfing {
  3200. match {
  3201. source-address any;
  3202. destination-address [ EGIA-WEB-server EGIAFTP1 ];
  3203. application [ junos-ftp junos-ssh ];
  3204. }
  3205. then {
  3206. permit;
  3207. }
  3208. }
  ## PPTP from any internet source to the VPN server. PPTP's MS-CHAPv2 authentication is widely
  ## regarded as broken; the IPsec tunnels implied by the st0.* interfaces and IKE below are the
  ## stronger alternative for remote access.
  3209. policy Herakles-VPN-incoming {
  3210. match {
  3211. source-address any;
  3212. destination-address EGIA-VPN-server;
  3213. application junos-pptp;
  3214. }
  3215. then {
  3216. permit;
  3217. }
  3218. }
  ## ICMP echo from any internet source to any Trust address; combined with the static NAT rules,
  ## pings to the public addresses reach the internal hosts behind them.
  3219. policy Herakles-ping {
  3220. match {
  3221. source-address any;
  3222. destination-address any;
  3223. application junos-icmp-ping;
  3224. }
  3225. then {
  3226. permit;
  3227. }
  3228. }
  ## Admin access from two fixed source IPs (address-set Dustin in the Herakles address-book) with
  ## "application any", although the name suggests RDP only; the RDC application (tcp/3389) defined
  ## under applications would match the stated intent.
  3229. policy Dustin_RDP {
  3230. match {
  3231. source-address Dustin;
  3232. destination-address [ EGIA-VPN-server VC1 ];
  3233. application any;
  3234. }
  3235. then {
  3236. permit;
  3237. }
  3238. }
  3239. }
  ## OFFICEVPN <-> Trust is any/any/any in both directions: the tunnelled sites are trusted exactly
  ## like the local LAN.
  3240. from-zone OFFICEVPN to-zone Trust {
  3241. policy default-permit {
  3242. match {
  3243. source-address any;
  3244. destination-address any;
  3245. application any;
  3246. }
  3247. then {
  3248. permit;
  3249. }
  3250. }
  3251. }
  3252. from-zone Trust to-zone OFFICEVPN {
  3253. policy default-permit {
  3254. match {
  3255. source-address any;
  3256. destination-address any;
  3257. application any;
  3258. }
  3259. then {
  3260. permit;
  3261. }
  3262. }
  3263. }
  3264. from-zone APP to-zone Trust {
  ## Named for DHCP but matches "application any" from APP_LAN to EGIADC02; the same pattern repeats
  ## in the DMZ and DATA contexts and in the DHCP-REPLY policies below.
  3265. policy DHCP-REQUEST {
  3266. match {
  3267. source-address APP_LAN;
  3268. destination-address EGIADC02;
  3269. application any;
  3270. }
  3271. then {
  3272. permit;
  3273. }
  3274. }
  ## Oracle (tcp/1521, ALG ignored) and NFS from the application tier to any Trust host.
  3275. policy APP_TO_TRUST {
  3276. match {
  3277. source-address APP_LAN;
  3278. destination-address any;
  3279. application [ ORACLE_APP_IGNORE junos-nfs ];
  3280. }
  3281. then {
  3282. permit;
  3283. }
  3284. }
  3285. }
  3286. from-zone DMZ to-zone Trust {
  3287. policy DHCP-REQUEST {
  3288. match {
  3289. source-address DMZ_LAN;
  3290. destination-address EGIADC02;
  3291. application any;
  3292. }
  3293. then {
  3294. permit;
  3295. }
  3296. }
  ## DMZ hosts may initiate HTTP to any Trust address -- a DMZ-to-inside path; worth confirming
  ## which internal web targets are actually required and listing them instead of "any".
  3297. policy DMZ-WEB-ACCESS {
  3298. match {
  3299. source-address DMZ_LAN;
  3300. destination-address any;
  3301. application junos-http;
  3302. }
  3303. then {
  3304. permit;
  3305. }
  3306. }
  3307. }
  3308. from-zone DATA to-zone Trust {
  3309. policy DHCP-REQUEST {
  3310. match {
  3311. source-address DATA_LAN;
  3312. destination-address EGIADC02;
  3313. application any;
  3314. }
  3315. then {
  3316. permit;
  3317. }
  3318. }
  3319. }
  3320. from-zone Trust to-zone DATA {
  3321. policy DHCP-REPLY {
  3322. match {
  3323. source-address EGIADC02;
  3324. destination-address DATA_LAN;
  3325. application any;
  3326. }
  3327. then {
  3328. permit;
  3329. }
  3330. }
  ## RDP (RDC = tcp/3389) from any Trust source into the whole DATA_LAN.
  3331. policy RDC {
  3332. match {
  3333. source-address any;
  3334. destination-address DATA_LAN;
  3335. application RDC;
  3336. }
  3337. then {
  3338. permit;
  3339. }
  3340. }
  3341. }
  3342. from-zone Trust to-zone DMZ {
  3343. policy DHCP-REPLY {
  3344. match {
  3345. source-address EGIADC02;
  3346. destination-address DMZ_LAN;
  3347. application any;
  3348. }
  3349. then {
  3350. permit;
  3351. }
  3352. }
  3353. policy Trust_TO_DMZ {
  3354. match {
  3355. source-address any;
  3356. destination-address DMZ_LAN;
  3357. application [ junos-ssh junos-http junos-https ];
  3358. }
  3359. then {
  3360. permit;
  3361. }
  3362. }
  3363. }
  3364. from-zone Trust to-zone APP {
  3365. policy DHCP-REPLY {
  3366. match {
  3367. source-address EGIADC02;
  3368. destination-address APP_LAN;
  3369. application any;
  3370. }
  3371. then {
  3372. permit;
  3373. }
  3374. }
  3375. policy Trust_TO_APP {
  3376. match {
  3377. source-address any;
  3378. destination-address APP_LAN;
  3379. application [ junos-ssh junos-http junos-https ];
  3380. }
  3381. then {
  3382. permit;
  3383. }
  3384. }
  3385. }
  ## DMZ egress to the internet: SSH, HTTP, HTTPS and ping to any destination.
  3386. from-zone DMZ to-zone Herakles {
  3387. policy DMZ_TO_Herakles {
  3388. match {
  3389. source-address DMZ_LAN;
  3390. destination-address any;
  3391. application [ junos-ssh junos-http junos-https junos-icmp-ping ];
  3392. }
  3393. then {
  3394. permit;
  3395. }
  3396. }
  3397. }
  3398. from-zone Herakles to-zone DMZ {
  3399. policy DMZ-WEB-ACCESS {
  3400. match {
  3401. source-address any;
  3402. destination-address DMZ_LAN;
  3403. application [ junos-http junos-https ];
  3404. }
  3405. then {
  3406. permit;
  3407. }
  3408. }
  3409. }
  3410. from-zone OFFICEVPN to-zone DMZ {
  3411. policy OFFICE_TO_DMZ {
  3412. match {
  3413. source-address any;
  3414. destination-address DMZ_LAN;
  3415. application [ junos-ssh junos-http junos-https ];
  3416. }
  3417. then {
  3418. permit;
  3419. }
  3420. }
  3421. }
  3422. from-zone APP to-zone DMZ {
  ## Outbound web access from the APP tier is steered through EGIAPROXY01 (SQUID = tcp/3128).
  3423. policy APP_TO_PROXY {
  3424. match {
  3425. source-address APP_LAN;
  3426. destination-address EGIAPROXY01;
  3427. application SQUID;
  3428. }
  3429. then {
  3430. permit;
  3431. }
  3432. }
  3433. policy APP_TO_DMZ {
  3434. match {
  3435. source-address APP_LAN;
  3436. destination-address DMZ_LAN;
  3437. application [ junos-http junos-https junos-ftp ];
  3438. }
  3439. then {
  3440. permit;
  3441. }
  3442. }
  3443. }
  3444. from-zone DMZ to-zone APP {
  3445. policy DMZ_WEB_ACCESS {
  3446. match {
  3447. source-address DMZ_LAN;
  3448. destination-address APP_LAN;
  3449. application junos-http;
  3450. }
  3451. then {
  3452. permit;
  3453. }
  3454. }
  3455. }
  ## Trust <-> MGMT is any/any in both directions; the MGMT zone's own host-inbound-traffic (below)
  ## limits what reaches the firewall itself to ping, dhcp and ssh.
  3456. from-zone Trust to-zone MGMT {
  3457. policy trust_to_mgmt {
  3458. match {
  3459. source-address any;
  3460. destination-address MGMT_LAN;
  3461. application any;
  3462. }
  3463. then {
  3464. permit;
  3465. }
  3466. }
  3467. }
  3468. from-zone MGMT to-zone Trust {
  3469. policy mgmt_to_trust {
  3470. match {
  3471. source-address MGMT_LAN;
  3472. destination-address any;
  3473. application any;
  3474. }
  3475. then {
  3476. permit;
  3477. }
  3478. }
  3479. }
  ## The scoped MGMT_TO_HERAKLES policy is inactive and MGMT_TEMP ("application any") is what actually
  ## applies, so the management network has unrestricted internet egress and the BARRACUDA application
  ## is unused. Re-activate the scoped policy and delete MGMT_TEMP once the temporary need has passed.
  3480. from-zone MGMT to-zone Herakles {
  3481. inactive: policy MGMT_TO_HERAKLES {
  3482. match {
  3483. source-address MGMT_LAN;
  3484. destination-address any;
  3485. application [ junos-http junos-https junos-dns-tcp junos-dns-udp junos-ftp BARRACUDA ];
  3486. }
  3487. then {
  3488. permit;
  3489. }
  3490. }
  3491. policy MGMT_TEMP {
  3492. match {
  3493. source-address MGMT_LAN;
  3494. destination-address any;
  3495. application any;
  3496. }
  3497. then {
  3498. permit;
  3499. }
  3500. }
  3501. }
  3502. from-zone OFFICEVPN to-zone MGMT {
  3503. policy Office_to_mgmt {
  3504. match {
  3505. source-address any;
  3506. destination-address MGMT_LAN;
  3507. application [ junos-http junos-https junos-cifs ];
  3508. }
  3509. then {
  3510. permit;
  3511. }
  3512. }
  3513. }
  3514. from-zone DATA to-zone DMZ {
  3515. policy DATA_TO_PROXY {
  3516. match {
  3517. source-address DATA_LAN;
  3518. destination-address EGIAPROXY01;
  3519. application SQUID;
  3520. }
  3521. then {
  3522. permit;
  3523. }
  3524. }
  3525. }
  3526. from-zone OFFICEVPN to-zone APP {
  3527. policy OFFICE_TO_APP {
  3528. match {
  3529. source-address any;
  3530. destination-address APP_LAN;
  3531. application [ junos-ssh junos-http junos-https junos-ftp junos-icmp-ping ];
  3532. }
  3533. then {
  3534. permit;
  3535. }
  3536. }
  3537. }
  3538. from-zone APP to-zone Herakles {
  3539. policy APP_TO_Herakles {
  3540. match {
  3541. source-address APP_LAN;
  3542. destination-address any;
  3543. application [ junos-http junos-https junos-ftp ];
  3544. }
  3545. then {
  3546. permit;
  3547. }
  3548. }
  3549. }
  ## Management network may open anything towards the tunnelled sites; there is no reverse
  ## OFFICEVPN -> MGMT "any" policy, only Office_to_mgmt above.
  3550. from-zone MGMT to-zone OFFICEVPN {
  3551. policy default-permit {
  3552. match {
  3553. source-address any;
  3554. destination-address any;
  3555. application any;
  3556. }
  3557. then {
  3558. permit;
  3559. }
  3560. }
  3561. }
  3562. }
  ## Security zones and their address-books. Host-inbound-traffic here governs what may reach the
  ## firewall's own control plane, independently of the inter-zone policies above.
  3563. zones {
  3564. security-zone Trust {
  3565. tcp-rst;
  3566. address-book {
  3567. address EGIA-WEB-server 192.168.252.35/32;
  3568. address CONSERVATIONREBATES-WEB-server 192.168.252.12/32;
  3569. address EGIA-VPN-server 192.168.252.9/32;
  3570. address STAGE-WEB-server 192.168.252.211/32;
  3571. address EGIAPRDWEB1 192.168.252.53/32;
  3572. address EGIAPRDWEB5 192.168.252.57/32;
  3573. address EGIAQAWEB2 192.168.252.67/32;
  3574. address PGE_VIRTUAL_IP 192.168.252.100/32;
  3575. address EGIAFTP1 192.168.252.80/32;
  3576. address EGIAQWEB4 192.168.252.61/32;
  3577. address NICOR_VIRTUAL_IP 192.168.252.101/32;
  3578. address EGIARPS_VIRTUAL_IP 192.168.252.103/32;
  3579. address SWG_EGIAPRDWEB1 192.168.252.87/32;
  3580. address CCNG_EGIAPRDWEB1 192.168.252.88/32;
  3581. address RECOL_VIRTUAL_IP 192.168.252.104/32;
  3582. address AGL_VIRTUAL_IP 192.168.252.105/32;
  3583. address CNGC_VIRTUAL_IP 192.168.252.106/32;
  3584. address DKNG_VIRTUAL_IP 192.168.252.108/32;
  3585. address VC1 192.168.252.5/32;
  3586. address SOCALGAS_VIRTUAL_IP 192.168.252.109/32;
  3587. address MWDTURF_VIRTUAL_IP 192.168.252.110/32;
  3588. address SDBX_VIRTUAL_IP 192.168.252.111/32;
  3589. address SCGA_VIRTUAL_IP 192.168.252.112/32;
  3590. address NICOR_REVIEW_VIRTUAL_IP 192.168.252.113/32;
  3591. address EGIADC02 192.168.252.102/32;
  3592. address EGIA_99 192.168.252.99/32;
  3593. }
  ## "system-services all" / "protocols all" on reth0.0 and lo0.0: every management service the
  ## device runs, and every routing protocol, is accepted from the Trust LAN. The MGMT zone only
  ## needs ssh; tightening this to the services actually used is the usual hardening step.
  3594. interfaces {
  3595. reth0.0 {
  3596. host-inbound-traffic {
  3597. system-services {
  3598. all;
  3599. }
  3600. protocols {
  3601. all;
  3602. }
  3603. }
  3604. }
  3605. lo0.0 {
  3606. host-inbound-traffic {
  3607. system-services {
  3608. all;
  3609. }
  3610. protocols {
  3611. all;
  3612. }
  3613. }
  3614. }
  3615. }
  3616. }
  ## Internet-facing zone: only IKE at zone level and ping/IKE on reth1.0 reach the device itself.
  ## Dustin1/Dustin2 are the two fixed source addresses used by the Dustin_RDP policy.
  3617. security-zone Herakles {
  3618. address-book {
  3619. address Dustin1 99.89.113.240/32;
  3620. address Dustin2 32.158.121.9/32;
  3621. address-set Dustin {
  3622. address Dustin1;
  3623. address Dustin2;
  3624. }
  3625. }
  3626. host-inbound-traffic {
  3627. system-services {
  3628. ike;
  3629. }
  3630. }
  3631. interfaces {
  3632. reth1.0 {
  3633. host-inbound-traffic {
  3634. system-services {
  3635. ping;
  3636. ike;
  3637. }
  3638. }
  3639. }
  3640. }
  3641. }
  ## Tunnel peers on st0.0/st0.1 get "system-services all" and "protocols all" -- full access to the
  ## firewall's management plane. Together with the any/any OFFICEVPN<->Trust policies, the remote
  ## sites are effectively inside the perimeter.
  3642. security-zone OFFICEVPN {
  3643. host-inbound-traffic {
  3644. system-services {
  3645. all;
  3646. }
  3647. protocols {
  3648. all;
  3649. }
  3650. }
  3651. interfaces {
  3652. st0.0;
  3653. st0.1;
  3654. }
  3655. }
  3656. security-zone APP {
  3657. address-book {
  3658. address APP_LAN 192.168.11.0/24;
  3659. }
  3660. interfaces {
  3661. reth2.11 {
  3662. host-inbound-traffic {
  3663. system-services {
  3664. ping;
  3665. dhcp;
  3666. }
  3667. }
  3668. }
  3669. }
  3670. }
  3671. security-zone DATA {
  3672. address-book {
  3673. address DATA_LAN 192.168.12.0/24;
  3674. }
  3675. interfaces {
  3676. reth2.12 {
  3677. host-inbound-traffic {
  3678. system-services {
  3679. ping;
  3680. dhcp;
  3681. }
  3682. }
  3683. }
  3684. }
  3685. }
  3686. security-zone DMZ {
  3687. address-book {
  3688. address DMZ_LAN 192.168.10.0/24;
  3689. address EGIAPROXY01 192.168.10.12/32;
  3690. }
  3691. interfaces {
  3692. reth2.10 {
  3693. host-inbound-traffic {
  3694. system-services {
  3695. ping;
  3696. dhcp;
  3697. }
  3698. }
  3699. }
  3700. }
  3701. }
  ## Device management over SSH is accepted from MGMT_LAN only (plus ping and dhcp).
  3702. security-zone MGMT {
  3703. address-book {
  3704. address MGMT_LAN 192.168.20.0/24;
  3705. }
  3706. interfaces {
  3707. reth2.20 {
  3708. host-inbound-traffic {
  3709. system-services {
  3710. ping;
  3711. dhcp;
  3712. ssh;
  3713. }
  3714. }
  3715. }
  3716. }
  3717. }
  ## st0.2 accepts SNMP towards the device; the SNMP configuration itself is not in this excerpt,
  ## and no policies reference the VPN zone above.
  3718. security-zone VPN {
  3719. interfaces {
  3720. st0.2 {
  3721. host-inbound-traffic {
  3722. system-services {
  3723. ping;
  3724. snmp;
  3725. }
  3726. }
  3727. }
  3728. }
  3729. }
  3730. }
  3731. }
  ## Stateless firewall filters and policers. None of the three policers is referenced by any term
  ## below (every term's action is a bare "accept"), so they currently have no effect. Units are mixed
  ## ("512k" vs "1024000"); Junos accepts both, but one form reads more consistently.
  3732. firewall {
  3733. policer bandwidth-control-512k {
  3734. if-exceeding {
  3735. bandwidth-limit 512k;
  3736. burst-size-limit 128k;
  3737. }
  3738. then discard;
  3739. }
  3740. policer bandwidth-control-1024k {
  3741. if-exceeding {
  3742. bandwidth-limit 1024000;
  3743. burst-size-limit 128k;
  3744. }
  3745. then discard;
  3746. }
  3747. policer bandwidth-control-2048k {
  3748. if-exceeding {
  3749. bandwidth-limit 2048000;
  3750. burst-size-limit 512k;
  3751. }
  3752. then discard;
  3753. }
  ## Single term accepting traffic to the (redacted) prefix; a Junos filter ends in an implicit
  ## discard, so everything else is dropped wherever this filter is applied (the interface binding
  ## is outside this excerpt). The redaction also removed the address line's ";".
  3754. filter Herakles-in {
  3755. term incoming-internet-access {
  3756. from {
  3757. destination-address {
  3758. xxxxxxxxxxxxxxxxxx
  3759. }
  3760. }
  3761. then accept;
  3762. }
  3763. }
  ## "rate-limit-web-traffic" does not limit anything: its action is a plain accept with no policer
  ## reference, and "catch-all" accepts the remainder, so this filter permits all egress. Either
  ## attach one of the policers above, e.g. "then { policer bandwidth-control-2048k; accept; }",
  ## or drop the misleadingly named term.
  3764. filter Herakles-out {
  3765. term rackspace_traffic {
  3766. from {
  3767. destination-address {
  3768. xxxxxxxxxxxxxxxxxxxxx
  3769. }
  3770. destination-port [ http https ];
  3771. }
  3772. then accept;
  3773. }
  3774. term rate-limit-web-traffic {
  3775. from {
  3776. source-address {
  3777. 192.168.252.7/32;
  3778. }
  3779. destination-port [ http https ];
  3780. }
  3781. then accept;
  3782. }
  3783. term catch-all {
  3784. then accept;
  3785. }
  3786. }
  3787. }
  ## Custom application definitions referenced by the security policies.
  ## ORACLE_APP_IGNORE: Oracle listener tcp/1521 with ALG processing disabled ("alg ignore").
  ## SQUID: proxy port tcp/3128. RDC: RDP tcp/3389.
  ## BARRACUDA (OpenVPN-style 1194 tcp/udp plus 5120-5129) is referenced only by the inactive
  ## MGMT_TO_HERAKLES policy and is therefore unused until that policy is re-activated.
  3788. applications {
  3789. application ORACLE_APP_IGNORE {
  3790. term t1 alg ignore protocol tcp destination-port 1521;
  3791. }
  3792. application SQUID {
  3793. term t1 protocol tcp destination-port 3128;
  3794. }
  3795. application RDC {
  3796. term t1 protocol tcp destination-port 3389;
  3797. }
  3798. application BARRACUDA {
  3799. term t1 protocol tcp destination-port 1194;
  3800. term t2 protocol udp destination-port 1194;
  3801. term t3 protocol tcp destination-port 5120-5129;
  3802. term t4 protocol udp destination-port 5120-5129;
  3803. }
  3804. }
  3805.  
  3806. {primary:node0}[edit]
  3807. root@EGIAFW01#
  3808.  
  3809. _______________________________