- 192.168.253.x config:
- {primary:node0}[edit]
- dscott@EGIAWATTFW2# show
- ## Last changed: 2015-12-10 08:00:23 PST
- ## Chassis-cluster member EGIAWATTFW2 (node1 of the pair below). Per-node
- ## settings (host-name, fxp0 management address) live in the node0/node1
- ## groups and are selected at the end of this stanza by apply-groups "${node}".
- version 12.1X44-D35.5;
- groups {
- node0 {
- system {
- host-name EGIAWATTFW1;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- ## Out-of-band management address, configured as a /32 host address.
- address 192.168.251.1/32;
- }
- }
- }
- }
- }
- node1 {
- system {
- host-name EGIAWATTFW2;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.251.2/32;
- }
- }
- }
- }
- }
- }
- apply-groups "${node}";
- system {
- host-name EGIAWATTFW2;
- time-zone America/Los_Angeles;
- root-authentication {
- ## Hash redacted in this paste; Junos tags it SECRET-DATA.
- encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxx1"; ## SECRET-DATA
- }
- ## External resolvers; lookups leave the device unencrypted.
- name-server {
- 208.67.222.222;
- 208.67.220.220;
- }
- login {
- ## Single local super-user account. No authentication-order (RADIUS/TACACS+)
- ## is configured, so the local password hash is the only admin credential.
- user dscott {
- full-name "Dustin Scott";
- uid 4000;
- class super-user;
- authentication {
- encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- }
- }
- services {
- ## SSH is the only management service enabled on this device; no
- ## protocol-version restriction is set here, so the Junos default applies.
- ssh;
- }
- syslog {
- ## Local log files only - no remote syslog host - rotated at 100k x 3 files,
- ## so older events are overwritten on the device itself.
- archive size 100k files 3;
- user * {
- any emergency;
- }
- file messages {
- any critical;
- ## Login / authorization events are kept at info level.
- authorization info;
- }
- file interactive-commands {
- ## Only failed CLI commands are recorded at severity error; raising this
- ## to info would log every operator command for audit purposes.
- interactive-commands error;
- }
- }
- max-configurations-on-flash 20;
- max-configuration-rollbacks 20;
- license {
- autoupdate {
- ## Licence-key retrieval from Juniper over HTTPS.
- url https://ae1.juniper.net/junos/key_retrieval;
- }
- }
- ntp {
- ## NTP server redacted; no authentication-key is configured for it.
- server xxxxxxxxxxxxxxxxxxxxx;
- }
- }
- chassis {
- cluster {
- control-link-recovery;
- reth-count 3;
- ## 2000 ms x 8 missed heartbeats is roughly 16 s before the peer node is
- ## declared lost.
- heartbeat-interval 2000;
- heartbeat-threshold 8;
- ## RG0 = routing engine, RG1 = data plane (reth0-2). node0 is preferred
- ## (254 vs 1). No interface-monitor is configured, so RG1 does not fail
- ## over on a single member-link failure by itself.
- redundancy-group 0 {
- node 0 priority 254;
- node 1 priority 1;
- }
- redundancy-group 1 {
- node 0 priority 254;
- node 1 priority 1;
- }
- }
- }
- interfaces {
- ## Physical members paired into reth0-2: ge-0/0/x on one node and ge-3/0/x
- ## (presumably the other node's slot numbering) on the other.
- ge-0/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-0/0/2 {
- gigether-options {
- redundant-parent reth1;
- }
- }
- ge-0/0/3 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- ge-3/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-3/0/2 {
- gigether-options {
- redundant-parent reth1;
- }
- }
- ge-3/0/3 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- ## Cluster fabric (data) links, one member port per node.
- fab0 {
- fabric-options {
- member-interfaces {
- ge-0/0/5;
- }
- }
- }
- fab1 {
- fabric-options {
- member-interfaces {
- ge-3/0/5;
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- address 127.0.0.1/32;
- }
- }
- }
- ## LAN side (192.168.253.0/24). The LAN-IN input filter defined under
- ## firewall is referenced here but marked inactive, so the filter-based
- ## forwarding it describes is NOT in effect on LAN ingress.
- reth0 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- family inet {
- inactive: filter {
- input LAN-IN;
- }
- address 192.168.253.10/24;
- }
- }
- }
- ## Uplink 1 (public address redacted). No filter is attached to either
- ## uplink, so the ISP-in / ISP-out filters under firewall are unused in
- ## this configuration; inbound SSH on the public addresses is governed only
- ## by the untrust zone's host-inbound-traffic.
- reth1 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- family inet {
- ## The address statement below appears to have lost its ';' in redaction.
- address xxxxxxxxxxxxxxxxxxx
- }
- }
- }
- ## Uplink 2 (public address redacted).
- reth2 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- family inet {
- address xxxxxxxxxxxxxxxxxxxxxxxxxx;
- }
- }
- }
- ## Route-based IPsec tunnel interfaces, bound to vpn HERAKLES (st0.0) and
- ## HERAKLES-secondary (st0.1) under security ipsec. The peer configuration
- ## later in this paste holds the .1 end of each /30.
- st0 {
- unit 0 {
- family inet {
- address 172.16.0.2/30;
- }
- }
- unit 1 {
- family inet {
- address 172.16.1.2/30;
- }
- }
- }
- }
- snmp {
- location Herakles;
- contact "dscott98@gmail.com";
- ## v1/v2c community: the name travels in the clear and acts as a credential
- ## (it is not redacted in this paste). Read-only and limited to the two
- ## prefixes below; every other source is restricted.
- community egia-public {
- authorization read-only;
- clients {
- 192.168.252.0/24;
- 192.168.20.0/24;
- 0.0.0.0/0 restrict;
- }
- }
- }
- routing-options {
- ## Copies interface routes from inet.0 into the two forwarding instances
- ## (INTEGRA-1, CONSOLIDATED-1) so the filter-based forwarding in firewall
- ## filter LAN-IN can still reach directly connected networks.
- interface-routes {
- rib-group inet IMPORT-PHY;
- }
- static {
- ## Default route: primary next-hop redacted; the active qualified-next-hop
- ## at preference 10 is the backup (static routes default to preference 5).
- route 0.0.0.0/0 {
- next-hop xxxxxxxxxxxxxxx;
- inactive: qualified-next-hop 207.231.77.101 {
- preference 10;
- }
- qualified-next-hop xxxxxxxxxxxxxxxxxxxx {
- preference 10;
- }
- }
- ## VOIP_NETWORK (see trust address-book) sits behind an internal router.
- route 192.168.254.0/24 next-hop 192.168.253.233;
- ## Remote-site prefixes go over the primary tunnel st0.0, with st0.1 as
- ## the less-preferred (preference 10) backup.
- route 192.168.10.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- route 192.168.11.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- route 192.168.12.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- route 192.168.20.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- route 192.168.252.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- }
- rib-groups {
- IMPORT-PHY {
- import-rib [ inet.0 INTEGRA-1.inet.0 CONSOLIDATED-1.inet.0 ];
- }
- }
- }
- ## Spanning tree enabled with default parameters.
- protocols {
- stp;
- }
- security {
- ike {
- respond-bad-spi 5;
- ## IKEv1 with pre-shared keys. dh-group group2 is 1024-bit MODP, below
- ## current guidance; group14 or larger is the usual minimum today.
- proposal IKE-PROPOSAL {
- authentication-method pre-shared-keys;
- dh-group group2;
- authentication-algorithm sha-256;
- encryption-algorithm aes-256-cbc;
- }
- ## Main mode keeps the peer identities encrypted; the PSK itself is
- ## redacted (SECRET-DATA).
- policy IKE-POLICY {
- mode main;
- proposals IKE-PROPOSAL;
- pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- ## Primary peer via uplink 1, secondary via uplink 2, both with dead-peer
- ## detection (10 s interval, 5 misses).
- gateway IKE-GATEWAY {
- ike-policy IKE-POLICY;
- address xxxxxxxxxxxxxxxxxxxx;
- dead-peer-detection {
- interval 10;
- threshold 5;
- }
- external-interface reth1.0;
- }
- gateway IKE-GATEWAY-secondary {
- ike-policy IKE-POLICY;
- address xxxxxxxxxxxxxxxxxxxx;
- dead-peer-detection {
- interval 10;
- threshold 5;
- }
- external-interface reth2.0;
- }
- }
- ipsec {
- vpn-monitor-options {
- interval 5;
- threshold 7;
- }
- ## hmac-md5-96 integrity is deprecated; hmac-sha1-96 is available on this
- ## release and SHA-2 variants where supported would match the sha-256
- ## already used for IKE.
- proposal IPSEC-PROPOSAL {
- protocol esp;
- authentication-algorithm hmac-md5-96;
- encryption-algorithm aes-256-cbc;
- }
- ## No perfect-forward-secrecy statement, so phase 2 keys derive from the
- ## phase 1 DH exchange only.
- policy IPSEC-POLICY {
- proposals IPSEC-PROPOSAL;
- }
- ## Two always-up tunnels to the same remote site, one per uplink.
- vpn HERAKLES {
- bind-interface st0.0;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- vpn HERAKLES-secondary {
- bind-interface st0.1;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY-secondary;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- }
- alg {
- sql disable;
- }
- flow {
- ## Clamp TCP MSS inside the tunnels to avoid fragmentation of ESP packets.
- tcp-mss {
- ipsec-vpn {
- mss 1350;
- }
- }
- }
- ## Screen profile applied to the untrust zone below.
- screen {
- ids-option untrust-screen {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- ## Hide everything leaving trust for untrust behind the egress interface.
- source {
- rule-set trust-to-untrust {
- from zone trust;
- to zone untrust;
- rule source-nat-rule {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- ## Inbound SMTP on the (redacted) public address is translated to the
- ## mail host; the security policy below then matches the post-NAT address
- ## WHITE-EXCHANGE.
- destination {
- pool WHITE {
- address 192.168.253.25/32 port 25;
- }
- rule-set dest_nat_R1 {
- from zone untrust;
- rule WHITE_smtp {
- match {
- destination-address xxxxxxxxxxxxxxxx;
- destination-port 25;
- }
- then {
- destination-nat pool WHITE;
- }
- }
- }
- }
- ## Static 1:1 mapping is deactivated; nothing here is live.
- static {
- inactive: rule-set R1 {
- from zone untrust;
- rule WHITE {
- match {
- destination-address xxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.253.35/32;
- }
- }
- }
- }
- }
- }
- }
- ## No default-policy statement, so the SRX deny-all default applies to any
- ## zone pair or flow not matched below.
- policies {
- ## Site-to-site tunnel is fully open in both directions.
- from-zone HERAKLESVPN to-zone trust {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone trust to-zone HERAKLESVPN {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Unrestricted outbound Internet access from the LAN.
- from-zone trust to-zone untrust {
- policy trust-to-untrust {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Only inbound exposure from the Internet: SMTP and ICMP to the mail host.
- from-zone untrust to-zone trust {
- policy Surewest-white-exchange-incoming {
- match {
- source-address any;
- destination-address WHITE-EXCHANGE;
- application [ junos-smtp junos-icmp-all ];
- }
- then {
- permit;
- }
- }
- }
- ## Intra-zone policy: traffic to 192.168.254.0/24 enters and leaves
- ## reth0.0 (next-hop 192.168.253.233 under routing-options), so it needs
- ## an explicit trust-to-trust permit.
- from-zone trust to-zone trust {
- policy VOIP_NETWORK_ACCESS {
- match {
- source-address any;
- destination-address VOIP_NETWORK;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- ## LAN zone: every system service and protocol is reachable from reth0.0
- ## and lo0.0.
- security-zone trust {
- tcp-rst;
- address-book {
- address WHITE-EXCHANGE 192.168.253.25/32;
- address VOIP_NETWORK 192.168.254.0/24;
- }
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- interfaces {
- reth0.0;
- lo0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- }
- }
- ## Internet zone: ssh, ike and ping accepted at zone level; reth2.0 repeats
- ## them and reth1.0 adds rpm for the probes under services. Because the
- ## ISP-in filter is not attached to the uplinks, SSH from the Internet is
- ## not source-restricted here.
- security-zone untrust {
- screen untrust-screen;
- host-inbound-traffic {
- system-services {
- ssh;
- ike;
- ping;
- }
- }
- interfaces {
- reth2.0 {
- host-inbound-traffic {
- system-services {
- ping;
- ssh;
- ike;
- }
- }
- }
- reth1.0 {
- host-inbound-traffic {
- system-services {
- rpm;
- }
- }
- }
- }
- }
- ## Tunnel zone: all services/protocols reachable from the remote site.
- security-zone HERAKLESVPN {
- interfaces {
- st0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- st0.1 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- }
- }
- }
- }
- firewall {
- ## Named 512k but limits at 5m / 256k burst; the name looks stale.
- policer bandwidth-control-512k {
- if-exceeding {
- bandwidth-limit 5m;
- burst-size-limit 256k;
- }
- then discard;
- }
- ## Inbound uplink filter. Not attached to any interface in this
- ## configuration (see reth1/reth2), so these terms are currently inert.
- filter ISP-in {
- ## Drops SSH to the device from all but three allow-listed /32 sources
- ## (only for source ports 1024-65535).
- term filter-management-traffic {
- from {
- source-address {
- 0.0.0.0/0;
- xxxxxxxxxxxx/32 except;
- xxxxxxxxxxxxx/32 except;
- xxxxxxxxxxxxx/32 except;
- }
- protocol tcp;
- source-port 1024-65535;
- destination-port ssh;
- }
- then {
- discard;
- }
- }
- term incoming-internet-access {
- from {
- destination-address {
- xxxxxxxxxxxx/25;
- }
- }
- then accept;
- }
- term forwared-to-flow-processing {
- then accept;
- }
- }
- ## Outbound uplink filter: rate-limits the LAN prefix. Also unattached.
- filter ISP-out {
- term rate-limit-host {
- from {
- source-address {
- 192.168.253.0/24;
- }
- }
- then {
- policer bandwidth-control-512k;
- accept;
- }
- }
- term catch-all {
- then accept;
- }
- }
- ## Filter-based forwarding for LAN ingress: anything not bound for the
- ## internal prefixes is steered into routing-instance CONSOLIDATED-1.
- ## Referenced from reth0.0 but inactive there, and term web-traffic is
- ## inactive as well.
- filter LAN-IN {
- inactive: term web-traffic {
- from {
- destination-address {
- 0.0.0.0/0;
- 192.168.252.0/24 except;
- 192.168.10.0/24 except;
- 192.168.11.0/24 except;
- 192.168.12.0/24 except;
- 192.168.20.0/24 except;
- 192.168.254.0/24 except;
- }
- destination-port [ 80 443 ];
- }
- then {
- routing-instance CONSOLIDATED-1;
- }
- }
- term default {
- from {
- destination-address {
- 0.0.0.0/0;
- 192.168.252.0/24 except;
- 192.168.10.0/24 except;
- 192.168.11.0/24 except;
- 192.168.12.0/24 except;
- 192.168.20.0/24 except;
- 192.168.254.0/24 except;
- }
- }
- then {
- routing-instance CONSOLIDATED-1;
- }
- }
- term catch-all {
- then accept;
- }
- }
- }
- ## One forwarding instance per uplink, each with its own default route.
- ## ip-monitoring under services replaces these defaults when the matching
- ## RPM probe fails.
- routing-instances {
- CONSOLIDATED-1 {
- instance-type forwarding;
- routing-options {
- static {
- route 0.0.0.0/0 next-hop 207.231.77.101;
- }
- }
- }
- INTEGRA-1 {
- instance-type forwarding;
- routing-options {
- static {
- route 0.0.0.0/0 next-hop 70.98.111.169;
- }
- }
- }
- }
- services {
- ## ICMP reachability probes to two public resolvers, forced out each
- ## uplink in turn. 10 probes every 5 s, test every 10 s; a test fails after
- ## 10 successive or 5 total lost probes.
- rpm {
- probe CONSOLIDATED-PRIMARY {
- test DNS1 {
- probe-type icmp-ping;
- target address 8.8.8.8;
- probe-count 10;
- probe-interval 5;
- test-interval 10;
- thresholds {
- successive-loss 10;
- total-loss 5;
- }
- destination-interface reth1.0;
- next-hop 207.231.77.101;
- }
- test DNS2 {
- probe-type icmp-ping;
- target address 4.2.2.2;
- probe-count 10;
- probe-interval 5;
- test-interval 10;
- thresholds {
- successive-loss 10;
- total-loss 5;
- }
- destination-interface reth1.0;
- next-hop xxxxxxxxxxxxxxx;
- }
- }
- probe INTEGRA-PRIMARY {
- test DNS1 {
- probe-type icmp-ping;
- target address 8.8.8.8;
- probe-count 10;
- probe-interval 5;
- test-interval 10;
- thresholds {
- successive-loss 10;
- total-loss 5;
- }
- destination-interface reth2.0;
- next-hop 70.98.111.169;
- }
- test DNS2 {
- probe-type icmp-ping;
- target address 4.2.2.2;
- probe-count 10;
- probe-interval 5;
- test-interval 10;
- thresholds {
- successive-loss 10;
- total-loss 5;
- }
- destination-interface reth2.0;
- next-hop xxxxxxxxxxxxxxxxxxx;
- }
- }
- }
- ## When a probe fails, the preferred-route below is installed into that
- ## uplink's forwarding instance (next-hops redacted; presumably the other
- ## ISP's gateway - confirm).
- ip-monitoring {
- policy INTEGRA-PRIMARY-TRACKING {
- match {
- rpm-probe INTEGRA-PRIMARY;
- }
- then {
- preferred-route {
- routing-instances INTEGRA-1 {
- route 0.0.0.0/0 {
- next-hop xxxxxxxxxxxxxxx;
- }
- }
- }
- }
- }
- policy CONSOLIDATED-PRIMARY-TRACKING {
- match {
- rpm-probe CONSOLIDATED-PRIMARY;
- }
- then {
- preferred-route {
- routing-instances CONSOLIDATED-1 {
- route 0.0.0.0/0 {
- next-hop xxxxxxxxxxxxxxxxxxx;
- }
- }
- }
- }
- }
- }
- }
- ________________________________
- 192.168.252.x config:
- login as: root
- root@192.168.252.10's password:
- --- JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
- root@EGIAFW01% cli
- {primary:node0}
- root@EGIAFW01> configure
- warning: Clustering enabled; using private edit
- warning: uncommitted changes will be discarded on exit
- Entering configuration mode
- {primary:node0}[edit]
- root@EGIAFW01# show run
- ^
- syntax error.
- root@EGIAFW01# show run
- ^
- syntax error.
- root@EGIAFW01# show
- ## Last changed: 2016-05-23 14:12:34 PDT
- ## Chassis-cluster pair EGIAFW01/EGIAFW02 on Junos 11.4. Per-node settings
- ## are selected by apply-groups "${node}" at the end of this stanza; the
- ## group named global is applied implicitly by Junos.
- version 11.4R10.3;
- groups {
- node0 {
- system {
- host-name EGIAFW01;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.250.2/24;
- }
- }
- }
- }
- }
- node1 {
- system {
- host-name EGIAFW02;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.250.3/24;
- }
- }
- }
- }
- }
- ## Restricts SSH to protocol version 2 device-wide.
- global {
- system {
- services {
- ssh {
- protocol-version v2;
- }
- }
- }
- }
- }
- apply-groups "${node}";
- system {
- time-zone America/Los_Angeles;
- root-authentication {
- encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx0"; ## SECRET-DATA
- }
- name-server {
- 208.67.222.222;
- 208.67.220.220;
- }
- login {
- ## Single local super-user account; no authentication-order is configured.
- user dscott {
- full-name "Dustin Scott";
- uid 4000;
- class super-user;
- authentication {
- encrypted-password "xxxxxxxxxxxxxxxx xxxxxxxx"; ## SECRET-DATA
- }
- }
- }
- ## telnet and xnm-clear-text carry credentials in plaintext and http
- ## management is unencrypted; they are reachable from every interface whose
- ## host-inbound-traffic allows "all" (Trust and OFFICEVPN zones below).
- ## ssh (v2 via the global group) and https cover the same functions.
- services {
- ssh;
- telnet;
- xnm-clear-text;
- web-management {
- http {
- interface [ fxp0.0 reth0.0 ];
- }
- ## system-generated-certificate is self-signed, so clients cannot
- ## distinguish this device from an impostor on the path.
- https {
- system-generated-certificate;
- interface [ fxp0.0 reth0.0 ];
- }
- }
- }
- syslog {
- ## Local files only; no remote syslog host is configured.
- archive size 100k files 3;
- user * {
- any emergency;
- }
- file messages {
- any critical;
- authorization info;
- }
- file interactive-commands {
- interactive-commands error;
- }
- ## IKE daemon (KMD) events for tunnel troubleshooting.
- file kmd-logs {
- daemon info;
- match KMD;
- }
- }
- max-configurations-on-flash 5;
- max-configuration-rollbacks 5;
- license {
- autoupdate {
- url https://ae1.juniper.net/junos/key_retrieval;
- }
- }
- ntp {
- ## NTP server redacted; no authentication-key is configured.
- server xxxxxxxxxxxxxxxxxx;
- }
- }
- chassis {
- cluster {
- reth-count 3;
- ## RG0 = routing engine; node0 preferred (100 vs 1).
- redundancy-group 0 {
- node 0 priority 100;
- node 1 priority 1;
- }
- ## RG1 carries reth0 (LAN) and reth1 (WAN). Each monitored link has weight
- ## 255, equal to the failover threshold, so losing any single one of these
- ## four links fails RG1 over by itself.
- redundancy-group 1 {
- node 0 priority 100;
- node 1 priority 1;
- interface-monitor {
- ge-0/0/0 weight 255;
- ge-2/0/0 weight 255;
- fe-0/0/2 weight 255;
- fe-2/0/2 weight 255;
- }
- }
- ## RG2 carries reth2 (datacenter VLANs); same single-link failover rule.
- redundancy-group 2 {
- node 0 priority 100;
- node 1 priority 1;
- interface-monitor {
- ge-0/0/1 weight 255;
- ge-2/0/1 weight 255;
- }
- }
- }
- }
- interfaces {
- ## Physical members: x/0/0 -> reth0, x/0/1 -> reth2, fe-x/0/2 -> reth1,
- ## one port from each node.
- ge-0/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-0/0/1 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- ## WAN members are forced to 100 Mb/s full duplex.
- fe-0/0/2 {
- speed 100m;
- link-mode full-duplex;
- fastether-options {
- redundant-parent reth1;
- }
- }
- ge-2/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-2/0/1 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- fe-2/0/2 {
- speed 100m;
- link-mode full-duplex;
- fastether-options {
- redundant-parent reth1;
- }
- }
- ## Cluster fabric links.
- fab0 {
- fabric-options {
- member-interfaces {
- fe-0/0/5;
- }
- }
- }
- fab1 {
- fabric-options {
- member-interfaces {
- fe-2/0/5;
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- address 127.0.0.1/32;
- }
- }
- }
- ## Office LAN. Flow sampling is configured but inactive (see
- ## forwarding-options).
- reth0 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- description "Herakles LAN";
- family inet {
- inactive: sampling {
- input;
- output;
- }
- address 192.168.252.10/24;
- }
- }
- }
- ## Internet uplink. The Herakles-in / Herakles-out filters are defined under
- ## firewall, which is cut off at the end of this paste.
- reth1 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- description "Herakles WAN";
- family inet {
- filter {
- input Herakles-in;
- output Herakles-out;
- }
- inactive: sampling {
- input;
- output;
- }
- address xxxxxxxxxxxxxxxxxxx;
- }
- }
- }
- ## 802.1Q trunk to the datacenter; this device is the .1 gateway for the
- ## DMZ/APP/DATA/MGMT VLANs, each of which is its own security zone below.
- reth2 {
- description "Datacenter LAN";
- vlan-tagging;
- redundant-ether-options {
- redundancy-group 2;
- }
- unit 10 {
- description DMZ;
- vlan-id 10;
- family inet {
- address 192.168.10.1/24;
- }
- }
- unit 11 {
- description APP;
- vlan-id 11;
- family inet {
- address 192.168.11.1/24;
- }
- }
- unit 12 {
- description DATA;
- vlan-id 12;
- family inet {
- address 192.168.12.1/24;
- }
- }
- unit 20 {
- description MGMT;
- vlan-id 20;
- family inet {
- address 192.168.20.1/24;
- }
- }
- }
- ## Tunnel interfaces: st0.0/st0.1 to the other site (OFFICE VPNs), st0.2 to
- ## the external monitoring peer (VLAB-MONITOR).
- st0 {
- unit 0 {
- family inet {
- address 172.16.0.1/30;
- }
- }
- unit 1 {
- family inet {
- address 172.16.1.1/30;
- }
- }
- unit 2 {
- description "VLAB MONITORING";
- family inet {
- address 172.31.255.253/30;
- }
- }
- }
- }
- forwarding-options {
- ## NetFlow v5 export to a collector on the LAN (UDP 9996), sampling every
- ## packet. Deactivated here and on the interfaces, so no flow records are
- ## produced.
- inactive: sampling {
- input {
- rate 1;
- run-length 0;
- max-packets-per-second 50000;
- }
- family inet {
- output {
- flow-server 192.168.252.52 {
- port 9996;
- autonomous-system-type origin;
- no-local-dump;
- version 5;
- }
- }
- }
- }
- ## DHCP relay from the four datacenter VLANs to 192.168.252.102 (EGIADC02
- ## in the Trust address-book); the DHCP-REQUEST / DHCP-REPLY policies under
- ## security policies exist for this traffic.
- helpers {
- bootp {
- relay-agent-option;
- description "Global DHCP Forwarder";
- server 192.168.252.102;
- interface {
- reth2.10;
- reth2.11;
- reth2.12;
- reth2.20;
- }
- }
- }
- }
- snmp {
- location Herakles;
- contact "dscott98@gmail.com";
- ## v1/v2c community (plaintext credential, not redacted in this paste).
- ## Read-only and only answered for 192.168.252.0/24; note that zone VPN
- ## below allows snmp on st0.2, whose far side is not in this list.
- community egia-public {
- authorization read-only;
- clients {
- 192.168.252.0/24;
- 0.0.0.0/0 restrict;
- }
- }
- }
- routing-options {
- static {
- ## Single Internet default via the WAN gateway.
- route 0.0.0.0/0 next-hop 65.74.160.194;
- ## Other site's LAN over the primary tunnel, st0.1 as the preference-10
- ## backup (static default preference is 5).
- route 192.168.253.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- }
- }
- ## Spanning tree enabled with default parameters.
- protocols {
- stp;
- }
- security {
- ike {
- ## IKEv1, pre-shared keys, DH group2 (1024-bit MODP) - below current
- ## guidance; group14 or larger is the usual minimum today.
- proposal IKE-PROPOSAL {
- authentication-method pre-shared-keys;
- dh-group group2;
- authentication-algorithm sha-256;
- encryption-algorithm aes-256-cbc;
- }
- policy IKE-POLICY {
- mode main;
- proposals IKE-PROPOSAL;
- pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- ## Aggressive mode with a PSK for the dynamic monitoring peer: identities
- ## are sent unencrypted and the PSK-derived authentication hash is exposed
- ## to offline guessing by anyone able to observe the exchange. Certificate
- ## authentication avoids this for dynamic peers.
- policy DYNAMIC-IKE {
- mode aggressive;
- proposals IKE-PROPOSAL;
- pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- ## Both site-to-site peers are reached via the single WAN interface
- ## reth1.0; dead-peer-detection uses default timers.
- gateway IKE-GATEWAY {
- ike-policy IKE-POLICY;
- address 207.231.77.102;
- dead-peer-detection;
- external-interface reth1.0;
- }
- gateway IKE-GATEWAY-Secondary {
- ike-policy IKE-POLICY;
- address 70.98.111.172;
- dead-peer-detection;
- external-interface reth1.0;
- }
- ## Dynamic (unknown-address) peer identified by its IKE user-at-hostname.
- gateway VLAB-MONITOR {
- ike-policy DYNAMIC-IKE;
- dynamic user-at-hostname "monitor@vlab.local";
- dead-peer-detection;
- local-identity user-at-hostname "qts@egia.com";
- external-interface reth1.0;
- }
- }
- ipsec {
- vpn-monitor-options {
- interval 5;
- threshold 7;
- }
- ## hmac-md5-96 integrity is deprecated; hmac-sha1-96 (or a SHA-2 variant
- ## where the release supports it) would match the sha-256 used for IKE.
- proposal IPSEC-PROPOSAL {
- protocol esp;
- authentication-algorithm hmac-md5-96;
- encryption-algorithm aes-256-cbc;
- }
- ## No perfect-forward-secrecy statement, so phase 2 keys derive from the
- ## phase 1 exchange only.
- policy IPSEC-POLICY {
- proposals IPSEC-PROPOSAL;
- }
- ## Primary and secondary tunnels to the other site (zone OFFICEVPN).
- vpn OFFICE {
- bind-interface st0.0;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- vpn OFFICE-secondary {
- bind-interface st0.1;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY-Secondary;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- ## Monitoring tunnel on st0.2 (zone VPN). No security policy references
- ## zone VPN, so only the host-inbound services listed under that zone are
- ## reachable through it.
- vpn VLAB-MONITOR {
- bind-interface st0.2;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway VLAB-MONITOR;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- }
- alg {
- msrpc disable;
- sql disable;
- }
- flow {
- ## Clamp TCP MSS inside the tunnels to avoid fragmenting ESP.
- tcp-mss {
- ipsec-vpn {
- mss 1350;
- }
- }
- }
- nat {
- ## Interface (hide) NAT towards the Internet zone Herakles, one rule-set
- ## per internal zone. Zone DATA has no rule-set and no DATA-to-Herakles
- ## policy, so it has no Internet path through this device as configured.
- source {
- rule-set interface-nat-out {
- from zone Trust;
- to zone Herakles;
- rule interface-nat-out {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set DMZ_NAT {
- from zone DMZ;
- to zone Herakles;
- rule DMZ_INTERFACE_NAT {
- match {
- source-address 192.168.10.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set APP_NAT {
- from zone APP;
- to zone Herakles;
- rule APP_INTERFACE_NAT {
- match {
- source-address 192.168.11.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set MGMT_NAT {
- from zone MGMT;
- to zone Herakles;
- rule MGMT_INTERFACE_NAT {
- match {
- source-address 192.168.20.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- ## Inbound port/address forwarding from the Internet. Rules are evaluated
- ## in order, first match wins; the security policies below see the
- ## post-NAT (internal) destination.
- destination {
- pool EGIA-VPN-Trust {
- address 192.168.252.9/32 port 1723;
- }
- pool STAGE-WEB-Trust {
- address 192.168.252.211/32 port 80;
- }
- pool EGIAPRDWEB1 {
- address 192.168.252.53/32;
- }
- pool EGIAWEB2 {
- address 192.168.252.35/32;
- }
- pool EGIAFTP1 {
- address 192.168.252.80/32;
- }
- pool TEMP_VPN_RDP {
- address 192.168.252.5/32 port 3389;
- }
- rule-set Herakles-to-Trust {
- from zone Herakles;
- ## SSH/SFTP from one allow-listed source to the FTP host.
- rule PGE_SFTP {
- match {
- source-address [ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ];
- destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
- destination-port 22;
- }
- then {
- destination-nat pool EGIAFTP1;
- }
- }
- rule Herakles-EGIA-VPN-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxxxxxx;
- destination-port 1723;
- }
- then {
- destination-nat pool EGIA-VPN-Trust;
- }
- }
- rule Herakles-STAGE-Web-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxxx;
- destination-port 80;
- }
- then {
- destination-nat pool STAGE-WEB-Trust;
- }
- }
- ## No destination-port match: every port on this public address is
- ## forwarded to EGIAPRDWEB1; exposure is then bounded only by policy.
- rule Herakles-EGIAPRDWEB1-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- destination-nat pool EGIAPRDWEB1;
- }
- }
- ## RDP (3389) to VC1 from a single (redacted) source; named TEMP.
- rule TEMP_RDP {
- match {
- source-address xxxxxxxxxxxxxxxxxxxxx;
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- destination-nat pool TEMP_VPN_RDP;
- }
- }
- ## Flagged BAD by the author: no source or port match, so all traffic to
- ## this public address is redirected to EGIAWEB2 (192.168.252.35). The
- ## static-nat rule r197 for the same host below is inactive.
- rule EGIA-WEB {
- match {
- destination-address xxxxxxxxxxxxxxxxxx; ------------ BAD ------------------
- }
- then {
- destination-nat pool EGIAWEB2;
- }
- }
- }
- }
- ## 1:1 static NAT (bidirectional) for individual public addresses; rule
- ## names mix rNNN and bare NNN.
- static {
- rule-set rs1 {
- from zone Herakles;
- inactive: rule r197 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.35/32;
- }
- }
- }
- }
- rule r198 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.12/32;
- }
- }
- }
- }
- rule r201 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.244/32;
- }
- }
- }
- }
- rule r202 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.67/32;
- }
- }
- }
- }
- rule r203 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.253/32;
- }
- }
- }
- }
- rule r204 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.80/32;
- }
- }
- }
- }
- rule 205 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.252/32;
- }
- }
- }
- }
- rule 206 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.251/32;
- }
- }
- }
- }
- rule 221 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx/32;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.87/32;
- }
- }
- }
- }
- rule 220 {
- match {
- destination-address xxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.88/32;
- }
- }
- }
- }
- rule 219 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.250/32;
- }
- }
- }
- }
- rule 218 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.249/32;
- }
- }
- }
- }
- rule r207 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.248/32;
- }
- }
- }
- }
- rule r217 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.247/32;
- }
- }
- }
- }
- rule r216 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.243/32;
- }
- }
- }
- }
- rule r215 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.246/32;
- }
- }
- }
- }
- rule r208 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.245/32;
- }
- }
- }
- }
- rule r209 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.254/32;
- }
- }
- }
- }
- rule r210 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.240/32;
- }
- }
- }
- }
- rule r211 {
- match {
- destination-address xxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.239/32;
- }
- }
- }
- }
- rule r212 {
- match {
- destination-address xxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.238/32;
- }
- }
- }
- }
- rule r213 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.237/32;
- }
- }
- }
- }
- rule r214 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.99/32;
- }
- }
- }
- }
- }
- }
- ## Answers ARP on the WAN for the additional public addresses (redacted,
- ## presumably the NAT addresses above); the address line below appears to
- ## have lost its ';' in redaction.
- proxy-arp {
- interface reth1.0 {
- address {
- xxxxxxxxxxxxxxxxxxxxxxxxxxx
- }
- }
- }
- }
- ## No default-policy statement, so the SRX deny-all default applies to any
- ## zone pair or flow not matched below (including zone VPN, which no policy
- ## names).
- policies {
- ## Unrestricted outbound Internet access from the office LAN.
- from-zone Trust to-zone Herakles {
- policy Trust-out {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Internet-facing inbound policies (evaluated on post-NAT destinations).
- from-zone Herakles to-zone Trust {
- policy Herakles-web-incoming {
- match {
- source-address any;
- destination-address [ EGIA-WEB-server CONSERVATIONREBATES-WEB-server STAGE-WEB-server EGIAPRDWEB1 EGIAPRDWEB5 EGIAQAWEB2 PGE_VIRTUAL_IP EGIAQWEB4 NICOR_VIRTUAL_IP EGIARPS_VIRTUAL_IP SWG_EGIAPRDWEB1 CCNG_EGIAPRDWEB1 RECOL_VIRTUAL_IP AGL_VIRTUAL_IP CNGC_VIRTUAL_IP DKNG_VIRTUAL_IP SOCALGAS_VIRTUAL_IP MWDTURF_VIRTUAL_IP SDBX_VIRTUAL_IP SCGA_VIRTUAL_IP NICOR_REVIEW_VIRTUAL_IP EGIA_99 ];
- application [ junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- ## Name is misspelled ("incoming"). junos-ftp is plaintext FTP from any
- ## Internet source, alongside SSH, to the web and FTP hosts.
- policy Herakles-sftp-incomfing {
- match {
- source-address any;
- destination-address [ EGIA-WEB-server EGIAFTP1 ];
- application [ junos-ftp junos-ssh ];
- }
- then {
- permit;
- }
- }
- ## PPTP from the whole Internet. PPTP's MS-CHAPv2/RC4 design is considered
- ## broken; an IPsec or TLS remote-access VPN is the usual replacement.
- policy Herakles-VPN-incoming {
- match {
- source-address any;
- destination-address EGIA-VPN-server;
- application junos-pptp;
- }
- then {
- permit;
- }
- }
- ## ICMP echo from any Internet source to any Trust host.
- policy Herakles-ping {
- match {
- source-address any;
- destination-address any;
- application junos-icmp-ping;
- }
- then {
- permit;
- }
- }
- ## Admin access from two fixed public /32s (address-set Dustin) to the VPN
- ## server and VC1 on any application.
- policy Dustin_RDP {
- match {
- source-address Dustin;
- destination-address [ EGIA-VPN-server VC1 ];
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Site-to-site tunnel is fully open in both directions.
- from-zone OFFICEVPN to-zone Trust {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone OFFICEVPN {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Datacenter VLAN policies. ORACLE_APP_IGNORE, RDC, SQUID and BARRACUDA are
- ## custom applications defined outside this paste.
- from-zone APP to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address APP_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- policy APP_TO_TRUST {
- match {
- source-address APP_LAN;
- destination-address any;
- application [ ORACLE_APP_IGNORE junos-nfs ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address DMZ_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- ## DMZ hosts may reach HTTP on any Trust host.
- policy DMZ-WEB-ACCESS {
- match {
- source-address DMZ_LAN;
- destination-address any;
- application junos-http;
- }
- then {
- permit;
- }
- }
- }
- from-zone DATA to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address DATA_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone DATA {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address DATA_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy RDC {
- match {
- source-address any;
- destination-address DATA_LAN;
- application RDC;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone DMZ {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address DMZ_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy Trust_TO_DMZ {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone APP {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address APP_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy Trust_TO_APP {
- match {
- source-address any;
- destination-address APP_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone Herakles {
- policy DMZ_TO_Herakles {
- match {
- source-address DMZ_LAN;
- destination-address any;
- application [ junos-ssh junos-http junos-https junos-icmp-ping ];
- }
- then {
- permit;
- }
- }
- }
- from-zone Herakles to-zone DMZ {
- policy DMZ-WEB-ACCESS {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone DMZ {
- policy OFFICE_TO_DMZ {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone APP to-zone DMZ {
- policy APP_TO_PROXY {
- match {
- source-address APP_LAN;
- destination-address EGIAPROXY01;
- application SQUID;
- }
- then {
- permit;
- }
- }
- policy APP_TO_DMZ {
- match {
- source-address APP_LAN;
- destination-address DMZ_LAN;
- application [ junos-http junos-https junos-ftp ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone APP {
- policy DMZ_WEB_ACCESS {
- match {
- source-address DMZ_LAN;
- destination-address APP_LAN;
- application junos-http;
- }
- then {
- permit;
- }
- }
- }
- ## Office LAN and management VLAN are open to each other on any application.
- from-zone Trust to-zone MGMT {
- policy trust_to_mgmt {
- match {
- source-address any;
- destination-address MGMT_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone MGMT to-zone Trust {
- policy mgmt_to_trust {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## The restricted MGMT-to-Internet policy is inactive; the live rule is the
- ## "temporary" MGMT_TEMP permitting any application.
- from-zone MGMT to-zone Herakles {
- inactive: policy MGMT_TO_HERAKLES {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application [ junos-http junos-https junos-dns-tcp junos-dns-udp junos-ftp BARRACUDA ];
- }
- then {
- permit;
- }
- }
- policy MGMT_TEMP {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone MGMT {
- policy Office_to_mgmt {
- match {
- source-address any;
- destination-address MGMT_LAN;
- application [ junos-http junos-https junos-cifs ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DATA to-zone DMZ {
- policy DATA_TO_PROXY {
- match {
- source-address DATA_LAN;
- destination-address EGIAPROXY01;
- application SQUID;
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone APP {
- policy OFFICE_TO_APP {
- match {
- source-address any;
- destination-address APP_LAN;
- application [ junos-ssh junos-http junos-https junos-ftp junos-icmp-ping ];
- }
- then {
- permit;
- }
- }
- }
- from-zone APP to-zone Herakles {
- policy APP_TO_Herakles {
- match {
- source-address APP_LAN;
- destination-address any;
- application [ junos-http junos-https junos-ftp ];
- }
- then {
- permit;
- }
- }
- }
- ## Management VLAN may reach the remote site on any application.
- from-zone MGMT to-zone OFFICEVPN {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- ## Office LAN: every system service (including telnet/http enabled under
- ## system services) and protocol is reachable from reth0.0 and lo0.0.
- security-zone Trust {
- tcp-rst;
- address-book {
- address EGIA-WEB-server 192.168.252.35/32;
- address CONSERVATIONREBATES-WEB-server 192.168.252.12/32;
- address EGIA-VPN-server 192.168.252.9/32;
- address STAGE-WEB-server 192.168.252.211/32;
- address EGIAPRDWEB1 192.168.252.53/32;
- address EGIAPRDWEB5 192.168.252.57/32;
- address EGIAQAWEB2 192.168.252.67/32;
- address PGE_VIRTUAL_IP 192.168.252.100/32;
- address EGIAFTP1 192.168.252.80/32;
- address EGIAQWEB4 192.168.252.61/32;
- address NICOR_VIRTUAL_IP 192.168.252.101/32;
- address EGIARPS_VIRTUAL_IP 192.168.252.103/32;
- address SWG_EGIAPRDWEB1 192.168.252.87/32;
- address CCNG_EGIAPRDWEB1 192.168.252.88/32;
- address RECOL_VIRTUAL_IP 192.168.252.104/32;
- address AGL_VIRTUAL_IP 192.168.252.105/32;
- address CNGC_VIRTUAL_IP 192.168.252.106/32;
- address DKNG_VIRTUAL_IP 192.168.252.108/32;
- address VC1 192.168.252.5/32;
- address SOCALGAS_VIRTUAL_IP 192.168.252.109/32;
- address MWDTURF_VIRTUAL_IP 192.168.252.110/32;
- address SDBX_VIRTUAL_IP 192.168.252.111/32;
- address SCGA_VIRTUAL_IP 192.168.252.112/32;
- address NICOR_REVIEW_VIRTUAL_IP 192.168.252.113/32;
- address EGIADC02 192.168.252.102/32;
- address EGIA_99 192.168.252.99/32;
- }
- interfaces {
- reth0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- lo0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- }
- }
- ## Internet zone: only ike and ping are accepted by the device itself on
- ## the WAN; ssh/telnet/http are not exposed at this level. The Dustin
- ## address-set holds two fixed public admin sources (unredacted).
- security-zone Herakles {
- address-book {
- address Dustin1 99.89.113.240/32;
- address Dustin2 32.158.121.9/32;
- address-set Dustin {
- address Dustin1;
- address Dustin2;
- }
- }
- host-inbound-traffic {
- system-services {
- ike;
- }
- }
- interfaces {
- reth1.0 {
- host-inbound-traffic {
- system-services {
- ping;
- ike;
- }
- }
- }
- }
- }
- ## Site-to-site tunnel zone: all services reachable from the remote site,
- ## which includes the plaintext telnet/http management services.
- security-zone OFFICEVPN {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- interfaces {
- st0.0;
- st0.1;
- }
- }
- ## Datacenter VLAN zones: ping and DHCP (for the bootp relay) only; MGMT
- ## additionally allows SSH to the device.
- security-zone APP {
- address-book {
- address APP_LAN 192.168.11.0/24;
- }
- interfaces {
- reth2.11 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone DATA {
- address-book {
- address DATA_LAN 192.168.12.0/24;
- }
- interfaces {
- reth2.12 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone DMZ {
- address-book {
- address DMZ_LAN 192.168.10.0/24;
- address EGIAPROXY01 192.168.10.12/32;
- }
- interfaces {
- reth2.10 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone MGMT {
- address-book {
- address MGMT_LAN 192.168.20.0/24;
- }
- interfaces {
- reth2.20 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- ssh;
- }
- }
- }
- }
- }
- ## Monitoring tunnel zone: the device answers ping and SNMP on st0.2, but
- ## the snmp clients list only admits 192.168.252.0/24 - confirm the
- ## poller's source address, otherwise its queries are restricted.
- security-zone VPN {
- interfaces {
- st0.2 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- }
- }
- }
- }
- }
- }
- }
- firewall {
- policer bandwidth-control-512k {
- if-exceeding {
- bandwidth-limit 512k;
- burst-size-limit 128k;
- }
- then discard;
- }
- policer bandwidth-control-1024k {
- if-exceeding {
- bandwidth-limit 1024000;
- burst-size-limit 128k;
- }
- then discard;
- }
- policer bandwidth-control-2048k {
- if-exceeding {
- bandwidth-limit 2048000;
- burst-size-limit 512k;
- }
- then discard;
- }
- filter Herakles-in {
- term incoming-internet-access {
- from {
- destination-address {
- xxxxxxxxxxxxx7;
- }
- }
- then accept;
- }
- }
- filter Herakles-out {
- term rackspace_traffic {
- from {
- destination-address {
- xxxxxxxxxxxxxxxxxxxx;
- }
- destination-port [ http https ];
- }
- then accept;
- }
- term rate-limit-web-traffic {
- from {
- source-address {
- 192.168.252.7/32;
- }
- destination-port [ http https ];
- }
- then accept;
- }
- term catch-all {
- then accept;
- }
- }
- }
- applications {
- application ORACLE_APP_IGNORE {
- term t1 alg ignore protocol tcp destination-port 1521;
- }
- application SQUID {
- term t1 protocol tcp destination-port 3128;
- }
- application RDC {
- term t1 protocol tcp destination-port 3389;
- }
- application BARRACUDA {
- term t1 protocol tcp destination-port 1194;
- term t2 protocol udp destination-port 1194;
- term t3 protocol tcp destination-port 5120-5129;
- term t4 protocol udp destination-port 5120-5129;
- }
- }
- {primary:node0}[edit]
- root@EGIAFW01# ot
- ^
- _____________________________
- 192.168.20.x config:
- login as: root
- root@192.168.20.1's password:
- Access denied
- root@192.168.20.1's password:
- pam_unix: pam_sm_authenticate: UNIX authentication refused
- --- JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
- root@EGIAFW01> show chassis hardware
- node0:
- --------------------------------------------------------------------------
- Hardware inventory:
- Item Version Part number Serial number Description
- Chassis AD2610AA0247 SRX210H
- Routing Engine REV 40 750-021779 AABT6622 RE-SRX210H
- FPC 0 FPC
- PIC 0 2x GE, 6x FE, 1x 3G
- Power Supply 0
- node1:
- --------------------------------------------------------------------------
- Hardware inventory:
- Item Version Part number Serial number Description
- Chassis AD2610AA0310 SRX210H
- Routing Engine REV 40 750-021779 AABT6469 RE-SRX210H
- FPC 0 FPC
- PIC 0 2x GE, 6x FE, 1x 3G
- Power Supply 0
- {primary:node0}
- root@EGIAFW01% cli
- {primary:node0}
- root@EGIAFW01> configure
- warning: Clustering enabled; using private edit
- warning: uncommitted changes will be discarded on exit
- Entering configuration mode
- {primary:node0}[edit]
- root@EGIAFW01# show
- ## Last changed: 2016-05-23 14:12:34 PDT
- version 11.4R10.3;
- groups {
- node0 {
- system {
- host-name EGIAFW01;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.250.2/24;
- }
- }
- }
- }
- }
- node1 {
- system {
- host-name EGIAFW02;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.250.3/24;
- }
- }
- }
- }
- }
- global {
- system {
- services {
- ssh {
- protocol-version v2;
- }
- }
- }
- }
- }
- apply-groups "${node}";
- system {
- time-zone America/Los_Angeles;
- root-authentication {
- encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- name-server {
- 208.67.222.222;
- 208.67.220.220;
- }
- login {
- user dscott {
- full-name "Dustin Scott";
- uid 4000;
- class super-user;
- authentication {
- encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- }
- }
- services {
- ssh;
- telnet;
- xnm-clear-text;
- web-management {
- http {
- interface [ fxp0.0 reth0.0 ];
- }
- https {
- system-generated-certificate;
- interface [ fxp0.0 reth0.0 ];
- }
- }
- }
- syslog {
- archive size 100k files 3;
- user * {
- any emergency;
- }
- file messages {
- any critical;
- authorization info;
- }
- file interactive-commands {
- interactive-commands error;
- }
- file kmd-logs {
- daemon info;
- match KMD;
- }
- }
- max-configurations-on-flash 5;
- max-configuration-rollbacks 5;
- license {
- autoupdate {
- url https://ae1.juniper.net/junos/key_retrieval;
- }
- }
- ntp {
- server xxxxxxxxxxxxxxxxxxxxxx;
- }
- }
- chassis {
- cluster {
- reth-count 3;
- redundancy-group 0 {
- node 0 priority 100;
- node 1 priority 1;
- }
- redundancy-group 1 {
- node 0 priority 100;
- node 1 priority 1;
- interface-monitor {
- ge-0/0/0 weight 255;
- ge-2/0/0 weight 255;
- fe-0/0/2 weight 255;
- fe-2/0/2 weight 255;
- }
- }
- redundancy-group 2 {
- node 0 priority 100;
- node 1 priority 1;
- interface-monitor {
- ge-0/0/1 weight 255;
- ge-2/0/1 weight 255;
- }
- }
- }
- }
- interfaces {
- ge-0/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-0/0/1 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- fe-0/0/2 {
- speed 100m;
- link-mode full-duplex;
- fastether-options {
- redundant-parent reth1;
- }
- }
- ge-2/0/0 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-2/0/1 {
- gigether-options {
- redundant-parent reth2;
- }
- }
- fe-2/0/2 {
- speed 100m;
- link-mode full-duplex;
- fastether-options {
- redundant-parent reth1;
- }
- }
- fab0 {
- fabric-options {
- member-interfaces {
- fe-0/0/5;
- }
- }
- }
- fab1 {
- fabric-options {
- member-interfaces {
- fe-2/0/5;
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- address 127.0.0.1/32;
- }
- }
- }
- reth0 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- description "Herakles LAN";
- family inet {
- inactive: sampling {
- input;
- output;
- }
- address 192.168.252.10/24;
- }
- }
- }
- reth1 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- description "Herakles WAN";
- family inet {
- filter {
- input Herakles-in;
- output Herakles-out;
- }
- inactive: sampling {
- input;
- output;
- }
- address xxxxxxxxxxxxxxxxxxxxxx;
- }
- }
- }
- reth2 {
- description "Datacenter LAN";
- vlan-tagging;
- redundant-ether-options {
- redundancy-group 2;
- }
- unit 10 {
- description DMZ;
- vlan-id 10;
- family inet {
- address 192.168.10.1/24;
- }
- }
- unit 11 {
- description APP;
- vlan-id 11;
- family inet {
- address 192.168.11.1/24;
- }
- }
- unit 12 {
- description DATA;
- vlan-id 12;
- family inet {
- address 192.168.12.1/24;
- }
- }
- unit 20 {
- description MGMT;
- vlan-id 20;
- family inet {
- address 192.168.20.1/24;
- }
- }
- }
- st0 {
- unit 0 {
- family inet {
- address 172.16.0.1/30;
- }
- }
- unit 1 {
- family inet {
- address 172.16.1.1/30;
- }
- }
- unit 2 {
- description "VLAB MONITORING";
- family inet {
- address 172.31.255.253/30;
- }
- }
- }
- }
- forwarding-options {
- inactive: sampling {
- input {
- rate 1;
- run-length 0;
- max-packets-per-second 50000;
- }
- family inet {
- output {
- flow-server 192.168.252.52 {
- port 9996;
- autonomous-system-type origin;
- no-local-dump;
- version 5;
- }
- }
- }
- }
- helpers {
- bootp {
- relay-agent-option;
- description "Global DHCP Forwarder";
- server 192.168.252.102;
- interface {
- reth2.10;
- reth2.11;
- reth2.12;
- reth2.20;
- }
- }
- }
- }
- snmp {
- location Herakles;
- contact "dscott98@gmail.com";
- community egia-public {
- authorization read-only;
- clients {
- 192.168.252.0/24;
- 0.0.0.0/0 restrict;
- }
- }
- }
- routing-options {
- static {
- route 0.0.0.0/0 next-hop 65.74.160.194;
- route 192.168.253.0/24 {
- next-hop st0.0;
- qualified-next-hop st0.1 {
- preference 10;
- }
- }
- }
- }
- protocols {
- stp;
- }
- security {
- ike {
- proposal IKE-PROPOSAL {
- authentication-method pre-shared-keys;
- dh-group group2;
- authentication-algorithm sha-256;
- encryption-algorithm aes-256-cbc;
- }
- policy IKE-POLICY {
- mode main;
- proposals IKE-PROPOSAL;
- pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxb"; ## SECRET-DATA
- }
- policy DYNAMIC-IKE {
- mode aggressive;
- proposals IKE-PROPOSAL;
- pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
- }
- gateway IKE-GATEWAY {
- ike-policy IKE-POLICY;
- address 207.231.77.102;
- dead-peer-detection;
- external-interface reth1.0;
- }
- gateway IKE-GATEWAY-Secondary {
- ike-policy IKE-POLICY;
- address 70.98.111.172;
- dead-peer-detection;
- external-interface reth1.0;
- }
- gateway VLAB-MONITOR {
- ike-policy DYNAMIC-IKE;
- dynamic user-at-hostname "monitor@vlab.local";
- dead-peer-detection;
- local-identity user-at-hostname "qts@egia.com";
- external-interface reth1.0;
- }
- }
- ipsec {
- vpn-monitor-options {
- interval 5;
- threshold 7;
- }
- proposal IPSEC-PROPOSAL {
- protocol esp;
- authentication-algorithm hmac-md5-96;
- encryption-algorithm aes-256-cbc;
- }
- policy IPSEC-POLICY {
- proposals IPSEC-PROPOSAL;
- }
- vpn OFFICE {
- bind-interface st0.0;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- vpn OFFICE-secondary {
- bind-interface st0.1;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway IKE-GATEWAY-Secondary;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- vpn VLAB-MONITOR {
- bind-interface st0.2;
- vpn-monitor {
- optimized;
- }
- ike {
- gateway VLAB-MONITOR;
- ipsec-policy IPSEC-POLICY;
- }
- establish-tunnels immediately;
- }
- }
- alg {
- msrpc disable;
- sql disable;
- }
- flow {
- tcp-mss {
- ipsec-vpn {
- mss 1350;
- }
- }
- }
- nat {
- source {
- rule-set interface-nat-out {
- from zone Trust;
- to zone Herakles;
- rule interface-nat-out {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set DMZ_NAT {
- from zone DMZ;
- to zone Herakles;
- rule DMZ_INTERFACE_NAT {
- match {
- source-address 192.168.10.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set APP_NAT {
- from zone APP;
- to zone Herakles;
- rule APP_INTERFACE_NAT {
- match {
- source-address 192.168.11.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set MGMT_NAT {
- from zone MGMT;
- to zone Herakles;
- rule MGMT_INTERFACE_NAT {
- match {
- source-address 192.168.20.0/24;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- destination {
- pool EGIA-VPN-Trust {
- address 192.168.252.9/32 port 1723;
- }
- pool STAGE-WEB-Trust {
- address 192.168.252.211/32 port 80;
- }
- pool EGIAPRDWEB1 {
- address 192.168.252.53/32;
- }
- pool EGIAWEB2 {
- address 192.168.252.35/32;
- }
- pool EGIAFTP1 {
- address 192.168.252.80/32;
- }
- pool TEMP_VPN_RDP {
- address 192.168.252.5/32 port 3389;
- }
- rule-set Herakles-to-Trust {
- from zone Herakles;
- rule PGE_SFTP {
- match {
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- }
- then {
- destination-nat pool EGIAFTP1;
- }
- }
- rule Herakles-EGIA-VPN-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxx;
- destination-port 1723;
- }
- then {
- destination-nat pool EGIA-VPN-Trust;
- }
- }
- rule Herakles-STAGE-Web-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxxx;
- destination-port 80;
- }
- then {
- destination-nat pool STAGE-WEB-Trust;
- }
- }
- rule Herakles-EGIAPRDWEB1-in {
- match {
- source-address 0.0.0.0/0;
- destination-address xxxxxxxxxxxxxxxxxxxx;
- }
- then {
- destination-nat pool EGIAPRDWEB1;
- }
- }
- rule TEMP_RDP {
- match {
- source-address 32.158.121.9/32;
- destination-address xxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- destination-nat pool TEMP_VPN_RDP;
- }
- }
- rule EGIA-WEB {
- match {
- destination-address xxxxxxxxxxxxxxxxx2;
- }
- then {
- destination-nat pool EGIAWEB2;
- }
- }
- }
- }
- static {
- rule-set rs1 {
- from zone Herakles;
- inactive: rule r197 {
- match {xxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.35/32;
- }
- }
- }
- }
- rule r198 {
- match {
- destination-address xxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.12/32;
- }
- }
- }
- }
- rule r201 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.244/32;
- }
- }
- }
- }
- rule r202 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.67/32;
- }
- }
- }
- }
- rule r203 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.253/32;
- }
- }
- }
- }
- rule r204 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx2;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.80/32;
- }
- }
- }
- }
- rule 205 {
- match {
- destination-address xxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.252/32;
- }
- }
- }
- }
- rule 206 {
- match {
- destination-address xxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.251/32;
- }
- }
- }
- }
- rule 221 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.87/32;
- }
- }
- }
- }
- rule 220 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.252.88/32;
- }
- }
- }
- }
- rule 219 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.250/32;
- }
- }
- }
- }
- rule 218 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.249/32;
- }
- }
- }
- }
- rule r207 {
- match {
- destination-address xxxxxxxxxxxxxxx2;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.248/32;
- }
- }
- }
- }
- rule r217 {
- match {
- destination-address 65.74.160.217/32;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.247/32;
- }
- }
- }
- }
- rule r216 {
- match {
- destination-address sssssssssssssssssssssss
- }
- then {
- static-nat {
- prefix {
- 192.168.10.243/32;
- }
- }
- }
- }
- rule r215 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.246/32;
- }
- }
- }
- }
- rule r208 {
- match {
- destination-address xxxxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.245/32;
- }
- }
- }
- }
- rule r209 {
- match {
- destination-address xxxxxxxxxxxxxxx
- }
- then {
- static-nat {
- prefix {
- 192.168.10.254/32;
- }
- }
- }
- }
- rule r210 {
- match {
- destination-address xxxxxxxxxxxxxxxxxxxx
- }
- then {
- static-nat {
- prefix {
- 192.168.10.240/32;
- }
- }
- }
- }
- rule r211 {
- match {
- destination-address xxxxxxxxxxxx;
- }
- then {
- static-nat {
- prefix {
- 192.168.10.239/32;
- }
- }
- }
- }
- rule r212 {
- match {
- destination-address xxxxxxxxxxxxxx
- }
- then {
- static-nat {
- prefix {
- 192.168.10.238/32;
- }
- }
- }
- }
- rule r213 {
- match {
- destination-address xxxxxxxxxxxxxxxx
- then {
- static-nat {
- prefix {
- 192.168.10.237/32;
- }
- }
- }
- }
- rule r214 {
- match {
- destination-address xxxxxxxxxxxx
- then {
- static-nat {
- prefix {
- 192.168.252.99/32;
- }
- }
- }
- }
- }
- }
- proxy-arp {
- interface reth1.0 {
- address {
- xxxxxxxxxxxxxxxx
- }
- }
- }
- policies {
- from-zone Trust to-zone Herakles {
- policy Trust-out {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone Herakles to-zone Trust {
- policy Herakles-web-incoming {
- match {
- source-address any;
- destination-address [ EGIA-WEB-server CONSERVATIONREBATES-WEB-server STAGE-WEB-server EGIAPRDWEB1 EGIAPRDWEB5 EGIAQAWEB2 PGE_VIRTUAL_IP EGIAQWEB4 NICOR_VIRTUAL_IP EGIARPS_VIRTUAL_IP SWG_EGIAPRDWEB1 CCNG_EGIAPRDWEB1 RECOL_VIRTUAL_IP AGL_VIRTUAL_IP CNGC_VIRTUAL_IP DKNG_VIRTUAL_IP SOCALGAS_VIRTUAL_IP MWDTURF_VIRTUAL_IP SDBX_VIRTUAL_IP SCGA_VIRTUAL_IP NICOR_REVIEW_VIRTUAL_IP EGIA_99 ];
- application [ junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- policy Herakles-sftp-incomfing {
- match {
- source-address any;
- destination-address [ EGIA-WEB-server EGIAFTP1 ];
- application [ junos-ftp junos-ssh ];
- }
- then {
- permit;
- }
- }
- policy Herakles-VPN-incoming {
- match {
- source-address any;
- destination-address EGIA-VPN-server;
- application junos-pptp;
- }
- then {
- permit;
- }
- }
- policy Herakles-ping {
- match {
- source-address any;
- destination-address any;
- application junos-icmp-ping;
- }
- then {
- permit;
- }
- }
- policy Dustin_RDP {
- match {
- source-address Dustin;
- destination-address [ EGIA-VPN-server VC1 ];
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone Trust {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone OFFICEVPN {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone APP to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address APP_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- policy APP_TO_TRUST {
- match {
- source-address APP_LAN;
- destination-address any;
- application [ ORACLE_APP_IGNORE junos-nfs ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address DMZ_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- policy DMZ-WEB-ACCESS {
- match {
- source-address DMZ_LAN;
- destination-address any;
- application junos-http;
- }
- then {
- permit;
- }
- }
- }
- from-zone DATA to-zone Trust {
- policy DHCP-REQUEST {
- match {
- source-address DATA_LAN;
- destination-address EGIADC02;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone DATA {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address DATA_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy RDC {
- match {
- source-address any;
- destination-address DATA_LAN;
- application RDC;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone DMZ {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address DMZ_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy Trust_TO_DMZ {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone APP {
- policy DHCP-REPLY {
- match {
- source-address EGIADC02;
- destination-address APP_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- policy Trust_TO_APP {
- match {
- source-address any;
- destination-address APP_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone Herakles {
- policy DMZ_TO_Herakles {
- match {
- source-address DMZ_LAN;
- destination-address any;
- application [ junos-ssh junos-http junos-https junos-icmp-ping ];
- }
- then {
- permit;
- }
- }
- }
- from-zone Herakles to-zone DMZ {
- policy DMZ-WEB-ACCESS {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone DMZ {
- policy OFFICE_TO_DMZ {
- match {
- source-address any;
- destination-address DMZ_LAN;
- application [ junos-ssh junos-http junos-https ];
- }
- then {
- permit;
- }
- }
- }
- from-zone APP to-zone DMZ {
- policy APP_TO_PROXY {
- match {
- source-address APP_LAN;
- destination-address EGIAPROXY01;
- application SQUID;
- }
- then {
- permit;
- }
- }
- policy APP_TO_DMZ {
- match {
- source-address APP_LAN;
- destination-address DMZ_LAN;
- application [ junos-http junos-https junos-ftp ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DMZ to-zone APP {
- policy DMZ_WEB_ACCESS {
- match {
- source-address DMZ_LAN;
- destination-address APP_LAN;
- application junos-http;
- }
- then {
- permit;
- }
- }
- }
- from-zone Trust to-zone MGMT {
- policy trust_to_mgmt {
- match {
- source-address any;
- destination-address MGMT_LAN;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone MGMT to-zone Trust {
- policy mgmt_to_trust {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone MGMT to-zone Herakles {
- inactive: policy MGMT_TO_HERAKLES {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application [ junos-http junos-https junos-dns-tcp junos-dns-udp junos-ftp BARRACUDA ];
- }
- then {
- permit;
- }
- }
- policy MGMT_TEMP {
- match {
- source-address MGMT_LAN;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone MGMT {
- policy Office_to_mgmt {
- match {
- source-address any;
- destination-address MGMT_LAN;
- application [ junos-http junos-https junos-cifs ];
- }
- then {
- permit;
- }
- }
- }
- from-zone DATA to-zone DMZ {
- policy DATA_TO_PROXY {
- match {
- source-address DATA_LAN;
- destination-address EGIAPROXY01;
- application SQUID;
- }
- then {
- permit;
- }
- }
- }
- from-zone OFFICEVPN to-zone APP {
- policy OFFICE_TO_APP {
- match {
- source-address any;
- destination-address APP_LAN;
- application [ junos-ssh junos-http junos-https junos-ftp junos-icmp-ping ];
- }
- then {
- permit;
- }
- }
- }
- from-zone APP to-zone Herakles {
- policy APP_TO_Herakles {
- match {
- source-address APP_LAN;
- destination-address any;
- application [ junos-http junos-https junos-ftp ];
- }
- then {
- permit;
- }
- }
- }
- from-zone MGMT to-zone OFFICEVPN {
- policy default-permit {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone Trust {
- tcp-rst;
- address-book {
- address EGIA-WEB-server 192.168.252.35/32;
- address CONSERVATIONREBATES-WEB-server 192.168.252.12/32;
- address EGIA-VPN-server 192.168.252.9/32;
- address STAGE-WEB-server 192.168.252.211/32;
- address EGIAPRDWEB1 192.168.252.53/32;
- address EGIAPRDWEB5 192.168.252.57/32;
- address EGIAQAWEB2 192.168.252.67/32;
- address PGE_VIRTUAL_IP 192.168.252.100/32;
- address EGIAFTP1 192.168.252.80/32;
- address EGIAQWEB4 192.168.252.61/32;
- address NICOR_VIRTUAL_IP 192.168.252.101/32;
- address EGIARPS_VIRTUAL_IP 192.168.252.103/32;
- address SWG_EGIAPRDWEB1 192.168.252.87/32;
- address CCNG_EGIAPRDWEB1 192.168.252.88/32;
- address RECOL_VIRTUAL_IP 192.168.252.104/32;
- address AGL_VIRTUAL_IP 192.168.252.105/32;
- address CNGC_VIRTUAL_IP 192.168.252.106/32;
- address DKNG_VIRTUAL_IP 192.168.252.108/32;
- address VC1 192.168.252.5/32;
- address SOCALGAS_VIRTUAL_IP 192.168.252.109/32;
- address MWDTURF_VIRTUAL_IP 192.168.252.110/32;
- address SDBX_VIRTUAL_IP 192.168.252.111/32;
- address SCGA_VIRTUAL_IP 192.168.252.112/32;
- address NICOR_REVIEW_VIRTUAL_IP 192.168.252.113/32;
- address EGIADC02 192.168.252.102/32;
- address EGIA_99 192.168.252.99/32;
- }
- interfaces {
- reth0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- lo0.0 {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- }
- }
- }
- security-zone Herakles {
- address-book {
- address Dustin1 99.89.113.240/32;
- address Dustin2 32.158.121.9/32;
- address-set Dustin {
- address Dustin1;
- address Dustin2;
- }
- }
- host-inbound-traffic {
- system-services {
- ike;
- }
- }
- interfaces {
- reth1.0 {
- host-inbound-traffic {
- system-services {
- ping;
- ike;
- }
- }
- }
- }
- }
- security-zone OFFICEVPN {
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- interfaces {
- st0.0;
- st0.1;
- }
- }
- security-zone APP {
- address-book {
- address APP_LAN 192.168.11.0/24;
- }
- interfaces {
- reth2.11 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone DATA {
- address-book {
- address DATA_LAN 192.168.12.0/24;
- }
- interfaces {
- reth2.12 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone DMZ {
- address-book {
- address DMZ_LAN 192.168.10.0/24;
- address EGIAPROXY01 192.168.10.12/32;
- }
- interfaces {
- reth2.10 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- }
- }
- }
- }
- }
- security-zone MGMT {
- address-book {
- address MGMT_LAN 192.168.20.0/24;
- }
- interfaces {
- reth2.20 {
- host-inbound-traffic {
- system-services {
- ping;
- dhcp;
- ssh;
- }
- }
- }
- }
- }
- security-zone VPN {
- interfaces {
- st0.2 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- }
- }
- }
- }
- }
- }
- }
- firewall {
- policer bandwidth-control-512k {
- if-exceeding {
- bandwidth-limit 512k;
- burst-size-limit 128k;
- }
- then discard;
- }
- policer bandwidth-control-1024k {
- if-exceeding {
- bandwidth-limit 1024000;
- burst-size-limit 128k;
- }
- then discard;
- }
- policer bandwidth-control-2048k {
- if-exceeding {
- bandwidth-limit 2048000;
- burst-size-limit 512k;
- }
- then discard;
- }
- filter Herakles-in {
- term incoming-internet-access {
- from {
- destination-address {
- xxxxxxxxxxxxxxxxxx
- }
- }
- then accept;
- }
- }
- filter Herakles-out {
- term rackspace_traffic {
- from {
- destination-address {
- xxxxxxxxxxxxxxxxxxxxx
- }
- destination-port [ http https ];
- }
- then accept;
- }
- term rate-limit-web-traffic {
- from {
- source-address {
- 192.168.252.7/32;
- }
- destination-port [ http https ];
- }
- then accept;
- }
- term catch-all {
- then accept;
- }
- }
- }
- applications {
- application ORACLE_APP_IGNORE {
- term t1 alg ignore protocol tcp destination-port 1521;
- }
- application SQUID {
- term t1 protocol tcp destination-port 3128;
- }
- application RDC {
- term t1 protocol tcp destination-port 3389;
- }
- application BARRACUDA {
- term t1 protocol tcp destination-port 1194;
- term t2 protocol udp destination-port 1194;
- term t3 protocol tcp destination-port 5120-5129;
- term t4 protocol udp destination-port 5120-5129;
- }
- }
- {primary:node0}[edit]
- root@EGIAFW01#
- _______________________________