demoss

cfg_wan2

Apr 1st, 2013
  1.  
## Reviewer notes are the "##" lines without a gutter number; every configuration statement is reproduced exactly as pasted.
  2. ## Last changed: 2013-04-02 02:51:51 GMT+4
  3. version 11.4R7.5;
  4. system {
  5. host-name godnet;
  6. time-zone GMT+4;
## The root password hash below has been published in a public paste; treat the credential as exposed and rotate it.
## Junos tags this value as SECRET-DATA - redact it before sharing a configuration.
  7. root-authentication {
  8. encrypted-password "$1$VefloaO/$sKiqNrllv5T5n6e.TdXMT0";
  9. }
  10. name-server {
  11. 10.0.10.254;
  12. 10.0.1.254;
  13. 8.8.8.8;
  14. 8.8.4.4;
  15. }
## telnet and xnm-clear-text carry logins and XML sessions unencrypted; ssh (with root-login deny) and xnm-ssl cover the same needs.
## Because every internal zone below allows system-services all, both services are reachable from every VLAN.
  16. services {
  17. ssh;
  18. telnet;
  19. xnm-clear-text;
## Plain-http J-Web is enabled on all four VLAN interfaces while https is already configured; drop http or limit it to the management VLAN.
  20. web-management {
  21. http {
  22. interface [ vlan.0 vlan.1 vlan.2 vlan.3 fxp2.0 lo0.16384 ];
  23. }
  24. https {
  25. system-generated-certificate;
  26. }
  27. }
  28. dhcp {
  29. pool 192.168.1.0/24 {
  30. address-range low 192.168.1.2 high 192.168.1.254;
  31. router {
  32. 192.168.1.1;
  33. }
  34. propagate-settings vlan.0;
  35. }
## This range (192.168.11.1-253) contains 192.168.11.11, the srv-ad-11 host that the destination NAT below targets;
## no static binding is visible in this paste, so the lease range should exclude that address or reserve it.
  36. pool 192.168.11.0/24 {
  37. address-range low 192.168.11.1 high 192.168.11.253;
  38. maximum-lease-time 86400;
  39. default-lease-time 86400;
  40. router {
  41. 192.168.11.254;
  42. }
  43. propagate-settings vlan.1;
  44. }
  45. pool 192.168.22.0/24 {
  46. address-range low 192.168.22.1 high 192.168.22.253;
  47. maximum-lease-time 86400;
  48. router {
  49. 192.168.22.254;
  50. }
  51. propagate-settings vlan.2;
  52. }
  53. pool 192.168.33.0/24 {
  54. address-range low 192.168.33.1 high 192.168.33.253;
  55. maximum-lease-time 86400;
  56. domain-name cbuh.karelia.pro;
  57. router {
  58. 192.168.33.254;
  59. }
  60. propagate-settings vlan.3;
  61. }
  62. }
  63. }
## Only failed commands are logged and no remote syslog host is configured; "interactive-commands any" plus an off-box
## collector would give a tamper-resistant audit trail of configuration changes on this device.
  64. syslog {
  65. archive size 100k files 3;
  66. user * {
  67. any emergency;
  68. }
  69. file messages {
  70. any critical;
  71. authorization info;
  72. }
  73. file interactive-commands {
  74. interactive-commands error;
  75. }
  76. }
  77. max-configurations-on-flash 5;
  78. max-configuration-rollbacks 20;
  79. license {
  80. autoupdate {
  81. url https://ae1.juniper.net/junos/key_retrieval;
  82. }
  83. }
  84. }
  85. interfaces {
  86. ge-0/0/0 {
  87. unit 0 {
  88. family inet {
  89. address 178.19.246.153/29;
  90. }
  91. }
  92. }
  93. ge-0/0/1 {
  94. unit 0 {
  95. family inet {
  96. address 178.19.242.225/29;
  97. }
  98. }
  99. }
  100. ge-0/0/2 {
  101. unit 0 {
  102. family ethernet-switching {
  103. port-mode access;
  104. }
  105. }
  106. }
  107. ge-0/0/3 {
  108. unit 0 {
  109. family ethernet-switching {
  110. vlan {
  111. members vlan-trust;
  112. }
  113. }
  114. }
  115. }
  116. ge-0/0/4 {
  117. unit 0 {
  118. family ethernet-switching {
  119. vlan {
  120. members server;
  121. }
  122. }
  123. }
  124. }
  125. ge-0/0/5 {
  126. unit 0 {
  127. family ethernet-switching {
  128. vlan {
  129. members minedu;
  130. }
  131. }
  132. }
  133. }
  134. ge-0/0/6 {
  135. unit 0 {
  136. family ethernet-switching {
  137. vlan {
  138. members cbedu;
  139. }
  140. }
  141. }
  142. }
  143. ge-0/0/7 {
  144. unit 0 {
  145. family ethernet-switching {
  146. vlan {
  147. members vlan-trust;
  148. }
  149. }
  150. }
  151. }
  152. ge-0/0/8 {
  153. unit 0 {
  154. family ethernet-switching {
  155. vlan {
  156. members vlan-trust;
  157. }
  158. }
  159. }
  160. }
  161. ge-0/0/9 {
  162. unit 0 {
  163. family ethernet-switching {
  164. vlan {
  165. members vlan-trust;
  166. }
  167. }
  168. }
  169. }
  170. ge-0/0/10 {
  171. unit 0 {
  172. family ethernet-switching {
  173. vlan {
  174. members vlan-trust;
  175. }
  176. }
  177. }
  178. }
  179. ge-0/0/11 {
  180. unit 0 {
  181. family ethernet-switching {
  182. vlan {
  183. members vlan-trust;
  184. }
  185. }
  186. }
  187. }
  188. ge-0/0/12 {
  189. unit 0 {
  190. family ethernet-switching {
  191. vlan {
  192. members vlan-trust;
  193. }
  194. }
  195. }
  196. }
  197. ge-0/0/13 {
  198. unit 0 {
  199. family ethernet-switching {
  200. vlan {
  201. members vlan-trust;
  202. }
  203. }
  204. }
  205. }
  206. ge-0/0/14 {
  207. unit 0 {
  208. family ethernet-switching {
  209. vlan {
  210. members vlan-trust;
  211. }
  212. }
  213. }
  214. }
  215. ge-0/0/15 {
  216. unit 0 {
  217. family inet {
  218. address 192.168.26.237/24;
  219. }
  220. }
  221. }
  222. vlan {
  223. unit 0 {
  224. family inet {
  225. address 192.168.1.1/24;
  226. }
  227. }
  228. unit 1 {
  229. family inet {
  230. address 192.168.11.254/24;
  231. }
  232. }
  233. unit 2 {
  234. family inet {
  235. address 192.168.22.254/24;
  236. }
  237. }
  238. unit 3 {
  239. family inet {
  240. address 192.168.33.254/24;
  241. }
  242. }
  243. }
  244. }
  245. routing-options {
  246. static {
  247. route 0.0.0.0/0 next-hop 178.19.246.158;
## 192.168.26.0/24 is directly connected on ge-0/0/15.0 and the next-hop given here is this device's own vlan.1 address,
## so this route looks stale; confirm it is unused and remove it.
  248. route 192.168.26.0/24 next-hop 192.168.11.254;
  249. }
  250. }
  251. protocols {
  252. stp;
  253. }
  254. security {
## The "remote" entry below holds a literal name with an embedded newline; it looks like an accidentally committed stub - verify what it was meant to reference.
  255. certificates {
  256. local {
  257. remote {
  258. "r-sys-adm\n ";
  259. }
  260. }
  261. }
## isp-1-ip-1, isp-1-ip-2 and isp-1-pl-1 are not referenced by any policy or NAT rule below; unused entries are harmless but obscure the real rule set.
  262. address-book {
  263. global {
  264. address srv-ad-11 192.168.11.11/32;
  265. address isp-1-ip-1 178.19.242.225/32;
  266. address srv-net 192.168.11.0/24;
  267. address minedu-net 192.168.22.0/24;
  268. address edubuh-net 192.168.33.0/24;
  269. address isp-1-ip-2 178.19.242.226/32;
  270. address isp-1-pl-1 {
  271. range-address 178.19.246.153 {
  272. to {
  273. 178.19.246.156;
  274. }
  275. }
  276. }
  277. address old-net 192.168.26.0/24;
  278. address sp1-pl1-ip1 178.19.246.153/32;
  279. }
  280. }
## allow-dns-reply lets DNS replies through that match no existing session, weakening the stateful check for UDP/53; leave it off unless a specific resolver path needs it.
  281. flow {
  282. allow-dns-reply;
  283. }
  284. screen {
  285. ids-option untrust-screen {
  286. icmp {
  287. ping-death;
  288. }
  289. ip {
  290. source-route-option;
  291. tear-drop;
  292. }
  293. tcp {
  294. syn-flood {
  295. alarm-threshold 1024;
  296. attack-threshold 200;
  297. source-threshold 1024;
  298. destination-threshold 2048;
  299. timeout 20;
  300. }
  301. land;
  302. }
  303. }
  304. }
  305. nat {
  306. source {
  307. pool snat-pool1 {
  308. address {
  309. 178.19.246.153/32 to 178.19.246.156/32;
  310. }
  311. }
## snat-pool2 is never referenced: both pool-based rules (source-nat-rule and srv-pool2) translate to snat-pool1.
## Either remove the unused pool or fix the rule that was meant to use it.
  312. pool snat-pool2 {
  313. address {
  314. 217.77.50.129/32 to 217.77.50.131/32;
  315. }
  316. }
  317. rule-set trust-to-untrust {
  318. from zone trust;
  319. to zone untrust;
  320. rule source-nat-rule {
  321. match {
  322. source-address 0.0.0.0/0;
  323. }
  324. then {
  325. source-nat {
  326. pool {
  327. snat-pool1;
  328. }
  329. }
  330. }
  331. }
  332. }
  333. rule-set srv-untrast {
  334. from zone server;
  335. to zone untrust;
  336. rule srv-pool2 {
  337. match {
  338. source-address 192.168.11.0/24;
  339. destination-address 0.0.0.0/0;
  340. }
  341. then {
  342. source-nat {
  343. pool {
  344. snat-pool1;
  345. }
  346. }
  347. }
  348. }
  349. }
  350. rule-set srv-trust {
  351. from zone server;
  352. to interface ge-0/0/15.0;
  353. rule srv-trust {
  354. match {
  355. source-address 192.168.11.0/24;
  356. destination-address 192.168.26.0/24;
  357. }
  358. then {
  359. source-nat {
  360. interface;
  361. }
  362. }
  363. }
  364. }
  365. }
  366. destination {
  367. pool srv-main {
  368. address 192.168.11.11/32 port 3389;
  369. }
## This forwards TCP/3389 from any Internet source to 192.168.11.11. The matching policy (srv-rdp2) only permits source
## sp1-pl1-ip1, this device's own WAN address, so ordinary external clients should not be permitted; if public RDP is
## genuinely required, restrict the sources and match the "rdp" application rather than "any".
  370. rule-set srv-rdp-isp1-pl1 {
  371. from zone untrust;
  372. rule isp-1-pl-1-to-srv {
  373. match {
  374. source-address 0.0.0.0/0;
  375. destination-address-name sp1-pl1-ip1;
  376. destination-port 3389;
  377. }
  378. then {
  379. destination-nat pool srv-main;
  380. }
  381. }
  382. }
  383. }
  384. proxy-arp {
  385. interface ge-0/0/0.0 {
  386. address {
  387. 178.19.246.154/32 to 178.19.246.156/32;
  388. }
  389. }
  390. }
  391. }
## Every policy here matches "application any"; the "rdp" application defined under applications is never used.
  392. policies {
  393. from-zone trust to-zone untrust {
  394. policy trust-to-untrust {
  395. match {
  396. source-address any;
  397. destination-address any;
  398. application any;
  399. }
  400. then {
  401. permit;
  402. }
  403. }
  404. }
  405. from-zone server to-zone untrust {
  406. policy srv-untrast {
  407. match {
  408. source-address srv-net;
  409. destination-address any;
  410. application any;
  411. }
  412. then {
  413. permit;
  414. }
  415. }
  416. }
  417. from-zone minedu to-zone untrust {
  418. policy min-untrast {
  419. match {
  420. source-address minedu-net;
  421. destination-address any;
  422. application any;
  423. }
  424. then {
  425. permit;
  426. }
  427. }
  428. }
  429. from-zone edubuh to-zone untrust {
  430. policy buh-untrast {
  431. match {
  432. source-address edubuh-net;
  433. destination-address any;
  434. application any;
  435. }
  436. then {
  437. permit;
  438. }
  439. }
  440. }
  441. from-zone server to-zone trust {
  442. policy srv-trust {
  443. match {
  444. source-address any;
  445. destination-address old-net;
  446. application any;
  447. }
  448. then {
  449. permit;
  450. }
  451. }
  452. }
## Policy lookup happens after destination NAT, so destination srv-ad-11 (192.168.11.11) matches the translated RDP flow;
## the source-address sp1-pl1-ip1 (178.19.246.153/32) is this device's own address, which real external clients do not carry.
## Confirm the intent before loosening it - opening any-application access to an internal host from the Internet is a high-risk change.
  453. from-zone untrust to-zone server {
  454. policy srv-rdp2 {
  455. match {
  456. source-address sp1-pl1-ip1;
  457. destination-address srv-ad-11;
  458. application any;
  459. }
  460. then {
  461. permit;
  462. }
  463. }
  464. }
## Intra-zone untrust traffic is denied by default on SRX; this policy permits any-to-any between the untrust interfaces
## (ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0). Remove it unless transit between those interfaces is intended.
  465. from-zone untrust to-zone untrust {
  466. policy un-to-un {
  467. match {
  468. source-address any;
  469. destination-address any;
  470. application any;
  471. }
  472. then {
  473. permit;
  474. }
  475. }
  476. }
  477. }
  478. zones {
## system-services all / protocols all on the internal zones (trust, server, minedu, edubuh) exposes every management
## service enabled above - including telnet, http and xnm-clear-text - to every VLAN; list only what each segment needs.
  479. security-zone trust {
  480. host-inbound-traffic {
  481. system-services {
  482. all;
  483. }
  484. protocols {
  485. all;
  486. }
  487. }
  488. interfaces {
  489. vlan.0;
  490. ge-0/0/15.0;
  491. }
  492. }
  493. security-zone untrust {
  494. screen untrust-screen;
  495. interfaces {
## WAN-facing host-inbound services: tftp, http, dns and rlogin have no management use here, and bgp/ospf/rip are admitted
## although only stp is configured under protocols. Narrow this (and ge-0/0/1.0 below) to ping and ssh, and front ssh with a
## source-restricted lo0 firewall filter; none is visible in this paste.
  496. ge-0/0/0.0 {
  497. host-inbound-traffic {
  498. system-services {
  499. tftp;
  500. http;
  501. ping;
  502. ssh;
  503. }
  504. protocols {
  505. bgp;
  506. ospf;
  507. rip;
  508. }
  509. }
  510. }
  511. ge-0/0/1.0 {
  512. host-inbound-traffic {
  513. system-services {
  514. tftp;
  515. http;
  516. ping;
  517. ssh;
  518. dns;
  519. rlogin;
  520. }
  521. protocols {
  522. bgp;
  523. ospf;
  524. rip;
  525. }
  526. }
  527. }
  528. ge-0/0/2.0;
  529. }
  530. }
  531. security-zone server {
  532. host-inbound-traffic {
  533. system-services {
  534. all;
  535. }
  536. protocols {
  537. all;
  538. }
  539. }
  540. interfaces {
  541. vlan.1;
  542. }
  543. }
  544. security-zone minedu {
  545. host-inbound-traffic {
  546. system-services {
  547. all;
  548. }
  549. protocols {
  550. all;
  551. }
  552. }
  553. interfaces {
  554. vlan.2;
  555. }
  556. }
  557. security-zone edubuh {
  558. host-inbound-traffic {
  559. system-services {
  560. all;
  561. }
  562. protocols {
  563. all;
  564. }
  565. }
  566. interfaces {
  567. vlan.3;
  568. }
  569. }
  570. }
  571. }
## Defined but unreferenced: no policy uses "rdp", so the 3389-only restriction it expresses is not enforced anywhere.
  572. applications {
  573. application rdp {
  574. protocol tcp;
  575. destination-port 3389;
  576. }
  577. }
  578. vlans {
  579. cbedu {
  580. vlan-id 33;
  581. l3-interface vlan.3;
  582. }
  583. minedu {
  584. vlan-id 22;
  585. l3-interface vlan.2;
  586. }
  587. server {
  588. vlan-id 11;
  589. l3-interface vlan.1;
  590. }
  591. vlan-trust {
  592. vlan-id 3;
  593. l3-interface vlan.0;
  594. }
  595. }