  ## Last changed: 2012-09-10 12:27:26 UTC
  /* Junos release the configuration was taken from; confirm the release is still supported before reusing this config */
  version 12.1R2.9;
  system {
      host-name gate101;
      domain-name xxxxxxxxx;
      root-authentication {
          /* "$1$" is MD5-crypt; this hash is in a public paste, so the root password should be rotated */
          encrypted-password "$1$n/hU9xO6$XDcjEKVvT3KXCPNsDUtmK1";
      }
      login {
          /* Single super-user account; same MD5-crypt format and same exposure as the root hash */
          user guys {
              uid 2002;
              class super-user;
              authentication {
                  encrypted-password "$1$JF6cPLr3$X10sEr/w3m2GMN5JWGMvT/";
              }
          }
      }
      services {
          ssh;
          /* telnet and http are clear-text management channels; ssh and https are the encrypted equivalents */
          telnet;
          web-management {
              http;
          }
      }
      syslog {
          /* IDS (screen) events: only RT_IDS messages land in this file; archives are world-readable on the box */
          file ids {
              any any;
              match RT_IDS;
              archive world-readable;
              structured-data;
          }
          /* Session logs from policies that have "log session-init/session-close" enabled */
          file traffic-log {
              any any;
              match RT_FLOW_SESSION;
          }
      }
  }
  interfaces {
      /* UNTRUST uplink (ge-0/0/0.826); only VLAN 826 is configured; the public address is redacted in the paste */
      ge-0/0/0 {
          vlan-tagging;
          gigether-options {
              auto-negotiation;
          }
          unit 826 {
              vlan-id 826;
              family inet {
                  address 8x.xx.76.1xx/28;
              }
          }
      }
      /* SETUP zone (ge-0/0/2.0) */
      ge-0/0/2 {
          unit 0 {
              family inet {
                  address 192.168.1.1/24;
              }
          }
      }
      /* VPN_DMZ zone (ge-0/0/4.0); the VPN_Server address 10.3.0.192 is on this subnet */
      ge-0/0/4 {
          gigether-options {
              no-auto-negotiation;
          }
          unit 0 {
              family inet {
                  address 10.3.0.125/24;
              }
          }
      }
      /* Tagged trunk; only VLAN 55 is defined and it is placed in zone LAN */
      ge-0/0/5 {
          description trunkport;
          vlan-tagging;
          gigether-options {
              no-auto-negotiation;
          }
          unit 55 {
              description "Link to Cisc0";
              vlan-id 55;
              family inet {
                  address 172.16.2.1/24;
              }
          }
      }
      /* LAN zone; 10.41.0.254 on this subnet is the next hop for the internal static routes */
      ge-0/0/6 {
          unit 0 {
              family inet {
                  address 10.41.0.125/24;
              }
          }
      }
      /* DMZ zone (ge-0/0/8.10); every published server in the DMZ address book is in 10.1.0.0/24 */
      ge-0/0/8 {
          vlan-tagging;
          gigether-options {
              auto-negotiation;
          }
          unit 10 {
              vlan-id 10;
              family inet {
                  address 10.1.0.125/24;
              }
          }
      }
      /* LAN zone (second LAN segment) */
      ge-0/0/15 {
          unit 0 {
              family inet {
                  address 10.0.0.146/24;
              }
          }
      }
  }
  routing-options {
      static {
          /* Default route toward the provider; the next hop is redacted in the paste */
          route 0.0.0.0/0 next-hop 82.xx.xx.x30;
          /* Internal prefixes behind 10.41.0.254 on the LAN segment (ge-0/0/6.0) */
          route 10.22.0.0/24 next-hop 10.41.0.254;
          route 10.0.0.0/24 next-hop 10.41.0.254;
          route 10.2.0.0/24 next-hop 10.41.0.254;
          route 10.20.0.0/24 next-hop 10.41.0.254;
      }
  }
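  security {
      log {
          /* Session logs go through system syslog; the "traffic-log" file there matches RT_FLOW_SESSION */
          mode event;
      }
      application-tracking {
          first-update;
      }
      screen {
          /* Bound to zone UNTRUST below; thresholds are operator-tuned, review them against observed traffic */
          ids-option UNTRUST {
              icmp {
                  ip-sweep threshold 2000;
                  fragment;
                  large;
                  flood threshold 2000;
                  ping-death;
              }
              ip {
                  spoofing;
                  block-frag;
                  tear-drop;
              }
              tcp {
                  syn-fin;
                  fin-no-ack;
                  tcp-no-flag;
                  syn-frag;
                  port-scan threshold 2000;
                  syn-ack-ack-proxy threshold 512;
                  syn-flood {
                      alarm-threshold 512;
                      attack-threshold 500;
                      source-threshold 4000;
                      destination-threshold 4000;
                      timeout 20;
                  }
                  land;
                  winnuke;
              }
              udp {
                  flood threshold 2000;
              }
          }
      }
      nat {
          source {
              rule-set Outbound_NAT {
                  from zone [ DMZ LAN SETUP VPN_DMZ ];
                  to zone UNTRUST;
                  rule Outbound_NAT {
                      match {
                          /* 10.55.0.0/24 is not configured on any interface or static route in this file; confirm the intended source prefix */
                          source-address 10.55.0.1/24;
                          /* Only flows to destination ports 1024-65535 are translated; traffic to low ports (80, 443, 53, ...) is not; confirm this is intended */
                          destination-port 1024 to 65535;
                      }
                      then {
                          source-nat {
                              interface;
                          }
                      }
                  }
              }
          }
          destination {
              /* No destination rule-set references these pools; inbound mapping is done by the static rule-set below. */
              /* Note the names do not line up with the DMZ address book: Inbound_Web_2 -> 10.1.0.138 (Web_3), Inbound_Web_3 -> 10.1.0.134 (Web_4) */
              pool Inbound_VPN {
                  address 10.3.0.192/32 port 1723;
              }
              pool Inbound_DNS {
                  address 10.1.0.191/32 port 53;
              }
              pool Inbound_Mail {
                  address 10.1.0.163/32 port 25;
              }
              pool Inbound_TLS {
                  address 10.1.0.163/32 port 587;
              }
              pool Inbound_Web_1 {
                  address 10.1.0.202/32 port 80;
              }
              pool Inbound_SWEB_1 {
                  address 10.1.0.202/32 port 443;
              }
              pool Inbound_Web_2 {
                  address 10.1.0.138/32 port 80;
              }
              pool Inbound_SWEB_2 {
                  address 10.1.0.138/32 port 443;
              }
              pool Inbound_Web_3 {
                  address 10.1.0.134/32 port 80;
              }
              pool Inbound_SWEB_3 {
                  address 10.1.0.134/32 port 443;
              }
          }
          static {
              /* One-to-one mappings from public addresses (redacted) to the DMZ/VPN_DMZ servers; policies still gate which ports are reachable */
              rule-set Inbound_NAT {
                  from zone UNTRUST;
                  rule VPN {
                      match {
                          destination-address 8x.xx.xx.xxx/32;
                      }
                      then {
                          static-nat prefix 10.3.0.192/32;
                      }
                  }
                  rule DNS {
                      match {
                          destination-address 8xx.xx.7.1xxx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.191/32;
                      }
                  }
                  rule MAIL {
                      match {
                          destination-address 8xx.xx.xxx.xx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.163/32;
                      }
                  }
                  rule WEB1 {
                      match {
                          destination-address 8xx.xx.xxx.xx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.202/32;
                      }
                  }
                  rule WEB2 {
                      match {
                          destination-address 8xx.xx.xxx.xx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.198/32;
                      }
                  }
                  rule WEB3 {
                      match {
                          /* original carried a duplicated "/32/32" suffix, which is not a valid prefix */
                          destination-address 8xx.xx.xxx.xx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.138/32;
                      }
                  }
                  rule WEB4 {
                      match {
                          /* original carried a duplicated "/32/32" suffix, which is not a valid prefix */
                          destination-address 8xx.xx.xxx.xx/32;
                      }
                      then {
                          static-nat prefix 10.1.0.134/32;
                      }
                  }
              }
          }
          proxy-arp {
              /* Answers ARP on the UNTRUST uplink for the public ranges used by the static NAT rules (redacted) */
              interface ge-0/0/0.0 {
                  address {
                      8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
                      8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
                      8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
                  }
              }
          }
      }
      policies {
          /* Every policy below is a permit; the SRX default deny is silent, so an explicit final deny policy with "log session-init" would make blocked attempts visible in traffic-log */
          from-zone UNTRUST to-zone DMZ {
              policy Inbound_Web {
                  description "HTTP and HTTPS inbound to Web Servers";
                  match {
                      source-address any;
                      destination-address [ Web_1 Web_2 Web_3 Web_4 ];
                      /* junos-ping also lets the internet ping the web servers directly */
                      application [ junos-http junos-https junos-ping ];
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
              policy Inbound_Mail {
                  description "SMTP and TLS inbound to Mail Server";
                  match {
                      source-address any;
                      destination-address MAIL;
                      /* "tls" is the custom TCP/587 application defined under [applications] */
                      application [ junos-mail tls junos-ping ];
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
              policy Inbound_DNS {
                  description "DNS inbound to Name Server";
                  match {
                      source-address any;
                      destination-address Name_Server;
                      application [ junos-dns-udp junos-dns-tcp junos-ping ];
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
          }
          from-zone UNTRUST to-zone VPN_DMZ {
              policy Inbound_VPN {
                  description "Inbound to VPN Server";
                  match {
                      source-address any;
                      destination-address VPN_Server;
                      /* PPTP/GRE: PPTP's MS-CHAPv2 authentication is considered broken; a modern VPN should replace it */
                      application [ junos-pptp junos-gre ];
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
          }
          from-zone DMZ to-zone UNTRUST {
              /* Unrestricted egress from the DMZ; a compromised DMZ host can reach any internet destination, so consider limiting to the ports the servers need */
              policy Outbound_Allow {
                  description "Allowing all traffic outbound from DMZ to the internet";
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
          }
          from-zone LAN to-zone UNTRUST {
              policy LAN_Allow {
                  description "Allowing all traffic outbound from LAN to the internet";
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                          session-close;
                      }
                  }
              }
          }
      }
      zones {
          security-zone UNTRUST {
              /* Applies the ids-option above; the box itself only answers ping from the internet */
              screen UNTRUST;
              host-inbound-traffic {
                  system-services {
                      ping;
                  }
              }
              interfaces {
                  ge-0/0/0.826;
              }
              application-tracking;
          }
          /* SETUP, VPN_DMZ, LAN and DMZ all expose telnet and http to the firewall itself (clear-text management); ssh and https are the encrypted options */
          security-zone SETUP {
              host-inbound-traffic {
                  system-services {
                      telnet;
                      ssh;
                      http;
                      ping;
                  }
              }
              interfaces {
                  ge-0/0/2.0;
              }
          }
          security-zone VPN_DMZ {
              address-book {
                  address VPN_Server 10.3.0.192/32;
              }
              host-inbound-traffic {
                  system-services {
                      telnet;
                      ssh;
                      http;
                      ping;
                  }
              }
              interfaces {
                  ge-0/0/4.0;
              }
              application-tracking;
          }
          security-zone LAN {
              host-inbound-traffic {
                  system-services {
                      telnet;
                      ssh;
                      http;
                      ping;
                  }
              }
              interfaces {
                  ge-0/0/6.0;
                  ge-0/0/15.0;
                  ge-0/0/5.55;
              }
              application-tracking;
          }
          security-zone DMZ {
              /* These entries are the targets of the static NAT rules above (WEB1..WEB4, MAIL, DNS) */
              address-book {
                  address Web_1 10.1.0.202/32;
                  address Web_2 10.1.0.198/32;
                  address Web_3 10.1.0.138/32;
                  address MAIL 10.1.0.163/32;
                  address Name_Server 10.1.0.191/32;
                  address Web_4 10.1.0.134/32;
              }
              host-inbound-traffic {
                  system-services {
                      telnet;
                      ssh;
                      http;
                      ping;
                      https;
                  }
              }
              interfaces {
                  ge-0/0/8.10;
              }
              application-tracking;
          }
      }
  }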
  applications {
      /* Custom application referenced by policy Inbound_Mail: mail submission on TCP/587 */
      application tls {
          protocol tcp;
          destination-port 587;
      }
  }