- set version 12.3X48-D105.4
- set system host-name FW01
- set system domain-name domain.cz
- set system time-zone Europe/Prague
- set system name-server 193.17.47.1
- set system name-server 185.43.135.1
- set system services ssh
- set system services xnm-clear-text
- set system services dns dns-proxy cache server.domain.cz inet 10.0.1.4
- set system services web-management http
- set system services web-management https system-generated-certificate
- set system services web-management https interface ae1.1100
- set system services dhcp name-server 193.17.47.1
- set system services dhcp name-server 185.43.135.1
- set system services dhcp pool 10.0.0.0/28 address-range low 10.0.0.4
- set system services dhcp pool 10.0.0.0/28 address-range high 10.0.0.14
- set system services dhcp pool 10.0.0.0/28 exclude-address 10.0.0.4
- set system services dhcp pool 10.0.0.0/28 router 10.0.0.1
- set system services dhcp pool 10.0.4.0/23 address-range low 10.0.4.51
- set system services dhcp pool 10.0.4.0/23 address-range high 10.0.5.254
- set system services dhcp pool 10.0.4.0/23 router 10.0.4.1
- set system services dhcp pool 10.0.6.0/24 address-range low 10.0.6.11
- set system services dhcp pool 10.0.6.0/24 address-range high 10.0.6.254
- set system services dhcp pool 10.0.6.0/24 router 10.0.6.1
- set system services dhcp pool 10.0.7.0/26 address-range low 10.0.7.2
- set system services dhcp pool 10.0.7.0/26 address-range high 10.0.7.62
- set system services dhcp pool 10.0.7.0/26 router 10.0.7.1
- set system services dhcp static-binding f0:de:f1:8a:05:be fixed-address 10.0.0.10
- set system services dhcp static-binding f0:de:f1:8a:05:be host-name W520_LAN
- set system services dhcp static-binding c4:ad:34:ff:07:d6 fixed-address 10.0.0.6
- set system services dhcp static-binding c4:ad:34:ff:07:d6 host-name AP01_Po1.1100
- set system services dhcp static-binding d4:ca:6d:07:37:b0 fixed-address 10.0.0.7
- set system services dhcp static-binding d4:ca:6d:07:37:b0 host-name AP02_Eth1.1100
- set system syslog archive size 64m
- set system syslog archive files 3
- set system syslog user * any emergency
- set system syslog file messages any error
- set system syslog file messages authorization info
- set system syslog file interactive-commands interactive-commands error
- set system syslog file traffic-log any any
- set system syslog file traffic-log match RT_FLOW_SESSION
- set system max-configurations-on-flash 5
- set system max-configuration-rollbacks 5
- set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
- set system ntp server 195.113.144.201
- set system ntp server 195.113.144.238
- set chassis aggregated-devices ethernet device-count 3
- set security log mode event
- set security screen ids-option untrust-screen icmp ping-death
- set security screen ids-option untrust-screen ip source-route-option
- set security screen ids-option untrust-screen ip tear-drop
- set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
- set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
- set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
- set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
- set security screen ids-option untrust-screen tcp syn-flood timeout 20
- set security screen ids-option untrust-screen tcp land
- set security nat source rule-set SNAT_DMZ_to_INET description "Source NAT for DMZ to Internet via Egress interface IP"
- set security nat source rule-set SNAT_DMZ_to_INET from zone DMZ
- set security nat source rule-set SNAT_DMZ_to_INET to zone untrust
- set security nat source rule-set SNAT_DMZ_to_INET rule SNAT_DMZ_to_INET description "Source NAT for DMZ to Internet via Egress interface IP"
- set security nat source rule-set SNAT_DMZ_to_INET rule SNAT_DMZ_to_INET match source-address 0.0.0.0/0
- set security nat source rule-set SNAT_DMZ_to_INET rule SNAT_DMZ_to_INET match destination-address 0.0.0.0/0
- set security nat source rule-set SNAT_DMZ_to_INET rule SNAT_DMZ_to_INET then source-nat interface
- set security nat source rule-set SNAT_Trust_to_INET description "Source NAT for Trust to Internet via Egress interface IP"
- set security nat source rule-set SNAT_Trust_to_INET from zone trust
- set security nat source rule-set SNAT_Trust_to_INET to zone untrust
- set security nat source rule-set SNAT_Trust_to_INET rule SNAT_Trust_to_INET description "Source NAT for Trust to Internet via Egress interface IP"
- set security nat source rule-set SNAT_Trust_to_INET rule SNAT_Trust_to_INET match source-address 0.0.0.0/0
- set security nat source rule-set SNAT_Trust_to_INET rule SNAT_Trust_to_INET match destination-address 0.0.0.0/0
- set security nat source rule-set SNAT_Trust_to_INET rule SNAT_Trust_to_INET then source-nat interface
- set security nat destination pool SERVER01_HTTP description "SERVER01 HTTP"
- set security nat destination pool SERVER01_HTTP routing-instance default
- set security nat destination pool SERVER01_HTTP address 10.0.1.4/32
- set security nat destination pool SERVER01_HTTP address port 80
- set security nat destination pool SERVER01_HTTPS description "SERVER01 HTTPS"
- set security nat destination pool SERVER01_HTTPS address 10.0.1.4/32
- set security nat destination pool SERVER01_HTTPS address port 443
- set security nat destination pool SERVER01_Torrent description SERVER01_Torrent
- set security nat destination pool SERVER01_Torrent routing-instance default
- set security nat destination pool SERVER01_Torrent address 10.0.1.4/32
- set security nat destination pool SERVER01_Torrent address port 9091
- set security nat destination pool SERVER01_Minecraft description SERVER01_Minecraft
- set security nat destination pool SERVER01_Minecraft routing-instance default
- set security nat destination pool SERVER01_Minecraft address 10.0.1.4/32
- set security nat destination pool SERVER01_Minecraft address port 25565
- set security nat destination pool SERVER01_Dynmap description SERVER01_Dynmap
- set security nat destination pool SERVER01_Dynmap routing-instance default
- set security nat destination pool SERVER01_Dynmap address 10.0.1.4/32
- set security nat destination pool SERVER01_Dynmap address port 8123
- set security nat destination rule-set SERVER01 description "Port forwardings (DNAT) for SERVER01"
- set security nat destination rule-set SERVER01 from zone untrust
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP description "HTTP port forwarding to SERVER01"
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP match source-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP match destination-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP match destination-port 80
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP match protocol tcp
- set security nat destination rule-set SERVER01 rule SERVER01_HTTP then destination-nat pool SERVER01_HTTP
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS description "HTTPS port forwarding to SERVER01"
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS match source-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS match destination-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS match destination-port 443
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS match protocol tcp
- set security nat destination rule-set SERVER01 rule SERVER01_HTTPS then destination-nat pool SERVER01_HTTPS
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft description "Minecraft port forwarding to SERVER01"
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft match source-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft match destination-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft match destination-port 25565
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft match protocol tcp
- set security nat destination rule-set SERVER01 rule SERVER01_Minecraft then destination-nat pool SERVER01_Minecraft
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent description "Torrent port forwarding to SERVER01"
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent match source-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent match destination-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent match destination-port 9091
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent match protocol tcp
- set security nat destination rule-set SERVER01 rule SERVER01_Torrent then destination-nat pool SERVER01_Torrent
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap description "Dynmap port forwarding to SERVER01"
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap match source-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap match destination-address 0.0.0.0/0
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap match destination-port 8123
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap match protocol tcp
- set security nat destination rule-set SERVER01 rule SERVER01_Dynmap then destination-nat pool SERVER01_Dynmap
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
- set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
- set security policies from-zone trust to-zone untrust policy trust-to-untrust then count
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt description "Allowing access from LAN to Management"
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt match source-address LAN1_10.0.4.0/23
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt match destination-address MGMT_10.0.0.0/28
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt match application junos-ssh
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt match application junos-http
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt match application junos-https
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt then permit
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt then log session-close
- set security policies from-zone trust to-zone trust policy Access_to_Mgmt then count
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest description "All Trust networks access to Wifi Guest"
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest match source-address LAN1_10.0.4.0/23
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest match source-address WIFI1_10.0.6.0/24
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest match destination-address WIFI2_GUEST_10.0.7.0/26
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest match application any
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest then permit
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest then log session-close
- set security policies from-zone trust to-zone trust policy Trust_to_WiFI_Guest then count
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 description "Access from Trust to SERVER01"
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 match source-address LAN1_10.0.4.0/23
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 match source-address WIFI1_10.0.6.0/24
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 match application junos-ssh
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 match application junos-https
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 then permit
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 then log session-close
- set security policies from-zone trust to-zone DMZ policy Trust_to_SERVER01 then count
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud description "Access from WiFi Guest to Nextcloud"
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud match source-address WIFI2_GUEST_10.0.7.0/26
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud match application junos-https
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud then permit
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud then log session-close
- set security policies from-zone trust to-zone DMZ policy Wifi_Guet_To_NextCloud then count
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet description "Access from DMZ to Internet"
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match source-address DMZ1_10.0.1.0/29
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match source-address DMZ2_10.0.1.8/29
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match destination-address any
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match application junos-http
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match application junos-https
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet match application Torrent
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet then permit
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet then log session-close
- set security policies from-zone DMZ to-zone untrust policy DMZ_to_Internet then count
- set security policies from-zone untrust to-zone DMZ policy Nextcloud description "Access to Nextcloud server."
- set security policies from-zone untrust to-zone DMZ policy Nextcloud match source-address any
- set security policies from-zone untrust to-zone DMZ policy Nextcloud match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone untrust to-zone DMZ policy Nextcloud match application junos-http
- set security policies from-zone untrust to-zone DMZ policy Nextcloud match application junos-https
- set security policies from-zone untrust to-zone DMZ policy Nextcloud then permit
- set security policies from-zone untrust to-zone DMZ policy Nextcloud then log session-close
- set security policies from-zone untrust to-zone DMZ policy Nextcloud then count
- set security policies from-zone untrust to-zone DMZ policy Torrent description "Access to Torrent server"
- set security policies from-zone untrust to-zone DMZ policy Torrent match source-address any
- set security policies from-zone untrust to-zone DMZ policy Torrent match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone untrust to-zone DMZ policy Torrent match application Torrent
- set security policies from-zone untrust to-zone DMZ policy Torrent then permit
- set security policies from-zone untrust to-zone DMZ policy Torrent then log session-close
- set security policies from-zone untrust to-zone DMZ policy Torrent then count
- set security policies from-zone untrust to-zone DMZ policy Minecraft description "Access to Minecraft server"
- set security policies from-zone untrust to-zone DMZ policy Minecraft match source-address any
- set security policies from-zone untrust to-zone DMZ policy Minecraft match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone untrust to-zone DMZ policy Minecraft match application Minecraft
- set security policies from-zone untrust to-zone DMZ policy Minecraft then permit
- set security policies from-zone untrust to-zone DMZ policy Minecraft then log session-close
- set security policies from-zone untrust to-zone DMZ policy Minecraft then count
- set security policies from-zone untrust to-zone DMZ policy Dynmap description "Access to Minecraft Dynmap"
- set security policies from-zone untrust to-zone DMZ policy Dynmap match source-address any
- set security policies from-zone untrust to-zone DMZ policy Dynmap match destination-address host_10.0.1.4_SERVER01
- set security policies from-zone untrust to-zone DMZ policy Dynmap match application Dynmap
- set security policies from-zone untrust to-zone DMZ policy Dynmap then permit
- set security policies from-zone untrust to-zone DMZ policy Dynmap then log session-close
- set security policies from-zone untrust to-zone DMZ policy Dynmap then count
- set security policies default-policy deny-all
- set security zones security-zone trust description "Internal networks"
- set security zones security-zone trust address-book address LAN1_10.0.4.0/23 10.0.4.0/23
- set security zones security-zone trust address-book address MGMT_10.0.0.0/28 10.0.0.0/28
- set security zones security-zone trust address-book address WIFI1_10.0.6.0/24 10.0.6.0/24
- set security zones security-zone trust address-book address WIFI2_GUEST_10.0.7.0/26 10.0.7.0/26
- set security zones security-zone trust host-inbound-traffic system-services all
- set security zones security-zone trust interfaces ae1.1200
- set security zones security-zone trust interfaces ae1.1100
- set security zones security-zone trust interfaces ae1.1300
- set security zones security-zone trust interfaces ae1.1400
- set security zones security-zone untrust description Internet
- set security zones security-zone untrust screen untrust-screen
- set security zones security-zone untrust interfaces pp0.0
- set security zones security-zone untrust interfaces ge-0/0/7.848
- set security zones security-zone DMZ description DMZ
- set security zones security-zone DMZ address-book address DMZ1_10.0.1.0/29 10.0.1.0/29
- set security zones security-zone DMZ address-book address DMZ2_10.0.1.8/29 10.0.1.8/29
- set security zones security-zone DMZ address-book address host_10.0.1.4_SERVER01 10.0.1.4/32
- set security zones security-zone DMZ address-book address host_10.0.1.12_RB01 10.0.1.12/32
- set security zones security-zone DMZ host-inbound-traffic system-services ping
- set security zones security-zone DMZ host-inbound-traffic system-services dns
- set security zones security-zone DMZ host-inbound-traffic system-services dhcp
- set security zones security-zone DMZ interfaces ae2.100
- set security zones security-zone DMZ interfaces ae2.200
- set interfaces ge-0/0/0 description "SW01_Gi1/0/41 (Po1); ae1 member"
- set interfaces ge-0/0/0 gigether-options 802.3ad ae1
- set interfaces ge-0/0/1 description "SW01_Gi1/0/42 (Po1); ae1 member"
- set interfaces ge-0/0/1 gigether-options 802.3ad ae1
- set interfaces ge-0/0/2 description "SW01_Gi1/0/43 (Po1); ae1 member"
- set interfaces ge-0/0/2 gigether-options 802.3ad ae1
- set interfaces ge-0/0/3 description "SW01_Gi1/0/44 (Po1); ae1 member"
- set interfaces ge-0/0/3 gigether-options 802.3ad ae1
- set interfaces ge-0/0/4 description "SW01_Gi1/0/45 (Po2); ae2 member"
- set interfaces ge-0/0/4 gigether-options 802.3ad ae2
- set interfaces ge-0/0/5 description "SW01_Gi1/0/46 (Po2); ae2 member"
- set interfaces ge-0/0/5 gigether-options 802.3ad ae2
- set interfaces ge-0/0/6 description "SW01_Gi1/0/47 (Po2); ae2 member"
- set interfaces ge-0/0/6 gigether-options 802.3ad ae2
- set interfaces ge-0/0/7 description "INTERNET via SW01_Gi1/0/48"
- set interfaces ge-0/0/7 vlan-tagging
- set interfaces ge-0/0/7 unit 848 description INTERNET
- set interfaces ge-0/0/7 unit 848 encapsulation ppp-over-ether
- set interfaces ge-0/0/7 unit 848 vlan-id 848
- set interfaces ae1 description "SW01_Po1; INSIDE"
- set interfaces ae1 vlan-tagging
- set interfaces ae1 aggregated-ether-options link-speed 1g
- set interfaces ae1 aggregated-ether-options lacp active
- set interfaces ae1 unit 1100 description WIFI_MGMT_10.0.0.0/28
- set interfaces ae1 unit 1100 vlan-id 1100
- set interfaces ae1 unit 1100 family inet address 10.0.0.1/28
- set interfaces ae1 unit 1200 description LAN1_10.0.4.0/23
- set interfaces ae1 unit 1200 vlan-id 1200
- set interfaces ae1 unit 1200 family inet address 10.0.4.1/23
- set interfaces ae1 unit 1300 description WIFI1_10.0.6.0/24
- set interfaces ae1 unit 1300 vlan-id 1300
- set interfaces ae1 unit 1300 family inet address 10.0.6.1/24
- set interfaces ae1 unit 1400 description WIFI2_GUEST_10.0.7.0/26
- set interfaces ae1 unit 1400 vlan-id 1400
- set interfaces ae1 unit 1400 family inet address 10.0.7.1/26
- set interfaces ae2 description "SW01_Po2; OUTSIDE"
- set interfaces ae2 vlan-tagging
- set interfaces ae2 aggregated-ether-options link-speed 1g
- set interfaces ae2 aggregated-ether-options lacp active
- set interfaces ae2 unit 100 description DMZ1_10.0.1.0/29
- set interfaces ae2 unit 100 vlan-id 100
- set interfaces ae2 unit 100 family inet address 10.0.1.1/29
- set interfaces ae2 unit 200 description DMZ2_10.0.1.8/29
- set interfaces ae2 unit 200 vlan-id 200
- set interfaces ae2 unit 200 family inet address 10.0.1.9/29
- set interfaces pp0 unit 0 ppp-options pap local-name O2
- set interfaces pp0 unit 0 ppp-options pap no-rfc2486
- set interfaces pp0 unit 0 ppp-options pap local-password "******"
- set interfaces pp0 unit 0 ppp-options pap passive
- set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/7.848
- set interfaces pp0 unit 0 pppoe-options idle-timeout 0
- set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
- set interfaces pp0 unit 0 pppoe-options client
- set interfaces pp0 unit 0 family inet mtu 1492
- set interfaces pp0 unit 0 family inet negotiate-address
- set routing-options static route 0.0.0.0/0 next-hop pp0.0
- set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.1
- set routing-options static route 0.0.0.0/0 metric 0
- set protocols lldp interface all
- set protocols stp
- set applications application Minecraft protocol tcp
- set applications application Minecraft destination-port 25565
- set applications application Minecraft description "Minecraft server"
- set applications application Dynmap protocol tcp
- set applications application Dynmap destination-port 8123
- set applications application Dynmap description "Dynmap for Minecraft"
- set applications application Torrent protocol tcp
- set applications application Torrent destination-port 9091
- set applications application Torrent description "Torrent server"
- set vlans DMZ1_10.0.2.0_m29 vlan-id 100
- set vlans DMZ2_10.0.2.8_m29 vlan-id 200
- set vlans INTERNET vlan-id 848
- set vlans LAN1_10.0.4.0_m23 vlan-id 1200
- set vlans MGMT_10.0.0.0_m24 vlan-id 1100
- set vlans WIFI1_10.0.6.0_m24 vlan-id 1300
- set vlans WIFI2_GUEST_10.0.7.0_m27 vlan-id 1400