- root@srx-0> show configuration
- ## Last commit: 2019-12-13 11:21:05 UTC by root
- ## NOTE(review): 12.1X44-D35.5 is an old release train; confirm it is still vendor-supported and compare it against current Juniper security advisories before relying on this device.
- version 12.1X44-D35.5;
- groups {
- node0 {
- system {
- host-name srx-0;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- address 192.168.3.200/24;
- }
- }
- }
- }
- }
- node1 {
- system {
- host-name srx-1;
- ## NOTE(review): the backup-router destination 192.168.3.201/32 is node1's own fxp0 address (below); destination normally names the prefix(es) reached through the backup router -- confirm this is intended.
- backup-router 192.168.3.254 destination 192.168.3.201/32;
- }
- interfaces {
- fxp0 {
- unit 0 {
- family inet {
- ## NOTE(review): node1 fxp0 is /32 while node0 fxp0 is /24; the mask mismatch looks unintentional -- confirm.
- address 192.168.3.201/32;
- }
- }
- }
- }
- }
- sys;
- }
- apply-groups "${node}";
- system {
- root-authentication {
- ## NOTE(review): the $1$ prefix is MD5-crypt, and this hash is now public; treat the root credential as compromised and rotate it. Prefer a stronger hash format supported by the platform and named admin accounts over direct root use.
- encrypted-password "$1$VPyDDQxr7TdYasd5xuAZfhgPu6qlad676yfddkerewr/"; ## SECRET-DATA
- }
- services {
- ## NOTE(review): ssh is enabled with no restrictions (no root-login deny, no protocol-version v2, no connection-limit); with root-authentication set, root can log in directly -- consider tightening.
- ssh;
- web-management {
- ## NOTE(review): plaintext http management on the trusted LAN interface; credentials cross the wire unencrypted -- prefer https only.
- http {
- interface reth1.1337;
- }
- https {
- ## NOTE(review): self-signed (system-generated) certificate; operators cannot distinguish this device from an impostor -- use a CA-issued certificate if https management is kept.
- system-generated-certificate;
- ## NOTE(review): reth1.0 is listed here but reth1 only defines unit 1337 (interfaces stanza below); stale or mistaken reference -- confirm.
- interface [ fxp0.0 reth1.0 ];
- }
- }
- }
- }
- chassis {
- cluster {
- reth-count 2;
- redundancy-group 0 {
- node 0 priority 100;
- node 1 priority 1;
- }
- redundancy-group 1 {
- node 0 priority 100;
- node 1 priority 1;
- preempt;
- interface-monitor {
- ge-0/0/3 weight 255;
- ge-0/0/4 weight 255;
- ge-9/0/3 weight 255;
- ge-9/0/4 weight 255;
- }
- }
- }
- }
- interfaces {
- ge-0/0/3 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-0/0/4 {
- gigether-options {
- redundant-parent reth1;
- }
- }
- ge-9/0/3 {
- gigether-options {
- redundant-parent reth0;
- }
- }
- ge-9/0/4 {
- gigether-options {
- redundant-parent reth1;
- }
- }
- fab0 {
- fabric-options {
- member-interfaces {
- ge-0/0/2;
- }
- }
- }
- fab1 {
- fabric-options {
- member-interfaces {
- ge-9/0/2;
- }
- }
- }
- reth0 {
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 0 {
- family inet {
- address 187.131.15.250/22;
- }
- }
- }
- reth1 {
- vlan-tagging;
- redundant-ether-options {
- redundancy-group 1;
- }
- unit 1337 {
- vlan-id 1337;
- family inet {
- address 10.10.10.10/24;
- }
- }
- }
- ## NOTE(review): st0.1/st0.2 are placed in the trusted zone below, but no security ike / ipsec-vpn stanza appears in this output; either the paste is incomplete or the tunnels are not bound -- confirm.
- st0 {
- unit 1 {
- family inet {
- mtu 1436;
- address 161.252.77.10/30;
- }
- }
- unit 2 {
- family inet {
- mtu 1436;
- address 161.252.26.26/30;
- }
- }
- }
- }
- routing-options {
- static {
- route 0.0.0.0/0 next-hop 187.131.15.1;
- ## NOTE(review): 10.10.10.0/24 is already directly connected via reth1.1337, and the next-hop given is the device's own address; this route looks redundant -- confirm intent.
- route 10.10.10.0/24 next-hop 10.10.10.10;
- route 192.168.3.0/24 next-hop 192.168.3.254;
- }
- }
- protocols {
- bgp {
- ## NOTE(review): both neighbors sit on the st0 /30s, so the sessions ride the tunnels. No authentication-key, import policy or prefix-limit is visible, so the peer's advertisements are accepted unfiltered -- consider adding an import policy and a prefix-limit.
- group ebgp {
- type external;
- neighbor 161.252.77.9 {
- hold-time 30;
- export EXPORT-DEFAULT;
- peer-as 64543;
- local-as 65110;
- }
- neighbor 161.252.26.25 {
- hold-time 30;
- export EXPORT-DEFAULT;
- peer-as 64543;
- local-as 65110;
- }
- }
- }
- }
- policy-options {
- policy-statement EXPORT-DEFAULT {
- term default {
- from {
- route-filter 10.10.10.0/24 exact;
- }
- then accept;
- }
- term reject {
- then reject;
- }
- }
- }
- security {
- log {
- mode event;
- }
- application-tracking;
- flow {
- ## NOTE(review): flow traceoptions with a packet-filter is a debugging aid left enabled; it consumes resources and writes traffic details to the trace log -- remove once troubleshooting is complete.
- traceoptions {
- packet-filter FILTER-TEST {
- source-prefix 10.10.10.100/32;
- }
- }
- tcp-mss {
- ipsec-vpn {
- mss 1379;
- }
- }
- }
- nat {
- source {
- rule-set TRUST-TO-UNTRUST {
- from zone trusted;
- to zone untrusted;
- rule TRUST-TO-INTERNET {
- match {
- source-address 10.10.10.0/24;
- destination-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone trusted to-zone trusted {
- policy ALLOW_ALL {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone trusted to-zone untrusted {
- ## NOTE(review): any/any/any egress with no session logging; add log session-close (or session-init) under then so outbound activity is visible to detection.
- policy ALLOW_ALL {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone untrusted to-zone trusted {
- ## NOTE(review): permits ICMP from any external source to any trusted host; reth0 is publicly addressed, so this exposes internal hosts to ICMP-based probing -- restrict destination-address or remove the rule if not needed.
- policy UNTRUSTED-TO-TRUSTED-ACCEPT-PING {
- description "Accept all ICMP ( ping ) traffic comming from zone untrusted and going to zone trusted. Sits at the top of the policies. Permits ping traffic to get through.";
- match {
- source-address any;
- destination-address any;
- application [ junos-icmp-all junos-icmp-ping ];
- }
- then {
- permit;
- }
- }
- policy UNTRUSTED-TO-TRUSTED-DENY-ALL {
- description "Deny all traffic comming from zone untrusted and going to zone trusted. Sits at the bottom of the policies. Acts as a catch-all option.";
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- deny;
- }
- }
- }
- from-zone untrusted to-zone untrusted {
- policy PERMIT_PING {
- match {
- source-address any;
- destination-address any;
- application [ junos-icmp-ping junos-pingv6 junos-ping ];
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone trusted {
- ## NOTE(review): system-services all and protocols all open every management service and routing protocol on trusted interfaces; least privilege is to list only what is used (e.g. ssh, https, ping). bgp is redundant alongside all.
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- bgp;
- all;
- }
- }
- interfaces {
- st0.1;
- st0.2;
- reth1.1337 {
- ## NOTE(review): interface-level system-services all is redundant with the zone-level all above.
- host-inbound-traffic {
- system-services {
- all;
- }
- }
- }
- }
- application-tracking;
- }
- security-zone untrusted {
- host-inbound-traffic {
- system-services {
- ping;
- ike;
- }
- protocols {
- bgp;
- }
- }
- interfaces {
- ## NOTE(review): bgp host-inbound on reth0.0 (the Internet-facing interface) looks unnecessary -- the BGP neighbors above sit on the st0 /30s, which are in the trusted zone -- confirm and remove if unused.
- reth0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- ike;
- }
- protocols {
- bgp;
- }
- }
- }
- }
- application-tracking;
- }
- }
- }