  1. root@srx-0> show configuration
  2. ## Last commit: 2019-12-13 11:21:05 UTC by root
  3. version 12.1X44-D35.5;
  ## Chassis-cluster node-specific settings: each node carries its own host-name and
  ## out-of-band fxp0 management address, selected per node by apply-groups "${node}" below.
  4. groups {
  5. node0 {
  6. system {
  7. host-name srx-0;
  8. }
  9. interfaces {
  10. fxp0 {
  11. unit 0 {
  12. family inet {
  13. address 192.168.3.200/24;
  14. }
  15. }
  16. }
  17. }
  18. }
  19. node1 {
  20. system {
  21. host-name srx-1;
  ## NOTE(review): the backup-router "destination" is node1's own fxp0 address rather than a
  ## remote prefix, and node1's fxp0 is /32 while node0's is /24 — looks inconsistent;
  ## confirm the intended management subnet for node1.
  22. backup-router 192.168.3.254 destination 192.168.3.201/32;
  23. }
  24. interfaces {
  25. fxp0 {
  26. unit 0 {
  27. family inet {
  28. address 192.168.3.201/32;
  29. }
  30. }
  31. }
  32. }
  33. }
  ## NOTE(review): "sys" is an empty group with no statements — presumably a leftover; confirm.
  34. sys;
  35. }
  ## Applies the node0 / node1 group matching the local cluster node id.
  36. apply-groups "${node}";
  ## Only root-authentication and management services are configured here; no "system login"
  ## user accounts, "system syslog" or "system ntp" stanzas appear in this dump, so root is
  ## the only visible account and log/time settings are not visible — confirm they exist.
  37. system {
  38. root-authentication {
  ## "$1$" is MD5-crypt, a weak hash format. This hash is published in a public paste, so the
  ## credential should be treated as exposed and rotated; prefer a stronger hash format if
  ## this release's "system login password format" allows it.
  39. encrypted-password "$1$VPyDDQxr7TdYasd5xuAZfhgPu6qlad676yfddkerewr/"; ## SECRET-DATA
  40. }
  41. services {
  ## ssh with defaults: no root-login, protocol-version, rate-limit or connection-limit
  ## restrictions are set here.
  42. ssh;
  43. web-management {
  ## Plaintext HTTP management is enabled on reth1.1337, the 10.10.10.0/24 LAN-side unit
  ## (see interfaces); credentials cross the LAN unencrypted. https-only is preferable.
  44. http {
  45. interface reth1.1337;
  46. }
  47. https {
  ## Device-generated (self-signed) certificate: clients cannot verify the device identity
  ## without pinning it.
  48. system-generated-certificate;
  ## NOTE(review): reth1 has no unit 0 in the interfaces stanza (only unit 1337), so reth1.0
  ## here likely should be reth1.1337 — confirm.
  49. interface [ fxp0.0 reth1.0 ];
  50. }
  51. }
  52. }
  53. }
  ## Two-node chassis cluster with two redundant Ethernet (reth) interfaces.
  54. chassis {
  55. cluster {
  56. reth-count 2;
  ## redundancy-group 0 is the control plane (routing engine); node 0 is preferred.
  57. redundancy-group 0 {
  58. node 0 priority 100;
  59. node 1 priority 1;
  60. }
  ## redundancy-group 1 owns reth0/reth1 (see interfaces); node 0 preferred, and preempt
  ## returns mastership to node 0 once it recovers.
  61. redundancy-group 1 {
  62. node 0 priority 100;
  63. node 1 priority 1;
  64. preempt;
  ## Each monitored link carries the full weight (255), so a single link failure on the
  ## active node triggers failover of redundancy-group 1.
  65. interface-monitor {
  66. ge-0/0/3 weight 255;
  67. ge-0/0/4 weight 255;
  68. ge-9/0/3 weight 255;
  69. ge-9/0/4 weight 255;
  70. }
  71. }
  72. }
  73. }
  ## Physical members: ge-0/0/3 + ge-9/0/3 form reth0 (WAN / zone untrusted),
  ## ge-0/0/4 + ge-9/0/4 form reth1 (LAN / zone trusted); ge-0/0/2 + ge-9/0/2 are the
  ## cluster fabric links. st0 holds the tunnel interfaces that carry the BGP sessions.
  74. interfaces {
  75. ge-0/0/3 {
  76. gigether-options {
  77. redundant-parent reth0;
  78. }
  79. }
  80. ge-0/0/4 {
  81. gigether-options {
  82. redundant-parent reth1;
  83. }
  84. }
  85. ge-9/0/3 {
  86. gigether-options {
  87. redundant-parent reth0;
  88. }
  89. }
  90. ge-9/0/4 {
  91. gigether-options {
  92. redundant-parent reth1;
  93. }
  94. }
  95. fab0 {
  96. fabric-options {
  97. member-interfaces {
  98. ge-0/0/2;
  99. }
  100. }
  101. }
  102. fab1 {
  103. fabric-options {
  104. member-interfaces {
  105. ge-9/0/2;
  106. }
  107. }
  108. }
  ## reth0.0: externally routable WAN address (zone untrusted). This address, the upstream
  ## next-hop and the peer ASNs are all exposed by this public paste.
  109. reth0 {
  110. redundant-ether-options {
  111. redundancy-group 1;
  112. }
  113. unit 0 {
  114. family inet {
  115. address 187.131.15.250/22;
  116. }
  117. }
  118. }
  ## reth1: VLAN-tagged LAN side; the only logical unit is 1337 (VLAN 1337, 10.10.10.0/24).
  119. reth1 {
  120. vlan-tagging;
  121. redundant-ether-options {
  122. redundancy-group 1;
  123. }
  124. unit 1337 {
  125. vlan-id 1337;
  126. family inet {
  127. address 10.10.10.10/24;
  128. }
  129. }
  130. }
  ## NOTE(review): st0.1 / st0.2 are placed in zone trusted and carry the two eBGP sessions,
  ## but no "security ike" / "security ipsec" stanza appears in this dump, so no VPN binding
  ## for these units is visible — confirm whether that section was omitted from the paste.
  ## The 1436 MTU matches the tcp-mss ipsec-vpn clamp under security flow.
  131. st0 {
  132. unit 1 {
  133. family inet {
  134. mtu 1436;
  135. address 161.252.77.10/30;
  136. }
  137. }
  138. unit 2 {
  139. family inet {
  140. mtu 1436;
  141. address 161.252.26.26/30;
  142. }
  143. }
  144. }
  145. }
  146. routing-options {
  147. static {
  ## Default route via the reth0 upstream.
  148. route 0.0.0.0/0 next-hop 187.131.15.1;
  ## NOTE(review): next-hop is the device's own reth1.1337 address; the connected route
  ## already covers 10.10.10.0/24, so this static looks redundant — confirm its purpose.
  149. route 10.10.10.0/24 next-hop 10.10.10.10;
  ## Management subnet via the same gateway used as node1's backup-router.
  150. route 192.168.3.0/24 next-hop 192.168.3.254;
  151. }
  152. }
  153. protocols {
  154. bgp {
  ## Two eBGP sessions to AS 64543 from local AS 65110, one per st0 tunnel (161.252.77.9 is
  ## the far end of st0.1's /30, 161.252.26.25 of st0.2's /30). Outbound is limited by
  ## EXPORT-DEFAULT; no import policy or prefix-limit is configured, so everything the peer
  ## sends is accepted. Neither session sets an authentication-key; if the st0 tunnels are
  ## IPsec-protected that is mitigated, but that configuration is not visible in this dump.
  155. group ebgp {
  156. type external;
  157. neighbor 161.252.77.9 {
  ## Short hold-time for faster failure detection across the tunnel.
  158. hold-time 30;
  159. export EXPORT-DEFAULT;
  160. peer-as 64543;
  161. local-as 65110;
  162. }
  163. neighbor 161.252.26.25 {
  164. hold-time 30;
  165. export EXPORT-DEFAULT;
  166. peer-as 64543;
  167. local-as 65110;
  168. }
  169. }
  170. }
  171. }
  172. policy-options {
  ## Export policy for the ebgp group: advertise exactly 10.10.10.0/24 and nothing else
  ## (the explicit reject term stops the default-route and any other learned prefixes from
  ## leaking to the peer).
  173. policy-statement EXPORT-DEFAULT {
  174. term default {
  175. from {
  176. route-filter 10.10.10.0/24 exact;
  177. }
  178. then accept;
  179. }
  180. term reject {
  181. then reject;
  182. }
  183. }
  184. }
  185. security {
  ## Event-mode logging emits security logs through the routing engine's syslog path;
  ## no "system syslog" stanza appears in this dump, so the log destination is not visible
  ## here — confirm one exists, otherwise policy/session events are lost.
  186. log {
  187. mode event;
  188. }
  189. application-tracking;
  190. flow {
  ## NOTE(review): traceoptions carries a packet-filter but no "flag" or "file" statement
  ## is visible, so as written it presumably traces nothing; remove it or complete it —
  ## flow tracing is expensive on a production box.
  191. traceoptions {
  192. packet-filter FILTER-TEST {
  193. source-prefix 10.10.10.100/32;
  194. }
  195. }
  ## Clamp TCP MSS on VPN traffic to avoid fragmentation inside the tunnels (st0 MTU 1436).
  196. tcp-mss {
  197. ipsec-vpn {
  198. mss 1379;
  199. }
  200. }
  201. }
  ## Interface-based source NAT for the LAN (10.10.10.0/24) toward the untrusted zone.
  202. nat {
  203. source {
  204. rule-set TRUST-TO-UNTRUST {
  205. from zone trusted;
  206. to zone untrusted;
  207. rule TRUST-TO-INTERNET {
  208. match {
  209. source-address 10.10.10.0/24;
  210. destination-address 0.0.0.0/0;
  211. }
  212. then {
  213. source-nat {
  214. interface;
  215. }
  216. }
  217. }
  218. }
  219. }
  220. }
  221. policies {
  ## Intra-zone trusted: unrestricted. Note that st0.1/st0.2 (remote tunnel ends) share this
  ## zone with the LAN, so tunnel peers reach the LAN without any policy filtering.
  222. from-zone trusted to-zone trusted {
  223. policy ALLOW_ALL {
  224. match {
  225. source-address any;
  226. destination-address any;
  227. application any;
  228. }
  229. then {
  230. permit;
  231. }
  232. }
  233. }
  ## Outbound LAN -> WAN: any/any/any with no logging. Adding "log { session-init; }" or
  ## session-close under "then" would give visibility into outbound sessions.
  234. from-zone trusted to-zone untrusted {
  235. policy ALLOW_ALL {
  236. match {
  237. source-address any;
  238. destination-address any;
  239. application any;
  240. }
  241. then {
  242. permit;
  243. }
  244. }
  245. }
  246. from-zone untrusted to-zone trusted {
  ## junos-icmp-all admits every ICMP type, which is broader than the "ping" described below;
  ## junos-icmp-ping alone matches the stated intent.
  247. policy UNTRUSTED-TO-TRUSTED-ACCEPT-PING {
  248. description "Accept all ICMP ( ping ) traffic comming from zone untrusted and going to zone trusted. Sits at the top of the policies. Permits ping traffic to get through.";
  249. match {
  250. source-address any;
  251. destination-address any;
  252. application [ junos-icmp-all junos-icmp-ping ];
  253. }
  254. then {
  255. permit;
  256. }
  257. }
  ## Inbound catch-all deny. Denied sessions are not logged; "log { session-init; }" under
  ## "then" would record blocked inbound attempts for detection.
  258. policy UNTRUSTED-TO-TRUSTED-DENY-ALL {
  259. description "Deny all traffic comming from zone untrusted and going to zone trusted. Sits at the bottom of the policies. Acts as a catch-all option.";
  260. match {
  261. source-address any;
  262. destination-address any;
  263. application any;
  264. }
  265. then {
  266. deny;
  267. }
  268. }
  269. }
  ## Intra-zone untrusted: ping only (reth0.0 is the only interface in this zone).
  270. from-zone untrusted to-zone untrusted {
  271. policy PERMIT_PING {
  272. match {
  273. source-address any;
  274. destination-address any;
  275. application [ junos-icmp-ping junos-pingv6 junos-ping ];
  276. }
  277. then {
  278. permit;
  279. }
  280. }
  281. }
  282. }
  283. zones {
  ## Zone trusted accepts every host-inbound service and protocol ("all") on the zone and
  ## again on reth1.1337, including from the st0 tunnel units. Least privilege would list
  ## only what is needed (e.g. ping, ssh, https, bgp); "bgp;" is redundant next to "all;".
  284. security-zone trusted {
  285. host-inbound-traffic {
  286. system-services {
  287. all;
  288. }
  289. protocols {
  290. bgp;
  291. all;
  292. }
  293. }
  294. interfaces {
  295. st0.1;
  296. st0.2;
  297. reth1.1337 {
  298. host-inbound-traffic {
  299. system-services {
  300. all;
  301. }
  302. }
  303. }
  304. }
  305. application-tracking;
  306. }
  ## Zone untrusted is tight: only ping, ike and bgp reach the device on reth0.0. "ike" here
  ## implies IPsec termination on the WAN side, though no ike/ipsec stanza is visible in
  ## this dump.
  307. security-zone untrusted {
  308. host-inbound-traffic {
  309. system-services {
  310. ping;
  311. ike;
  312. }
  313. protocols {
  314. bgp;
  315. }
  316. }
  317. interfaces {
  318. reth0.0 {
  319. host-inbound-traffic {
  320. system-services {
  321. ping;
  322. ike;
  323. }
  324. protocols {
  325. bgp;
  326. }
  327. }
  328. }
  329. }
  330. application-tracking;
  331. }
  332. }
  333. }