Configuration details for our network devices in production: SRX – firewall; Sebastian – Cisco Switch 3750; Steve – Cisco Switch 4989.


  1. set version 12.1X46-D40.2
  2. set system host-name cerberus
  3. set system time-zone GMT
  4. set system name-server 208.67.222.222
  5. set system name-server 208.67.220.220
  6. set system name-resolution no-resolve-on-input
  7. set system login message "#############################################################################################################################\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t All connections are monitored and recorded \t\t \n\t\t Disconnect IMMEDIATELY if you are not an authorized user!\t\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t \n##############################################################################################################################"
  8. set system services ssh
  9. set system syslog archive size 100k
  10. set system syslog archive files 3
  11. set system syslog user * any emergency
  12. set system syslog host log.internal explicit-priority
  13. set system syslog host log.internal structured-data brief
  14. set system syslog file messages any critical
  15. set system syslog file messages authorization info
  16. set system syslog file interactive-commands interactive-commands error
  17. set system syslog source-address 192.168.0.30
  18. set system max-configurations-on-flash 49
  19. set system max-configuration-rollbacks 49
  20. set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
  21. set system ntp server time.dcu.ie
# --- interfaces -----------------------------------------------------------
# ge-0/0/0: upstream link, zone WAN; the default route points at .190.
set interfaces ge-0/0/0 description "Link to DCU Core"
set interfaces ge-0/0/0 unit 0 family inet address 136.206.33.142/26
# ge-0/0/1: 802.1Q trunk to the switch "Sebastian", one unit per VLAN.
set interfaces ge-0/0/1 description "Trunk Link to Sebastian"
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 0 vlan-id 0
set interfaces ge-0/0/1 unit 1 vlan-id 3
set interfaces ge-0/0/1 unit 1 family inet address 192.168.0.254/24
set interfaces ge-0/0/1 unit 2 vlan-id 4
set interfaces ge-0/0/1 unit 2 family inet address 192.168.1.254/24
set interfaces ge-0/0/1 unit 16 vlan-id 16
set interfaces ge-0/0/1 unit 16 family inet address 136.206.16.254/24
set interfaces ge-0/0/1 unit 122 vlan-id 122
set interfaces ge-0/0/1 unit 122 family inet address 136.206.15.254/24
set interfaces ge-0/0/1 unit 999 vlan-id 999
# NOTE(review): 172.168.1.0/24 is NOT private space - RFC 1918 is
# 172.16.0.0/12 (172.16 through 172.31). This looks like a typo for a
# 172.16.x.x network; as configured it hijacks a real public prefix for
# anything behind this unit.
set interfaces ge-0/0/1 unit 999 family inet address 172.168.1.1/24
# NOTE(review): 136.206.16.254/24 is already configured on ge-0/0/1.16
# (zone ServersPublic). The same address again on ge-0/0/5.0 (zone VPN) is
# at best ambiguous routing and may be rejected at commit; one of the two
# needs to change.
set interfaces ge-0/0/5 description "VPN Management"
set interfaces ge-0/0/5 unit 0 family inet address 136.206.16.254/24
set interfaces ge-0/0/7 vlan-tagging
set interfaces ge-0/0/7 unit 0 vlan-id 0
set interfaces ge-0/0/7 unit 30 vlan-id 30
# NOTE(review): 1.1.1.0/24 is public address space (a well-known anycast
# resolver range), not a test net. Hosts on VLAN 30 lose reachability to it
# and this unit sits in the trust zone with zone-wide ssh/ping allowed.
# Use an RFC 1918 range instead.
set interfaces ge-0/0/7 unit 30 family inet address 1.1.1.1/24
  43. set routing-options static route 0.0.0.0/0 next-hop 136.206.33.190
  44. set routing-options resolution
  45. set protocols lldp interface all
# --- screens (L3/L4 sanity and flood checks) ------------------------------
# NOTE(review): a screen profile only does something once it is attached to
# a zone (`set security zones security-zone WAN screen untrust-screen`).
# Check that attachment exists for the untrusted side; without it every
# line below is inert.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
# SYN-flood handling: alarm at 1024, start proxying at 200, per-source
# limit 1024, per-destination limit 2048, half-open timeout 20 s. These
# look like the usual factory-default values; raise them if the public
# servers legitimately see bursts that trip the proxy.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
  55. set security nat source pool nat_EMAIL address 136.206.15.5/32
  56. set security nat source rule-set OUT-TEST from zone trust
  57. set security nat source rule-set OUT-TEST to zone WAN
  58. set security nat source rule-set OUT-TEST rule EMAIL_OUT match source-address 192.168.0.135/32
  59. set security nat source rule-set OUT-TEST rule EMAIL_OUT then source-nat pool nat_EMAIL
  60. set security nat source rule-set OUT-TEST rule r1 match source-address 172.168.1.0/24
  61. set security nat source rule-set OUT-TEST rule r1 match source-address 192.168.0.1/24
  62. set security nat source rule-set OUT-TEST rule r1 then source-nat interface
  63. deactivate security nat source rule-set OUT-TEST rule r1
  64. set security nat destination pool nat_Test address 192.168.0.135/32
  65. set security nat destination rule-set rs1 from interface ge-0/0/0.0
  66. set security nat destination rule-set rs1 rule r1 match destination-address 136.206.15.5/32
  67. set security nat destination rule-set rs1 rule r1 then destination-nat pool nat_Test
  68. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match source-address dcu_supernet
  69. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match destination-address redbrick_primary_subnet
  70. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application junos-http
  71. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application junos-https
  72. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application junos-dns-udp
  73. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application junos-dns-tcp
  74. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application junos-ldap
  75. set security policies from-zone WAN to-zone ServersPublic policy dcu_access match application LDAPS
  76. set security policies from-zone WAN to-zone ServersPublic policy dcu_access then permit
  77. set security policies from-zone WAN to-zone ServersPublic policy MOSH match source-address any
  78. set security policies from-zone WAN to-zone ServersPublic policy MOSH match destination-address MOSH_ACCESS
  79. set security policies from-zone WAN to-zone ServersPublic policy MOSH match application junos-ssh
  80. set security policies from-zone WAN to-zone ServersPublic policy MOSH then permit
  81. deactivate security policies from-zone WAN to-zone ServersPublic policy MOSH
  82. set security policies from-zone WAN to-zone ServersPublic policy GAME_SOC_ACCESS match source-address any
  83. set security policies from-zone WAN to-zone ServersPublic policy GAME_SOC_ACCESS match destination-address GAME_SOC_SERVER
  84. set security policies from-zone WAN to-zone ServersPublic policy GAME_SOC_ACCESS match application any
  85. set security policies from-zone WAN to-zone ServersPublic policy GAME_SOC_ACCESS then permit
  86. set security policies from-zone WAN to-zone ServersPublic policy internet_access match source-address any
  87. set security policies from-zone WAN to-zone ServersPublic policy internet_access match destination-address redbrick_primary_subnet
  88. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-http
  89. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-https
  90. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-ssh
  91. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-smtp
  92. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-pop3
  93. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-imap
  94. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-imaps
  95. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-dns-tcp
  96. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application junos-dns-udp
  97. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application irc_peering_tcp_6668
  98. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application irc_tls_tcp_6697
  99. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application irc_tcp_6667
  100. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application pop3s_tcp_995
  101. set security policies from-zone WAN to-zone ServersPublic policy internet_access match application tcp_465
  102. set security policies from-zone WAN to-zone ServersPublic policy internet_access then permit
  103. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log match source-address any
  104. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log match destination-address any
  105. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log match application any
  106. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log then deny
  107. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log then log session-init
  108. set security policies from-zone WAN to-zone ServersPublic policy drop_and_log then log session-close
  109. set security policies from-zone ServersPublic to-zone WAN policy DENY_MOSH match source-address MOSH_ACCESS
  110. set security policies from-zone ServersPublic to-zone WAN policy DENY_MOSH match destination-address any
  111. set security policies from-zone ServersPublic to-zone WAN policy DENY_MOSH match application junos-ssh
  112. set security policies from-zone ServersPublic to-zone WAN policy DENY_MOSH then permit
  113. set security policies from-zone ServersPublic to-zone WAN policy Internet match source-address any
  114. set security policies from-zone ServersPublic to-zone WAN policy Internet match destination-address any
  115. set security policies from-zone ServersPublic to-zone WAN policy Internet match application any
  116. set security policies from-zone ServersPublic to-zone WAN policy Internet then permit
  117. set security policies from-zone trust to-zone WAN policy Allow-All match source-address any
  118. set security policies from-zone trust to-zone WAN policy Allow-All match destination-address any
  119. set security policies from-zone trust to-zone WAN policy Allow-All match application any
  120. set security policies from-zone trust to-zone WAN policy Allow-All then permit
  121. set security policies from-zone WAN to-zone trust policy test_inbound match source-address any
  122. set security policies from-zone WAN to-zone trust policy test_inbound match destination-address test
  123. set security policies from-zone WAN to-zone trust policy test_inbound match application any
  124. set security policies from-zone WAN to-zone trust policy test_inbound then permit
  125. set security policies from-zone WAN to-zone trust policy test_inbound then log session-close
  126. set security policies from-zone VPN to-zone WAN policy Management_ACCESS match source-address any
  127. set security policies from-zone VPN to-zone WAN policy Management_ACCESS match destination-address any
  128. set security policies from-zone VPN to-zone WAN policy Management_ACCESS match application any
  129. set security policies from-zone VPN to-zone WAN policy Management_ACCESS then permit
  130. set security policies from-zone VPN to-zone WAN policy Management_ACCESS then log session-close
  131. set security policies from-zone WAN to-zone VPN policy VPN_IN match source-address any
  132. set security policies from-zone WAN to-zone VPN policy VPN_IN match destination-address any
  133. set security policies from-zone WAN to-zone VPN policy VPN_IN match application any
  134. set security policies from-zone WAN to-zone VPN policy VPN_IN then permit
  135. set security policies from-zone WAN to-zone VPN policy VPN_IN then log session-close
  136. set security zones security-zone ServersPublic address-book address redbrick_primary_subnet 136.206.15.0/24
  137. set security zones security-zone ServersPublic address-book address GAME_SOC_SERVER 136.206.15.41/32
  138. set security zones security-zone ServersPublic address-book address MOSH_ACCESS 136.206.15.73/32
  139. set security zones security-zone ServersPublic interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
  140. set security zones security-zone ServersPublic interfaces ge-0/0/1.122
  141. set security zones security-zone ServersPublic interfaces ge-0/0/1.16
  142. set security zones security-zone WAN address-book address dcu_supernet 136.206.0.0/16
  143. set security zones security-zone WAN address-book address GAME_SOC_SERVER 136.206.15.41/32
  144. set security zones security-zone WAN address-book address MOSH_ACCESS 136.206.15.73/32
  145. set security zones security-zone WAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
  146. set security zones security-zone WAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
  147. set security zones security-zone trust address-book address test 192.168.0.135/32
  148. set security zones security-zone trust host-inbound-traffic system-services ping
  149. set security zones security-zone trust host-inbound-traffic system-services ssh
  150. set security zones security-zone trust interfaces ge-0/0/1.1
  151. set security zones security-zone trust interfaces ge-0/0/1.2
  152. set security zones security-zone trust interfaces ge-0/0/1.999
  153. set security zones security-zone trust interfaces ge-0/0/7.30
  154. set security zones security-zone VPN host-inbound-traffic system-services ping
  155. set security zones security-zone VPN host-inbound-traffic system-services ssh
  156. set security zones security-zone VPN interfaces ge-0/0/5.0
# --- custom application objects (referenced by the WAN -> ServersPublic
# policies) ----------------------------------------------------------------
# IRC server-to-server peering on tcp/6668.
set applications application irc_peering_tcp_6668 protocol tcp
set applications application irc_peering_tcp_6668 destination-port 6668
set applications application irc_peering_tcp_6668 description "IRC Peering"
# Plain IRC on tcp/6667 (cleartext).
set applications application irc_tcp_6667 protocol tcp
set applications application irc_tcp_6667 destination-port 6667
set applications application irc_tcp_6667 description IRC
# IRC over TLS on tcp/6697.
set applications application irc_tls_tcp_6697 protocol tcp
set applications application irc_tls_tcp_6697 destination-port 6697
set applications application irc_tls_tcp_6697 description "IRC TLS"
# tcp/465 is conventionally SMTP submission over implicit TLS (SMTPS).
# NOTE(review): the description records that nobody was sure why this was
# opened; confirm the mail host actually listens on 465 and rename the
# object to say so, or remove it from internet_access.
set applications application tcp_465 protocol tcp
set applications application tcp_465 destination-port 465
set applications application tcp_465 description "Mail? d_fens requested"
# POP3 over TLS on tcp/995.
set applications application pop3s_tcp_995 protocol tcp
set applications application pop3s_tcp_995 destination-port 995
set applications application pop3s_tcp_995 description POP3S
# LDAP over TLS on tcp/636; the encrypted counterpart of junos-ldap.
set applications application LDAPS protocol tcp
set applications application LDAPS destination-port 636
set applications application LDAPS description LDAPS