Configuration details for our network devices in production: SRX – Firewall; Sebastian – Cisco Switch 3750; Steve – Cisco Switch 4989.


  1. version 12.1X46-D40.2; ## Junos SRX firewall configuration for host "cerberus": system settings, interfaces, static routing, security (screen, NAT, policies, zones) and custom applications. Reviewer remarks are marked NOTE(review).
  2. system {
  3. host-name cerberus;
  4. time-zone GMT;
  5. root-authentication {
  6. encrypted-password "$1$5a81bcLc$1iBwYxR5QREg0cGBty1G.1"; ## SECRET-DATA ## NOTE(review): "$1$" marks an MD5-crypt hash, and this file is a versioned export of the running config -- treat the root password as exposed, rotate it, and strip SECRET-DATA lines before committing configs to a repository.
  7. }
  8. name-server {
  9. 208.67.222.222; ## OpenDNS resolvers
  10. 208.67.220.220;
  11. }
  12. name-resolution {
  13. no-resolve-on-input;
  14. }
  15. login { ## NOTE(review): only root-authentication is configured in this file; no "user" accounts or login classes appear -- confirm administrators do not all share root.
  16. message "#############################################################################################################################\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t All connections are monitored and recorded \t\t \n\t\t Disconnect IMMEDIATELY if you are not an authorized user!\t\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t \n##############################################################################################################################"; ## pre-login legal banner shown to SSH clients; the \t runs are literal tab escapes used for centring
  17. }
  18. services {
  19. ssh; ## NOTE(review): SSH is enabled with defaults only -- no root-login, protocol-version or connection/rate-limit statements are set here; confirm the defaults of this release meet policy.
  20. }
  21. syslog {
  22. archive size 100k files 3;
  23. user * {
  24. any emergency; ## emergency-level events are written to every logged-in user's terminal
  25. }
  26. host log.internal { ## remote syslog target. NOTE(review): no facility/severity (e.g. "any info;") is listed for this host, so it is unclear whether anything is actually forwarded -- confirm on the collector.
  27. explicit-priority;
  28. structured-data {
  29. brief;
  30. }
  31. }
  32. file messages {
  33. any critical;
  34. authorization info; ## login/authorisation events kept locally at info level
  35. }
  36. file interactive-commands {
  37. interactive-commands error;
  38. }
  39. source-address 192.168.0.30; ## NOTE(review): this address is not configured on any interface in this file (the firewall's own 192.168.0.0/24 address is .254 on ge-0/0/1.1); Junos expects a local address here -- confirm.
  40. }
  41. max-configurations-on-flash 49;
  42. max-configuration-rollbacks 49;
  43. license {
  44. autoupdate {
  45. url https://ae1.juniper.net/junos/key_retrieval;
  46. }
  47. }
  48. ntp {
  49. server time.dcu.ie; ## NOTE(review): single NTP source with no authentication-key; accurate, trusted time matters for correlating the session logs configured below.
  50. }
  51. }
  52. interfaces {
  53. ge-0/0/0 {
  54. description "Link to DCU Core"; ## upstream uplink; placed in zone WAN below
  55. unit 0 {
  56. family inet {
  57. address 136.206.33.142/26; ## same /26 as the default next-hop 136.206.33.190 under routing-options
  58. }
  59. }
  60. }
  61. ge-0/0/1 {
  62. description "Trunk Link to Sebastian"; ## 802.1Q trunk to the Cisco 3750; one logical unit per VLAN
  63. vlan-tagging;
  64. unit 0 {
  65. vlan-id 0; ## untagged unit with no address family; only referenced for host-inbound ping in zone ServersPublic
  66. }
  67. unit 1 {
  68. vlan-id 3;
  69. family inet {
  70. address 192.168.0.254/24; ## zone trust
  71. }
  72. }
  73. unit 2 {
  74. vlan-id 4;
  75. family inet {
  76. address 192.168.1.254/24; ## zone trust
  77. }
  78. }
  79. unit 16 {
  80. vlan-id 16;
  81. family inet {
  82. address 136.206.16.254/24; ## NOTE(review): identical address/subnet to ge-0/0/5.0 below (zone VPN) while this unit sits in zone ServersPublic -- overlapping subnets on two interfaces normally fail commit; confirm which one is real.
  83. }
  84. }
  85. unit 122 {
  86. vlan-id 122;
  87. family inet {
  88. address 136.206.15.254/24; ## gateway for redbrick_primary_subnet (zone ServersPublic)
  89. }
  90. }
  91. unit 999 {
  92. vlan-id 999;
  93. family inet {
  94. address 172.168.1.1/24; ## NOTE(review): 172.168.0.0/16 is public, globally routed space (the RFC 1918 block is 172.16.0.0/12); likely a typo for 172.16.x -- the same range is used by the inactive source-NAT rule r1.
  95. }
  96. }
  97. }
  98. ge-0/0/5 {
  99. description "VPN Management";
  100. unit 0 {
  101. family inet {
  102. address 136.206.16.254/24; ## NOTE(review): duplicates the address of ge-0/0/1.16 (see above)
  103. }
  104. }
  105. }
  106. ge-0/0/7 {
  107. vlan-tagging;
  108. unit 0 {
  109. vlan-id 0;
  110. }
  111. unit 30 {
  112. vlan-id 30;
  113. family inet {
  114. address 1.1.1.1/24; ## NOTE(review): 1.1.1.0/24 is public address space; hosts in zone trust will have the real 1.1.1.x range black-holed locally -- confirm this is deliberate (test segment?).
  115. }
  116. }
  117. }
  118. }
  119. routing-options {
  120. static {
  121. route 0.0.0.0/0 next-hop 136.206.33.190; ## default route via the DCU core
  122. }
  123. resolution;
  124. }
  125. protocols {
  126. lldp {
  127. interface all; ## NOTE(review): LLDP also advertises this device on the WAN uplink ge-0/0/0; consider limiting it to the internal trunks.
  128. }
  129. }
  130. security {
  131. screen {
  132. ids-option untrust-screen { ## NOTE(review): this screen profile is never attached -- no "screen untrust-screen;" appears under any security-zone below, so these checks are currently inactive; attach it to zone WAN.
  133. icmp {
  134. ping-death;
  135. }
  136. ip {
  137. source-route-option;
  138. tear-drop;
  139. }
  140. tcp {
  141. syn-flood {
  142. alarm-threshold 1024;
  143. attack-threshold 200;
  144. source-threshold 1024;
  145. destination-threshold 2048;
  146. timeout 20;
  147. }
  148. land;
  149. }
  150. }
  151. }
  152. nat {
  153. source {
  154. pool nat_EMAIL {
  155. address {
  156. 136.206.15.5/32; ## public address used for the mail host; its inbound counterpart is destination pool nat_Test
  157. }
  158. }
  159. rule-set OUT-TEST {
  160. from zone trust;
  161. to zone WAN;
  162. rule EMAIL_OUT {
  163. match {
  164. source-address 192.168.0.135/32; ## the host named "test" in zone trust's address-book
  165. }
  166. then {
  167. source-nat {
  168. pool {
  169. nat_EMAIL;
  170. }
  171. }
  172. }
  173. }
  174. inactive: rule r1 { ## disabled; would hide-NAT the listed subnets behind the egress interface address
  175. match {
  176. source-address [ 172.168.1.0/24 192.168.0.1/24 ]; ## NOTE(review): 192.168.0.1/24 has host bits set (Junos normally normalises it to 192.168.0.0/24); 172.168.1.0/24 is the non-RFC1918 range noted on ge-0/0/1.999.
  177. }
  178. then {
  179. source-nat {
  180. interface;
  181. }
  182. }
  183. }
  184. }
  185. }
  186. destination {
  187. pool nat_Test {
  188. address 192.168.0.135/32;
  189. }
  190. rule-set rs1 {
  191. from interface ge-0/0/0.0;
  192. rule r1 {
  193. match {
  194. destination-address 136.206.15.5/32; ## inbound to the mail host's public address is translated to 192.168.0.135; the transit is then governed by policy test_inbound (WAN to trust)
  195. }
  196. then {
  197. destination-nat {
  198. pool {
  199. nat_Test;
  200. }
  201. }
  202. }
  203. }
  204. }
  205. }
  206. }
  207. policies {
  208. from-zone WAN to-zone ServersPublic { ## inbound from the uplink to the public server VLANs; evaluated top-down, drop_and_log last
  209. policy dcu_access {
  210. match {
  211. source-address dcu_supernet; ## 136.206.0.0/16 (campus)
  212. destination-address redbrick_primary_subnet;
  213. application [ junos-http junos-https junos-dns-udp junos-dns-tcp junos-ldap LDAPS ];
  214. }
  215. then {
  216. permit;
  217. }
  218. }
  219. inactive: policy MOSH { ## disabled
  220. match {
  221. source-address any;
  222. destination-address MOSH_ACCESS;
  223. application junos-ssh;
  224. }
  225. then {
  226. permit;
  227. }
  228. }
  229. policy GAME_SOC_ACCESS {
  230. match {
  231. source-address any;
  232. destination-address GAME_SOC_SERVER;
  233. application any; ## NOTE(review): every port of 136.206.15.41 is reachable from any source; narrow this to the game's ports.
  234. }
  235. then {
  236. permit;
  237. }
  238. }
  239. policy internet_access {
  240. match {
  241. source-address any;
  242. destination-address redbrick_primary_subnet;
  243. application [ junos-http junos-https junos-ssh junos-smtp junos-pop3 junos-imap junos-imaps junos-dns-tcp junos-dns-udp irc_peering_tcp_6668 irc_tls_tcp_6697 irc_tcp_6667 pop3s_tcp_995 tcp_465 ]; ## public services for the whole /24; the non-junos names are defined under applications at the end of the file
  244. }
  245. then {
  246. permit;
  247. }
  248. }
  249. policy drop_and_log { ## catch-all deny with session logging; must stay last in this context
  250. match {
  251. source-address any;
  252. destination-address any;
  253. application any;
  254. }
  255. then {
  256. deny;
  257. log {
  258. session-init;
  259. session-close;
  260. }
  261. }
  262. }
  263. }
  264. from-zone ServersPublic to-zone WAN {
  265. policy DENY_MOSH { ## NOTE(review): the name says deny but the action below is permit, so this is a no-op ahead of policy Internet (any/any permit); fix either the name or the action.
  266. match {
  267. source-address MOSH_ACCESS;
  268. destination-address any;
  269. application junos-ssh;
  270. }
  271. then {
  272. permit;
  273. }
  274. }
  275. policy Internet { ## unrestricted, unlogged outbound from the public servers
  276. match {
  277. source-address any;
  278. destination-address any;
  279. application any;
  280. }
  281. then {
  282. permit;
  283. }
  284. }
  285. }
  286. from-zone trust to-zone WAN {
  287. policy Allow-All { ## unrestricted, unlogged outbound from the internal VLANs
  288. match {
  289. source-address any;
  290. destination-address any;
  291. application any;
  292. }
  293. then {
  294. permit;
  295. }
  296. }
  297. }
  298. from-zone WAN to-zone trust {
  299. policy test_inbound {
  300. match {
  301. source-address any;
  302. destination-address test; ## 192.168.0.135, the destination-NAT target of rule-set rs1
  303. application any; ## NOTE(review): opens every port of the NATed host to the WAN; restrict to the mail services it actually serves.
  304. }
  305. then {
  306. permit;
  307. log {
  308. session-close;
  309. }
  310. }
  311. }
  312. }
  313. from-zone VPN to-zone WAN {
  314. policy Management_ACCESS { ## any/any permit out of the VPN segment, logged on session-close
  315. match {
  316. source-address any;
  317. destination-address any;
  318. application any;
  319. }
  320. then {
  321. permit;
  322. log {
  323. session-close;
  324. }
  325. }
  326. }
  327. }
  328. from-zone WAN to-zone VPN {
  329. policy VPN_IN { ## NOTE(review): any/any permit from the uplink into everything behind ge-0/0/5 ("VPN Management"); limit it to the VPN service ports and peers.
  330. match {
  331. source-address any;
  332. destination-address any;
  333. application any;
  334. }
  335. then {
  336. permit;
  337. log {
  338. session-close;
  339. }
  340. }
  341. }
  342. }
  343. }
  344. zones {
  345. security-zone ServersPublic {
  346. address-book { ## per-zone address books: a policy resolves source-address in its from-zone and destination-address in its to-zone
  347. address redbrick_primary_subnet 136.206.15.0/24;
  348. address GAME_SOC_SERVER 136.206.15.41/32;
  349. address MOSH_ACCESS 136.206.15.73/32;
  350. }
  351. interfaces {
  352. ge-0/0/1.0 {
  353. host-inbound-traffic {
  354. system-services {
  355. ping;
  356. }
  357. }
  358. }
  359. ge-0/0/1.122;
  360. ge-0/0/1.16;
  361. }
  362. }
  363. security-zone WAN {
  364. address-book {
  365. address dcu_supernet 136.206.0.0/16;
  366. address GAME_SOC_SERVER 136.206.15.41/32; ## copies of the ServersPublic entries; no policy in this file uses them as a WAN-zone source, so they appear unused here
  367. address MOSH_ACCESS 136.206.15.73/32;
  368. }
  369. interfaces {
  370. ge-0/0/0.0 {
  371. host-inbound-traffic {
  372. system-services {
  373. ssh; ## NOTE(review): management SSH to the firewall itself is accepted on the WAN uplink and nothing in this file limits the sources (no loopback firewall filter is shown) -- confirm an upstream filter exists or add one.
  374. ping;
  375. }
  376. }
  377. }
  378. }
  379. }
  380. security-zone trust {
  381. address-book {
  382. address test 192.168.0.135/32;
  383. }
  384. host-inbound-traffic { ## zone-level: applies to all four trust interfaces listed below
  385. system-services {
  386. ping;
  387. ssh;
  388. }
  389. }
  390. interfaces {
  391. ge-0/0/1.1;
  392. ge-0/0/1.2;
  393. ge-0/0/1.999;
  394. ge-0/0/7.30;
  395. }
  396. }
  397. security-zone VPN {
  398. host-inbound-traffic {
  399. system-services {
  400. ping;
  401. ssh;
  402. }
  403. }
  404. interfaces {
  405. ge-0/0/5.0;
  406. }
  407. }
  408. }
  409. }
  410. applications { ## custom TCP services referenced by the WAN->ServersPublic policies
  411. application irc_peering_tcp_6668 {
  412. protocol tcp;
  413. destination-port 6668;
  414. description "IRC Peering";
  415. }
  416. application irc_tcp_6667 {
  417. protocol tcp;
  418. destination-port 6667;
  419. description IRC;
  420. }
  421. application irc_tls_tcp_6697 {
  422. protocol tcp;
  423. destination-port 6697;
  424. description "IRC TLS";
  425. }
  426. application tcp_465 {
  427. protocol tcp;
  428. destination-port 465; ## SMTP over implicit TLS (SMTPS)
  429. description "Mail? d_fens requested"; ## NOTE(review): the description records that the purpose was never confirmed -- verify the service is still needed before leaving it in internet_access
  430. }
  431. application pop3s_tcp_995 {
  432. protocol tcp;
  433. destination-port 995;
  434. description POP3S;
  435. }
  436. application LDAPS {
  437. protocol tcp;
  438. destination-port 636; ## LDAP over TLS; exposed only to dcu_supernet via policy dcu_access
  439. description LDAPS;
  440. }
  441. }