- root# show | no-more
- ## Last changed: 2013-03-05 07:13:42 UTC
- ## Junos release this configuration was captured on.
- ## NOTE(review): confirm this release still receives security fixes before reusing the config.
- version 12.1X44.4;
- ## System-level settings: root credentials, DNS, management services, DHCP server,
- ## syslog, configuration-history limits and license auto-update.
- system {
- root-authentication {
- ## NOTE(review): the "$1$" prefix marks an MD5-crypt hash, which is cheap to attack offline.
- ## The value is published together with the config, so treat the root password as exposed:
- ## rotate it, and redact SECRET-DATA lines before sharing "show" output.
- encrypted-password "$1$ekHjG.t0$qIL8RxzwBhBiqF1IiClM/0"; ## SECRET-DATA
- }
- ## External public resolvers (OpenDNS addresses).
- name-server {
- 208.67.222.222;
- 208.67.220.220;
- }
- ## Management services the device listens for. Which interfaces accept them is decided by
- ## host-inbound-traffic in the security zones, not here (web-management excepted).
- services {
- ssh;
- ## NOTE(review): telnet carries credentials and session data in clear text; with ssh
- ## already enabled it can normally be removed.
- telnet;
- ## NOTE(review): xnm-clear-text exposes the Junos XML management API without encryption;
- ## xnm-ssl or NETCONF over ssh are the protected alternatives.
- xnm-clear-text;
- web-management {
- ## NOTE(review): plain http on vlan.0 sends web-management logins unencrypted; https is
- ## already configured on the same interface.
- http {
- interface vlan.0;
- }
- https {
- ## Certificate generated by the device itself; clients cannot validate it against a CA,
- ## so a PKI-issued certificate is preferable outside a lab.
- system-generated-certificate;
- interface vlan.0;
- }
- }
- ## DHCP server for 10.69.69.0/24 with a one-hour default lease; 10.69.69.1 (the address
- ## on fe-0/0/0.0) is handed out as the gateway.
- dhcp {
- pool 10.69.69.0/24 {
- address-range low 10.69.69.10 high 10.69.69.99;
- default-lease-time 3600;
- router {
- 10.69.69.1;
- }
- }
- }
- }
- ## Logging is local only: no remote syslog host appears in this stanza, so the records
- ## live on the device's own storage.
- syslog {
- ## Default archive is three files of 100k, so older events roll off quickly.
- archive size 100k files 3;
- ## Emergency-level messages are sent to every logged-in user.
- user * {
- any emergency;
- }
- file messages {
- any critical;
- authorization info;
- }
- ## NOTE(review): only error-severity interactive-commands events are kept here; a full
- ## audit trail of operator commands would need "interactive-commands any" - confirm intent.
- file interactive-commands {
- interactive-commands error;
- }
- ## Separate file for messages containing RT_FLOW (flow session events), with its own
- ## larger archive (two files of 5m).
- file policy_session {
- any any;
- match RT_FLOW;
- archive size 5m files 2;
- }
- }
- ## Keep five configurations on flash and five rollback versions.
- max-configurations-on-flash 5;
- max-configuration-rollbacks 5;
- license {
- autoupdate {
- url https://ae1.juniper.net/junos/key_retrieval;
- }
- }
- }
- ## Physical and logical interfaces. Every logical unit defined here is also listed under
- ## security-zone trust later in the config.
- interfaces {
- ## Interface tracing to interface.txt (five files of 1m).
- ## NOTE(review): looks like a troubleshooting aid - confirm it is meant to stay enabled.
- traceoptions {
- file interface.txt size 1m files 5;
- }
- ## Campus-facing port. Inbound packets pass through filter to-F5 and outbound packets
- ## through filter from-Webservers (both defined under "firewall").
- fe-0/0/0 {
- unit 0 {
- description "Rest of campus network";
- family inet {
- filter {
- input to-F5;
- output from-Webservers;
- }
- address 10.69.69.1/24;
- }
- }
- }
- ## 802.1Q trunk carrying VLANs 690, 691 and 692 as routed sub-interfaces.
- ## NOTE(review): 1.1.1.0/24, 1.2.3.0/24 and 1.2.4.0/24 are not private (RFC 1918) space;
- ## presumably placeholders - substitute the real addressing before reuse.
- fe-0/0/1 {
- vlan-tagging;
- ## Unit 690: the only interface whose routes policy f5-interface accepts into F5.inet.0.
- unit 690 {
- vlan-id 690;
- family inet {
- address 1.1.1.1/24;
- }
- }
- ## Unit 691: subnet 1.2.3.0/24, the source range matched by filter from-Webservers.
- unit 691 {
- vlan-id 691;
- family inet {
- address 1.2.3.1/24;
- }
- }
- unit 692 {
- vlan-id 692;
- family inet {
- address 1.2.4.1/24;
- }
- }
- }
- ## fe-0/0/2 through fe-0/0/6 are switch ports that are members of vlan-trust.
- fe-0/0/2 {
- unit 0 {
- family ethernet-switching {
- vlan {
- members vlan-trust;
- }
- }
- }
- }
- fe-0/0/3 {
- unit 0 {
- family ethernet-switching {
- vlan {
- members vlan-trust;
- }
- }
- }
- }
- fe-0/0/4 {
- unit 0 {
- family ethernet-switching {
- vlan {
- members vlan-trust;
- }
- }
- }
- }
- fe-0/0/5 {
- unit 0 {
- family ethernet-switching {
- vlan {
- members vlan-trust;
- }
- }
- }
- }
- fe-0/0/6 {
- unit 0 {
- family ethernet-switching {
- vlan {
- members vlan-trust;
- }
- }
- }
- }
- ## Routed port in 10.25.24.0/23; the static route's next hop 10.25.24.1 lies in this subnet.
- fe-0/0/7 {
- unit 0 {
- family inet {
- address 10.25.25.6/23;
- }
- }
- }
- ## Layer 3 interface of vlan-trust (see "vlans"); web-management http/https is bound to vlan.0.
- vlan {
- unit 0 {
- family inet {
- address 192.168.1.1/24;
- }
- }
- }
- }
- ## Main-instance routing: shares interface routes with the F5 forwarding instance and
- ## adds one static route.
- routing-options {
- ## Interface (direct) routes are handed to rib-group fwd-direct-rib.
- interface-routes {
- rib-group inet fwd-direct-rib;
- }
- ## 10.25.0.0/16 is reached through 10.25.24.1.
- static {
- route 10.25.0.0/16 next-hop 10.25.24.1;
- }
- rib-groups {
- ## Routes are imported into inet.0 and F5.inet.0, subject to import policy f5-interface.
- fwd-direct-rib {
- import-rib [ inet.0 F5.inet.0 ];
- import-policy f5-interface;
- }
- }
- }
- ## Import policy referenced by rib-group fwd-direct-rib.
- policy-options {
- policy-statement f5-interface {
- ## Accept the route of fe-0/0/1.690 into F5.inet.0.
- term service {
- from interface fe-0/0/1.690;
- to rib F5.inet.0;
- then accept;
- }
- ## Everything not accepted by term service is rejected.
- term reject {
- then reject;
- }
- }
- }
- ## Flow tracing, screen (IDS) options, zone-to-zone policies and zone membership.
- ## NOTE(review): all interfaces sit in zone trust and zone untrust has none, so in this
- ## config only the trust-to-trust and trust-to-junos-host policies (both permit any/any/any)
- ## can match traffic; the device is not filtering between its networks.
- security {
- flow {
- ## NOTE(review): datapath tracing with broad packet filters (any destination from source
- ## port 80, anything to port 80) looks like leftover troubleshooting. It writes per-packet
- ## detail to flow-trace and adds load; deactivate it when not debugging.
- traceoptions {
- file flow-trace;
- flag basic-datapath;
- packet-filter f0 {
- destination-prefix 0.0.0.0/0;
- source-port 80;
- }
- packet-filter f1 {
- destination-port 80;
- }
- packet-filter f2 {
- destination-prefix 1.2.3.4/32;
- }
- packet-filter f3 {
- destination-prefix 1.1.1.0/24;
- }
- packet-filter f4 {
- source-prefix 1.1.1.0/24;
- }
- }
- }
- ## Screen profile: ping-of-death, IP source-route, teardrop, SYN-flood thresholds and
- ## land-attack checks.
- ## NOTE(review): it is attached only to zone untrust, which has no interfaces in this
- ## config, so these checks are not applied to any traffic.
- screen {
- ids-option untrust-screen {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- policies {
- ## Policy tracing to policy-trace (5m).
- ## NOTE(review): another debugging aid - confirm it is meant to stay on.
- traceoptions {
- file policy-trace size 5m;
- }
- ## Outbound: permit everything from trust to untrust, without logging.
- from-zone trust to-zone untrust {
- policy trust-to-untrust {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Traffic from untrust to the device itself: ICMP only.
- from-zone untrust to-zone junos-host {
- policy untrust-to-junos {
- match {
- source-address any;
- destination-address any;
- application junos-icmp-all;
- }
- then {
- permit;
- }
- }
- }
- ## NOTE(review): permits any source, destination and application from untrust into trust
- ## and only logs session start. If an interface is ever moved into untrust, this rule
- ## opens the whole trust zone; narrow it to the load-balanced addresses and ports.
- from-zone untrust to-zone trust {
- policy load-balancer {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- log {
- session-init;
- }
- }
- }
- }
- ## NOTE(review): any trust host may reach any service on the device; combined with
- ## "system-services all" below this includes telnet, http and xnm-clear-text. Consider
- ## limiting it to management sources and encrypted services.
- from-zone trust to-zone junos-host {
- policy to-router {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- ## Traffic between trust interfaces (campus, VLANs 690-692, fe-0/0/7, vlan.0) is permitted
- ## without restriction or logging.
- from-zone trust to-zone trust {
- policy intra-trust {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone trust {
- ## NOTE(review): "all" accepts every enabled system service and protocol on every trust
- ## interface, including campus-facing fe-0/0/0.0. List only the services needed, per
- ## interface where possible.
- host-inbound-traffic {
- system-services {
- all;
- }
- protocols {
- all;
- }
- }
- interfaces {
- vlan.0;
- fe-0/0/1.690;
- fe-0/0/1.691;
- fe-0/0/1.692;
- fe-0/0/7.0;
- fe-0/0/0.0;
- }
- }
- ## No interfaces are assigned to untrust; it only carries the screen reference.
- security-zone untrust {
- screen untrust-screen;
- }
- }
- }
- ## Stateless filters that steer web traffic into routing-instance F5 (filter-based
- ## forwarding). Both end with a catch-all accept, so neither filter drops anything.
- firewall {
- ## Applied as the input filter on fe-0/0/0.0.
- filter to-F5 {
- ## Packets to 1.1.1.0/24 on ports 80/443 are forwarded using routing-instance F5.
- ## NOTE(review): the term matches ports without a "protocol tcp" condition; Junos guidance
- ## is to pair port matches with a protocol match so that non-TCP packets cannot match.
- term webservers {
- from {
- destination-address {
- 1.1.1.0/24;
- }
- destination-port [ 80 443 ];
- }
- then {
- routing-instance F5;
- }
- }
- term accept {
- then accept;
- }
- }
- ## Applied as the output filter on fe-0/0/0.0.
- filter from-Webservers {
- ## Packets from 1.2.3.0/24 with source port 80 are forwarded using routing-instance F5.
- ## NOTE(review): to-F5 matches ports 80 and 443, this term only source port 80; if the
- ## servers also answer on 443 directly, those replies are not steered - confirm intent.
- ## The same missing "protocol tcp" condition applies here.
- term redirect {
- from {
- source-address {
- 1.2.3.0/24;
- }
- source-port 80;
- }
- then {
- routing-instance F5;
- }
- }
- term accept {
- then accept;
- }
- }
- }
- ## Forwarding instance used by the to-F5 and from-Webservers filters.
- routing-instances {
- F5 {
- instance-type forwarding;
- routing-options {
- static {
- ## Everything steered into this instance is sent to 1.1.1.2 on the fe-0/0/1.690 subnet
- ## (presumably the F5 load balancer - confirm).
- route 0.0.0.0/0 next-hop 1.1.1.2;
- }
- }
- }
- }
- ## VLAN used by switch ports fe-0/0/2 through fe-0/0/6; vlan.0 is its routed interface.
- vlans {
- vlan-trust {
- vlan-id 3;
- l3-interface vlan.0;
- }
- }
- [edit]
- root#