1. root# show | no-more
  2. ## Last changed: 2013-03-05 07:13:42 UTC
  3. version 12.1X44.4;
  4. system {
  5. root-authentication {
  6. encrypted-password "$1$ekHjG.t0$qIL8RxzwBhBiqF1IiClM/0"; ## SECRET-DATA
  7. }
  8. name-server {
  9. 208.67.222.222;
  10. 208.67.220.220;
  11. }
  12. services {
  13. ssh;
  14. telnet;
  15. xnm-clear-text;
  16. web-management {
  17. http {
  18. interface vlan.0;
  19. }
  20. https {
  21. system-generated-certificate;
  22. interface vlan.0;
  23. }
  24. }
  25. dhcp {
  26. pool 10.69.69.0/24 {
  27. address-range low 10.69.69.10 high 10.69.69.99;
  28. default-lease-time 3600;
  29. router {
  30. 10.69.69.1;
  31. }
  32. }
  33. }
  34. }
  35. syslog {
  36. archive size 100k files 3;
  37. user * {
  38. any emergency;
  39. }
  40. file messages {
  41. any critical;
  42. authorization info;
  43. }
  44. file interactive-commands {
  45. interactive-commands error;
  46. }
  47. file policy_session {
  48. any any;
  49. match RT_FLOW;
  50. archive size 5m files 2;
  51. }
  52. }
  53. max-configurations-on-flash 5;
  54. max-configuration-rollbacks 5;
  55. license {
  56. autoupdate {
  57. url https://ae1.juniper.net/junos/key_retrieval;
  58. }
  59. }
  60. }
  61. interfaces {
  62. traceoptions {
  63. file interface.txt size 1m files 5;
  64. }
  65. fe-0/0/0 {
  66. unit 0 {
  67. description "Rest of campus network";
  68. family inet {
  69. filter {
  70. input to-F5;
  71. output from-Webservers;
  72. }
  73. address 10.69.69.1/24;
  74. }
  75. }
  76. }
  77. fe-0/0/1 {
  78. vlan-tagging;
  79. unit 690 {
  80. vlan-id 690;
  81. family inet {
  82. address 1.1.1.1/24;
  83. }
  84. }
  85. unit 691 {
  86. vlan-id 691;
  87. family inet {
  88. address 1.2.3.1/24;
  89. }
  90. }
  91. unit 692 {
  92. vlan-id 692;
  93. family inet {
  94. address 1.2.4.1/24;
  95. }
  96. }
  97. }
  98. fe-0/0/2 {
  99. unit 0 {
  100. family ethernet-switching {
  101. vlan {
  102. members vlan-trust;
  103. }
  104. }
  105. }
  106. }
  107. fe-0/0/3 {
  108. unit 0 {
  109. family ethernet-switching {
  110. vlan {
  111. members vlan-trust;
  112. }
  113. }
  114. }
  115. }
  116. fe-0/0/4 {
  117. unit 0 {
  118. family ethernet-switching {
  119. vlan {
  120. members vlan-trust;
  121. }
  122. }
  123. }
  124. }
  125. fe-0/0/5 {
  126. unit 0 {
  127. family ethernet-switching {
  128. vlan {
  129. members vlan-trust;
  130. }
  131. }
  132. }
  133. }
  134. fe-0/0/6 {
  135. unit 0 {
  136. family ethernet-switching {
  137. vlan {
  138. members vlan-trust;
  139. }
  140. }
  141. }
  142. }
  143. fe-0/0/7 {
  144. unit 0 {
  145. family inet {
  146. address 10.25.25.6/23;
  147. }
  148. }
  149. }
  150. vlan {
  151. unit 0 {
  152. family inet {
  153. address 192.168.1.1/24;
  154. }
  155. }
  156. }
  157. }
  158. routing-options {
  159. interface-routes {
  160. rib-group inet fwd-direct-rib;
  161. }
  162. static {
  163. route 10.25.0.0/16 next-hop 10.25.24.1;
  164. }
  165. rib-groups {
  166. fwd-direct-rib {
  167. import-rib [ inet.0 F5.inet.0 ];
  168. import-policy f5-interface;
  169. }
  170. }
  171. }
  172. policy-options {
  173. policy-statement f5-interface {
  174. term service {
  175. from interface fe-0/0/1.690;
  176. to rib F5.inet.0;
  177. then accept;
  178. }
  179. term reject {
  180. then reject;
  181. }
  182. }
  183. }
  184. security {
  185. flow {
  186. traceoptions {
  187. file flow-trace;
  188. flag basic-datapath;
  189. packet-filter f0 {
  190. destination-prefix 0.0.0.0/0;
  191. source-port 80;
  192. }
  193. packet-filter f1 {
  194. destination-port 80;
  195. }
  196. packet-filter f2 {
  197. destination-prefix 1.2.3.4/32;
  198. }
  199. packet-filter f3 {
  200. destination-prefix 1.1.1.0/24;
  201. }
  202. packet-filter f4 {
  203. source-prefix 1.1.1.0/24;
  204. }
  205. }
  206. }
  207. screen {
  208. ids-option untrust-screen {
  209. icmp {
  210. ping-death;
  211. }
  212. ip {
  213. source-route-option;
  214. tear-drop;
  215. }
  216. tcp {
  217. syn-flood {
  218. alarm-threshold 1024;
  219. attack-threshold 200;
  220. source-threshold 1024;
  221. destination-threshold 2048;
  222. timeout 20;
  223. }
  224. land;
  225. }
  226. }
  227. }
  228. policies {
  229. traceoptions {
  230. file policy-trace size 5m;
  231. }
  232. from-zone trust to-zone untrust {
  233. policy trust-to-untrust {
  234. match {
  235. source-address any;
  236. destination-address any;
  237. application any;
  238. }
  239. then {
  240. permit;
  241. }
  242. }
  243. }
  244. from-zone untrust to-zone junos-host {
  245. policy untrust-to-junos {
  246. match {
  247. source-address any;
  248. destination-address any;
  249. application junos-icmp-all;
  250. }
  251. then {
  252. permit;
  253. }
  254. }
  255. }
  256. from-zone untrust to-zone trust {
  257. policy load-balancer {
  258. match {
  259. source-address any;
  260. destination-address any;
  261. application any;
  262. }
  263. then {
  264. permit;
  265. log {
  266. session-init;
  267. }
  268. }
  269. }
  270. }
  271. from-zone trust to-zone junos-host {
  272. policy to-router {
  273. match {
  274. source-address any;
  275. destination-address any;
  276. application any;
  277. }
  278. then {
  279. permit;
  280. }
  281. }
  282. }
  283. from-zone trust to-zone trust {
  284. policy intra-trust {
  285. match {
  286. source-address any;
  287. destination-address any;
  288. application any;
  289. }
  290. then {
  291. permit;
  292. }
  293. }
  294. }
  295. }
  296. zones {
  297. security-zone trust {
  298. host-inbound-traffic {
  299. system-services {
  300. all;
  301. }
  302. protocols {
  303. all;
  304. }
  305. }
  306. interfaces {
  307. vlan.0;
  308. fe-0/0/1.690;
  309. fe-0/0/1.691;
  310. fe-0/0/1.692;
  311. fe-0/0/7.0;
  312. fe-0/0/0.0;
  313. }
  314. }
  315. security-zone untrust {
  316. screen untrust-screen;
  317. }
  318. }
  319. }
  320. firewall {
  321. filter to-F5 {
  322. term webservers {
  323. from {
  324. destination-address {
  325. 1.1.1.0/24;
  326. }
  327. destination-port [ 80 443 ];
  328. }
  329. then {
  330. routing-instance F5;
  331. }
  332. }
  333. term accept {
  334. then accept;
  335. }
  336. }
  337. filter from-Webservers {
  338. term redirect {
  339. from {
  340. source-address {
  341. 1.2.3.0/24;
  342. }
  343. source-port 80;
  344. }
  345. then {
  346. routing-instance F5;
  347. }
  348. }
  349. term accept {
  350. then accept;
  351. }
  352. }
  353. }
  354. routing-instances {
  355. F5 {
  356. instance-type forwarding;
  357. routing-options {
  358. static {
  359. route 0.0.0.0/0 next-hop 1.1.1.2;
  360. }
  361. }
  362. }
  363. }
  364. vlans {
  365. vlan-trust {
  366. vlan-id 3;
  367. l3-interface vlan.0;
  368. }
  369. }
  371. [edit]
  372. root#