diff options
Diffstat (limited to 'examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf')
| -rw-r--r-- | examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf | 800 |
1 files changed, 800 insertions, 0 deletions
diff --git a/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf b/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf new file mode 100644 index 0000000..880f4f8 --- /dev/null +++ b/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf @@ -0,0 +1,800 @@ +## srx4600 +## Last commit: 2023-04-06 03:12:36 CEST by j +version 21.2R3-S2.9; +groups { + node0 { + system { + host-name natfw1.tele; + } + } + node1 { + system { + host-name BACKUP-NODE-natfw1.tele; + } + } + log-session-init-close { + security { + policies { + from-zone <*> to-zone <*> { + policy <*> { + then { + log { + session-init; + session-close; + } + } + } + } + } + } + } +} +apply-groups "${node}"; +system { + root-authentication { + encrypted-password "<removed>"; ## SECRET-DATA + } + login { + user api { + uid 2001; + class super-user; + authentication { + ssh-ed25519 "<removed>"; ## SECRET-DATA + } + } + user legz { + uid 2002; + class super-user; + authentication { + ssh-ed25519 "<removed>"; ## SECRET-DATA + } + } + user tech { + uid 2000; + class super-user; + authentication { + encrypted-password "<removed>"; ## SECRET-DATA + } + } + } + services { + ssh { + root-login deny; + no-tcp-forwarding; + protocol-version v2; + connection-limit 50; + } + netconf { + ssh { + port 830; + } + } + } + domain-name tg23.gathering.org; + time-zone Europe/Oslo; + no-multicast-echo; + no-redirects; + no-redirects-ipv6; + no-ping-record-route; + no-ping-time-stamp; + internet-options { + path-mtu-discovery; + ipv6-path-mtu-discovery; + } + authentication-order tacplus; + name-server { + 1.1.1.1; + } + tacplus-server { + <removed> { + port 49; + secret "<removed>"; ## SECRET-DATA + timeout 10; + single-connection; + source-address 185.110.148.2; + } + 2a02:d140:c012:1::73 { + port 49; + secret "<removed>"; ## SECRET-DATA + timeout 10; + single-connection; + source-address 2a06:5841:f:a::2; + } + } + accounting { + events [ login change-log interactive-commands ]; + destination { + tacplus { + server { + <removed> { + secret "<removed>"; ## SECRET-DATA + source-address 185.110.148.2; + } + } + } + } + } + syslog { + user * { + any emergency; + } + host log.tg23.gathering.org { + any warning; + authorization info; + daemon warning; + user warning; + change-log any; + interactive-commands any; + match "!(.*License.*)"; + allow-duplicates; + facility-override local7; + explicit-priority; + } + host oxidized.tg23.gathering.org { + interactive-commands any; + match UI_COMMIT_COMPLETED; + allow-duplicates; + source-address 185.110.148.2; + } + file firewall { + firewall any; + allow-duplicates; + } + file interactive-commands { + interactive-commands any; + match "UI_CMDLINE_READ_LINE|UI_COMMIT_COMPLETED"; + } + file messages { + any any; + authorization info; + } + } + max-configurations-on-flash 49; + inactive: archival { + configuration { + transfer-on-commit; + archive-sites { + "scp://user@host/some/folder/" password "<removed>"; ## SECRET-DATA + } + } + } + ntp { + server 2001:700:100:2::6; + } +} +chassis { + cluster { + control-link-recovery; + reth-count 1; + redundancy-group 0 { + node 0 priority 100; + node 1 priority 1; + } + redundancy-group 1 { + node 0 priority 100; + node 1 priority 1; + preempt; + interface-monitor { + et-1/0/0 weight 255; + et-8/0/0 weight 255; + } + } + } +} +security { + log { + mode stream; + format syslog; + stream LOG { + severity notice; + format syslog; + host { + 2a06:5841:f:e::134; + port 514; + } + source-address 2a06:5841:f:a::2; + } + } + ssh-known-hosts { + host 185.80.182.92 { + ecdsa-sha2-nistp256-key <removed>; + } + } + address-book { + global { + address MGMT-TG23_Infra-v4 185.110.148.0/24; + address MGMT-TG23_Infra-v6 2a06:5841:f::/48; + address TGNET1 88.92.0.0/17; + address TGNET2 151.216.128.0/17; + address TGNET3 185.110.148.0/22; + address-set MANAGEMENT { + address MGMT-Tech_Colo-v4; + address MGMT-Tech_Colo-v6; + address MGMT-TG23_Infra-v4; + address MGMT-TG23_Infra-v6; + } + address-set TGNETv4 { + address TGNET1; + address TGNET2; + address TGNET3; + } + } + } + nat { + source { + pool NAT-WIFI-POOL { + address { + 185.110.150.0/25; + } + } + pool NAT-LAN-POOL { + address { + 185.110.150.128/25; + } + } + address-persistent; + rule-set NAT-WIFI-TO-INET { + from zone NAT-WIFI; + to zone INET; + rule TG-NO-NAT-LOL { + match { + destination-address-name TGNETv4; + } + then { + source-nat { + off; + } + } + } + rule NAT-WIFI-TO-INET-RULE { + match { + source-address 0.0.0.0/0; + destination-address 0.0.0.0/0; + application any; + } + then { + source-nat { + pool { + NAT-WIFI-POOL; + } + } + } + } + } + rule-set NAT-LAN-TO-INET { + from zone NAT-LAN; + to zone INET; + rule TG-NO-NAT { + match { + destination-address-name TGNETv4; + } + then { + source-nat { + off; + } + } + } + rule NAT-LAN-TO-INET-RULE { + match { + source-address 0.0.0.0/0; + destination-address 0.0.0.0/0; + application any; + } + then { + source-nat { + pool { + NAT-LAN-POOL; + } + } + } + } + } + } + } + policies { + apply-groups log-session-init-close; + from-zone NAT-WIFI to-zone INET { + policy COUNT_IPv4 { + match { + source-address any-ipv4; + destination-address any-ipv4; + application any; + } + then { + permit; + count; + } + } + policy COUNT_IPv6 { + match { + source-address any-ipv6; + destination-address any-ipv6; + application any; + } + then { + permit; + count; + } + } + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone NAT-LAN to-zone INET { + policy COUNT_IPv4 { + match { + source-address any-ipv4; + destination-address any-ipv4; + application any; + } + then { + permit; + count; + } + } + policy COUNT_IPv6 { + match { + source-address any-ipv6; + destination-address any-ipv6; + application any; + } + then { + permit; + count; + } + } + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone INET to-zone NAT-LAN { + policy COUNT_IPv4 { + match { + source-address any-ipv4; + destination-address any-ipv4; + application any; + } + then { + permit; + count; + } + } + policy COUNT_IPv6 { + match { + source-address any-ipv6; + destination-address any-ipv6; + application any; + } + then { + permit; + count; + } + } + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone INET to-zone NAT-WIFI { + policy COUNT_IPv4 { + match { + source-address any-ipv4; + destination-address any-ipv4; + application any; + } + then { + permit; + count; + } + } + policy COUNT_IPv6 { + match { + source-address any-ipv6; + destination-address any-ipv6; + application any; + } + then { + permit; + count; + } + } + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone NAT-LAN to-zone NAT-WIFI { + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone NAT-WIFI to-zone NAT-LAN { + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + /* Fordi ellers naar man ikke lo0 fra internetttttz */ + from-zone INET to-zone LOOPBACK { + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone INET to-zone INET { + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + from-zone LOOPBACK to-zone INET { + policy YESMAN { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + } + } + } + inactive: from-zone INET to-zone junos-host { + policy ALLOW-TECH { + match { + source-address MANAGEMENT; + destination-address any; + application any; + } + then { + permit; + } + } + policy ICMP { + match { + source-address any; + destination-address any; + application [ junos-icmp-all junos-icmp6-all ]; + } + then { + permit; + } + } + policy DENY { + match { + source-address any; + destination-address any; + application any; + } + then { + deny; + count; + } + } + } + global { + policy PING { + match { + source-address any; + destination-address any; + application [ junos-ping junos-pingv6 junos-dhcp-relay ]; + } + then { + permit; + } + } + } + } + zones { + security-zone INET { + host-inbound-traffic { + system-services { + ping; + traceroute; + ssh; + dhcp; + } + protocols { + ospf3; + } + } + interfaces { + reth0.10; + } + } + security-zone NAT-WIFI { + host-inbound-traffic { + system-services { + ping; + traceroute; + dhcp; + } + protocols { + ospf3; + } + } + interfaces { + reth0.20; + } + } + security-zone NAT-LAN { + host-inbound-traffic { + system-services { + netconf; + traceroute; + dhcp; + } + protocols { + ospf3; + } + } + interfaces { + reth0.30; + } + } + security-zone LOOPBACK { + host-inbound-traffic { + system-services { + ssh; + netconf; + ping; + snmp; + traceroute; + dhcp; + } + protocols { + ospf3; + } + } + interfaces { + lo0.0; + } + } + } +} +interfaces { + et-1/0/0 { + description "G: r1.tele et-4/0/3 (ae999)"; + gigether-options { + redundant-parent reth0; + } + } + et-1/0/2 { + description "X: fab0"; + } + et-1/0/3 { + description "X: fab0"; + } + et-8/0/0 { + description "G: r1.tele et-5/0/3 (ae999)"; + gigether-options { + redundant-parent reth0; + } + } + et-8/0/2 { + description "X: fab1"; + } + et-8/0/3 { + description "X: fab1"; + } + fab0 { + description "X: fab0"; + fabric-options { + member-interfaces { + et-1/0/2; + et-1/0/3; + } + } + } + fab1 { + description "X: fab1"; + fabric-options { + member-interfaces { + et-8/0/2; + et-8/0/3; + } + } + } + lo0 { + description "X: Loopback"; + unit 0 { + family inet { + address 127.0.0.1/32; + address 185.110.148.2/32 { + primary; + preferred; + } + } + family inet6 { + address ::1/128; + address 2a06:5841:f:a::2/128 { + primary; + preferred; + } + } + } + } + reth0 { + description "B: r1.tele ae5"; + vlan-tagging; + redundant-ether-options { + redundancy-group 1; + } + unit 10 { + description INET; + vlan-id 10; + family inet { + address 185.110.148.163/31; + } + family inet6 { + address 2a06:5841:f:101::1/127; + } + } + unit 20 { + description NAT-WIFI; + vlan-id 20; + family inet { + address 185.110.148.165/31; + } + family inet6 { + address 2a06:5841:f:101::3/127; + } + } + unit 30 { + description NAT-LAN; + vlan-id 30; + family inet { + address 185.110.148.167/31; + } + family inet6 { + address 2a06:5841:f:101::5/127; + } + } + } +} +snmp { + contact "<removed>"; + community <removed> { + authorization read-only; + client-list-name mgmt; + } +} +forwarding-options { + dhcp-relay { + dhcpv6 { + overrides { + allow-snooped-clients; + } + group all-networks { + inactive: active-server-group v6-dhcp; + route-suppression access-internal; + interface reth0.20; + interface reth0.30; + } + server-group { + v6-dhcp { + 2a06:5841:f:d::98; + } + } + } + server-group { + v4-dhcp { + 185.110.148.98; + } + } + group all-networks { + inactive: active-server-group v4-dhcp; + inactive: overrides { + ## + ## Warning: statement ignored: unsupported platform (srx4600) + ## + allow-snooped-clients; + trust-option-82; + } + route-suppression { + access-internal; + } + interface reth0.20; + interface reth0.30; + } + } +} +policy-options { + prefix-list mgmt-v4 { + } + prefix-list mgmt-v6 { + } + /* Merged separate v4- og v6-lister */ + prefix-list mgmt { + apply-path "policy-options prefix-list <mgmt-v*> <*>"; + } + policy-statement v4-from-direct-to-ospf { + from protocol direct; + then accept; + } + policy-statement v6-from-direct-to-ospf { + from protocol direct; + then accept; + } +} +protocols { + ospf3 { + realm ipv4-unicast { + area 0.0.0.0 { + interface reth0.10; + interface lo0.0 { + passive; + } + interface reth0.30; + interface reth0.20; + } + export v4-from-direct-to-ospf; + reference-bandwidth 1000g; + } + area 0.0.0.0 { + interface reth0.10; + interface lo0.0 { + passive; + } + interface reth0.20; + interface reth0.30; + } + export v6-from-direct-to-ospf; + } + lldp { + port-id-subtype interface-name; + port-description-type interface-description; + interface all; + } +} |