Diffstat (limited to 'examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf')
| -rw-r--r-- | examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf | 800 | 
1 files changed, 800 insertions, 0 deletions
| diff --git a/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf b/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf
new file mode 100644
index 0000000..880f4f8
--- /dev/null
+++ b/examples/tg23/netconfig/natfw1.tele.tg23.gathering.org.conf
@@ -0,0 +1,800 @@ +## srx4600 +## Last commit: 2023-04-06 03:12:36 CEST by j +version 21.2R3-S2.9; +groups { +    node0 { +        system { +            host-name natfw1.tele; +        } +    } +    node1 { +        system { +            host-name BACKUP-NODE-natfw1.tele; +        } +    } +    log-session-init-close { +        security { +            policies { +                from-zone <*> to-zone <*> { +                    policy <*> { +                        then { +                            log { +                                session-init; +                                session-close; +                            } +                        } +                    } +                } +            } +        } +    } +} +apply-groups "${node}"; +system { +    root-authentication { +        encrypted-password "<removed>"; ## SECRET-DATA +    } +    login { +        user api { +            uid 2001; +            class super-user; +            authentication { +                ssh-ed25519 "<removed>"; ## SECRET-DATA +            } +        } +        user legz { +            uid 2002; +            class super-user; +            authentication { +                ssh-ed25519 "<removed>"; ## SECRET-DATA +            } +        } +        user tech { +            uid 2000; +            class super-user; +            authentication { +                encrypted-password "<removed>"; ## SECRET-DATA +            } +        } +    } +    services { +        ssh { +            root-login deny; +            no-tcp-forwarding; +            protocol-version v2; +            connection-limit 50; +        } +        netconf { +            ssh { +                port 830; +            } +        } +    } +    domain-name tg23.gathering.org; +    time-zone Europe/Oslo; +    no-multicast-echo; +    no-redirects; +    no-redirects-ipv6; +    no-ping-record-route; +    no-ping-time-stamp; +    internet-options { +        path-mtu-discovery; +        ipv6-path-mtu-discovery; + 
   } +    authentication-order tacplus; +    name-server { +        1.1.1.1; +    } +    tacplus-server { +        <removed> { +            port 49; +            secret "<removed>"; ## SECRET-DATA +            timeout 10; +            single-connection; +            source-address 185.110.148.2; +        } +        2a02:d140:c012:1::73 { +            port 49; +            secret "<removed>"; ## SECRET-DATA +            timeout 10; +            single-connection; +            source-address 2a06:5841:f:a::2; +        } +    } +    accounting { +        events [ login change-log interactive-commands ]; +        destination { +            tacplus { +                server { +                    <removed> { +                        secret "<removed>"; ## SECRET-DATA +                        source-address 185.110.148.2; +                    } +                } +            } +        } +    } +    syslog { +        user * { +            any emergency; +        } +        host log.tg23.gathering.org { +            any warning; +            authorization info; +            daemon warning; +            user warning; +            change-log any; +            interactive-commands any; +            match "!(.*License.*)"; +            allow-duplicates; +            facility-override local7; +            explicit-priority; +        } +        host oxidized.tg23.gathering.org { +            interactive-commands any; +            match UI_COMMIT_COMPLETED; +            allow-duplicates; +            source-address 185.110.148.2; +        } +        file firewall { +            firewall any; +            allow-duplicates; +        } +        file interactive-commands { +            interactive-commands any; +            match "UI_CMDLINE_READ_LINE|UI_COMMIT_COMPLETED"; +        } +        file messages { +            any any; +            authorization info; +        } +    } +    max-configurations-on-flash 49; +    inactive: archival { +        configuration { +            
transfer-on-commit; +            archive-sites { +                "scp://user@host/some/folder/" password "<removed>"; ## SECRET-DATA +            } +        } +    } +    ntp { +        server 2001:700:100:2::6; +    } +} +chassis { +    cluster { +        control-link-recovery; +        reth-count 1; +        redundancy-group 0 { +            node 0 priority 100; +            node 1 priority 1; +        } +        redundancy-group 1 { +            node 0 priority 100; +            node 1 priority 1; +            preempt; +            interface-monitor { +                et-1/0/0 weight 255; +                et-8/0/0 weight 255; +            } +        } +    } +} +security { +    log { +        mode stream; +        format syslog; +        stream LOG { +            severity notice; +            format syslog; +            host { +                2a06:5841:f:e::134; +                port 514; +            } +            source-address 2a06:5841:f:a::2; +        } +    } +    ssh-known-hosts { +        host 185.80.182.92 { +            ecdsa-sha2-nistp256-key <removed>; +        } +    } +    address-book { +        global { +            address MGMT-TG23_Infra-v4 185.110.148.0/24; +            address MGMT-TG23_Infra-v6 2a06:5841:f::/48; +            address TGNET1 88.92.0.0/17; +            address TGNET2 151.216.128.0/17; +            address TGNET3 185.110.148.0/22; +            address-set MANAGEMENT { +                address MGMT-Tech_Colo-v4; +                address MGMT-Tech_Colo-v6; +                address MGMT-TG23_Infra-v4; +                address MGMT-TG23_Infra-v6; +            } +            address-set TGNETv4 { +                address TGNET1; +                address TGNET2; +                address TGNET3; +            } +        } +    } +    nat { +        source { +            pool NAT-WIFI-POOL { +                address { +                    185.110.150.0/25; +                } +            } +            pool NAT-LAN-POOL { +            
    address { +                    185.110.150.128/25; +                } +            } +            address-persistent; +            rule-set NAT-WIFI-TO-INET { +                from zone NAT-WIFI; +                to zone INET; +                rule TG-NO-NAT-LOL { +                    match { +                        destination-address-name TGNETv4; +                    } +                    then { +                        source-nat { +                            off; +                        } +                    } +                } +                rule NAT-WIFI-TO-INET-RULE { +                    match { +                        source-address 0.0.0.0/0; +                        destination-address 0.0.0.0/0; +                        application any; +                    } +                    then { +                        source-nat { +                            pool { +                                NAT-WIFI-POOL; +                            } +                        } +                    } +                } +            } +            rule-set NAT-LAN-TO-INET { +                from zone NAT-LAN; +                to zone INET; +                rule TG-NO-NAT { +                    match { +                        destination-address-name TGNETv4; +                    } +                    then { +                        source-nat { +                            off; +                        } +                    } +                } +                rule NAT-LAN-TO-INET-RULE { +                    match { +                        source-address 0.0.0.0/0; +                        destination-address 0.0.0.0/0; +                        application any; +                    } +                    then { +                        source-nat { +                            pool { +                                NAT-LAN-POOL; +                            } +                        } +                    } +                } +            } +       
 } +    } +    policies { +        apply-groups log-session-init-close; +        from-zone NAT-WIFI to-zone INET { +            policy COUNT_IPv4 { +                match { +                    source-address any-ipv4; +                    destination-address any-ipv4; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy COUNT_IPv6 { +                match { +                    source-address any-ipv6; +                    destination-address any-ipv6; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        from-zone NAT-LAN to-zone INET { +            policy COUNT_IPv4 { +                match { +                    source-address any-ipv4; +                    destination-address any-ipv4; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy COUNT_IPv6 { +                match { +                    source-address any-ipv6; +                    destination-address any-ipv6; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                
    permit; +                } +            } +        } +        from-zone INET to-zone NAT-LAN { +            policy COUNT_IPv4 { +                match { +                    source-address any-ipv4; +                    destination-address any-ipv4; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy COUNT_IPv6 { +                match { +                    source-address any-ipv6; +                    destination-address any-ipv6; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        from-zone INET to-zone NAT-WIFI { +            policy COUNT_IPv4 { +                match { +                    source-address any-ipv4; +                    destination-address any-ipv4; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy COUNT_IPv6 { +                match { +                    source-address any-ipv6; +                    destination-address any-ipv6; +                    application any; +                } +                then { +                    permit; +                    count; +                } +            } +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +  
              } +            } +        } +        from-zone NAT-LAN to-zone NAT-WIFI { +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        from-zone NAT-WIFI to-zone NAT-LAN { +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        /* Fordi ellers naar man ikke lo0 fra internetttttz */ +        from-zone INET to-zone LOOPBACK { +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        from-zone INET to-zone INET { +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        from-zone LOOPBACK to-zone INET { +            policy YESMAN { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +        } +        inactive: from-zone INET to-zone junos-host { +            policy ALLOW-TECH { +                match { +                    source-address MANAGEMENT; +                    
destination-address any; +                    application any; +                } +                then { +                    permit; +                } +            } +            policy ICMP { +                match { +                    source-address any; +                    destination-address any; +                    application [ junos-icmp-all junos-icmp6-all ]; +                } +                then { +                    permit; +                } +            } +            policy DENY { +                match { +                    source-address any; +                    destination-address any; +                    application any; +                } +                then { +                    deny; +                    count; +                } +            } +        } +        global { +            policy PING { +                match { +                    source-address any; +                    destination-address any; +                    application [ junos-ping junos-pingv6 junos-dhcp-relay ]; +                } +                then { +                    permit; +                } +            } +        } +    } +    zones { +        security-zone INET { +            host-inbound-traffic { +                system-services { +                    ping; +                    traceroute; +                    ssh; +                    dhcp; +                } +                protocols { +                    ospf3; +                } +            } +            interfaces { +                reth0.10; +            } +        } +        security-zone NAT-WIFI { +            host-inbound-traffic { +                system-services { +                    ping; +                    traceroute; +                    dhcp; +                } +                protocols { +                    ospf3; +                } +            } +            interfaces { +                reth0.20; +            } +        } +        security-zone NAT-LAN { +      
      host-inbound-traffic { +                system-services { +                    netconf; +                    traceroute; +                    dhcp; +                } +                protocols { +                    ospf3; +                } +            } +            interfaces { +                reth0.30; +            } +        } +        security-zone LOOPBACK { +            host-inbound-traffic { +                system-services { +                    ssh; +                    netconf; +                    ping; +                    snmp; +                    traceroute; +                    dhcp; +                } +                protocols { +                    ospf3; +                } +            } +            interfaces { +                lo0.0; +            } +        } +    } +} +interfaces { +    et-1/0/0 { +        description "G: r1.tele et-4/0/3 (ae999)"; +        gigether-options { +            redundant-parent reth0; +        } +    } +    et-1/0/2 { +        description "X: fab0"; +    } +    et-1/0/3 { +        description "X: fab0"; +    } +    et-8/0/0 { +        description "G: r1.tele et-5/0/3 (ae999)"; +        gigether-options { +            redundant-parent reth0; +        } +    } +    et-8/0/2 { +        description "X: fab1"; +    } +    et-8/0/3 { +        description "X: fab1"; +    } +    fab0 { +        description "X: fab0"; +        fabric-options { +            member-interfaces { +                et-1/0/2; +                et-1/0/3; +            } +        } +    } +    fab1 { +        description "X: fab1"; +        fabric-options { +            member-interfaces { +                et-8/0/2; +                et-8/0/3; +            } +        } +    } +    lo0 { +        description "X: Loopback"; +        unit 0 { +            family inet { +                address 127.0.0.1/32; +                address 185.110.148.2/32 { +                    primary; +                    preferred; +                } +            
} +            family inet6 { +                address ::1/128; +                address 2a06:5841:f:a::2/128 { +                    primary; +                    preferred; +                } +            } +        } +    } +    reth0 { +        description "B: r1.tele ae5"; +        vlan-tagging; +        redundant-ether-options { +            redundancy-group 1; +        } +        unit 10 { +            description INET; +            vlan-id 10; +            family inet { +                address 185.110.148.163/31; +            } +            family inet6 { +                address 2a06:5841:f:101::1/127; +            } +        } +        unit 20 { +            description NAT-WIFI; +            vlan-id 20; +            family inet { +                address 185.110.148.165/31; +            } +            family inet6 { +                address 2a06:5841:f:101::3/127; +            } +        } +        unit 30 { +            description NAT-LAN; +            vlan-id 30; +            family inet { +                address 185.110.148.167/31; +            } +            family inet6 { +                address 2a06:5841:f:101::5/127; +            } +        } +    } +} +snmp { +    contact "<removed>"; +    community <removed> { +        authorization read-only; +        client-list-name mgmt; +    } +} +forwarding-options { +    dhcp-relay { +        dhcpv6 { +            overrides { +                allow-snooped-clients; +            } +            group all-networks { +                inactive: active-server-group v6-dhcp; +                route-suppression access-internal; +                interface reth0.20; +                interface reth0.30; +            } +            server-group { +                v6-dhcp { +                    2a06:5841:f:d::98; +                } +            } +        } +        server-group { +            v4-dhcp { +                185.110.148.98; +            } +        } +        group all-networks { +            inactive: 
active-server-group v4-dhcp; +            inactive: overrides { +                ## +                ## Warning: statement ignored: unsupported platform (srx4600) +                ## +                allow-snooped-clients; +                trust-option-82; +            } +            route-suppression { +                access-internal; +            } +            interface reth0.20; +            interface reth0.30; +        } +    } +} +policy-options { +    prefix-list mgmt-v4 { +    } +    prefix-list mgmt-v6 { +    } +    /* Merged separate v4- og v6-lister */ +    prefix-list mgmt { +        apply-path "policy-options prefix-list <mgmt-v*> <*>"; +    } +    policy-statement v4-from-direct-to-ospf { +        from protocol direct; +        then accept; +    } +    policy-statement v6-from-direct-to-ospf { +        from protocol direct; +        then accept; +    } +} +protocols { +    ospf3 { +        realm ipv4-unicast { +            area 0.0.0.0 { +                interface reth0.10; +                interface lo0.0 { +                    passive; +                } +                interface reth0.30; +                interface reth0.20; +            } +            export v4-from-direct-to-ospf; +            reference-bandwidth 1000g; +        } +        area 0.0.0.0 { +            interface reth0.10; +            interface lo0.0 { +                passive; +            } +            interface reth0.20; +            interface reth0.30; +        } +        export v6-from-direct-to-ospf; +    } +    lldp { +        port-id-subtype interface-name; +        port-description-type interface-description; +        interface all; +    } +} | 
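Review bot: The device's own SSH service is reachable from the INET zone with no source restriction, because `security-zone INET host-inbound-traffic system-services` lists `ssh` while the only policy that would limit it — `from-zone INET to-zone junos-host` with `ALLOW-TECH` (source `MANAGEMENT`) and the trailing `DENY` — is marked `inactive:`, leaving access gated solely by TACACS+ and the local credentials of `root`, `tech`, `api` and `legz`. Either remove `ssh` from the INET zone's host-inbound-traffic (management is already permitted on the LOOPBACK zone) or activate the junos-host policy block; if activating it, note that `address-set MANAGEMENT` references `MGMT-Tech_Colo-v4` and `MGMT-Tech_Colo-v6`, which are not defined in the visible `address-book global`, so the commit check would presumably reject it unless those entries were stripped during redaction. The `YESMAN` any/any/any permits from INET into NAT-LAN and NAT-WIFI also mean inside hosts are reachable for unsolicited IPv6 connections (the source-NAT rule-sets only cover IPv4 outbound), which may be intentional for a LAN-party network but deserves an explicit comment such as `/* Deliberately open: inbound from INET to the NAT zones is allowed, IPv6 is not NATed. */` next to those policies. The SNMP community uses `client-list-name mgmt` while `prefix-list mgmt-v4` and `mgmt-v6` are empty, so either the restriction currently matches no clients or the lists were redacted — worth a comment stating which.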
