## srx4600 ## Last commit: 2023-04-06 03:12:36 CEST by j version 21.2R3-S2.9; groups { node0 { system { host-name natfw1.tele; } } node1 { system { host-name BACKUP-NODE-natfw1.tele; } } log-session-init-close { security { policies { from-zone <*> to-zone <*> { policy <*> { then { log { session-init; session-close; } } } } } } } } apply-groups "${node}"; system { root-authentication { encrypted-password ""; ## SECRET-DATA } login { user api { uid 2001; class super-user; authentication { ssh-ed25519 ""; ## SECRET-DATA } } user legz { uid 2002; class super-user; authentication { ssh-ed25519 ""; ## SECRET-DATA } } user tech { uid 2000; class super-user; authentication { encrypted-password ""; ## SECRET-DATA } } } services { ssh { root-login deny; no-tcp-forwarding; protocol-version v2; connection-limit 50; } netconf { ssh { port 830; } } } domain-name tg23.gathering.org; time-zone Europe/Oslo; no-multicast-echo; no-redirects; no-redirects-ipv6; no-ping-record-route; no-ping-time-stamp; internet-options { path-mtu-discovery; ipv6-path-mtu-discovery; } authentication-order tacplus; name-server { 1.1.1.1; } tacplus-server { { port 49; secret ""; ## SECRET-DATA timeout 10; single-connection; source-address 185.110.148.2; } 2a02:d140:c012:1::73 { port 49; secret ""; ## SECRET-DATA timeout 10; single-connection; source-address 2a06:5841:f:a::2; } } accounting { events [ login change-log interactive-commands ]; destination { tacplus { server { { secret ""; ## SECRET-DATA source-address 185.110.148.2; } } } } } syslog { user * { any emergency; } host log.tg23.gathering.org { any warning; authorization info; daemon warning; user warning; change-log any; interactive-commands any; match "!(.*License.*)"; allow-duplicates; facility-override local7; explicit-priority; } host oxidized.tg23.gathering.org { interactive-commands any; match UI_COMMIT_COMPLETED; allow-duplicates; source-address 185.110.148.2; } file firewall { firewall any; allow-duplicates; } file interactive-commands { interactive-commands any; match "UI_CMDLINE_READ_LINE|UI_COMMIT_COMPLETED"; } file messages { any any; authorization info; } } max-configurations-on-flash 49; inactive: archival { configuration { transfer-on-commit; archive-sites { "scp://user@host/some/folder/" password ""; ## SECRET-DATA } } } ntp { server 2001:700:100:2::6; } } chassis { cluster { control-link-recovery; reth-count 1; redundancy-group 0 { node 0 priority 100; node 1 priority 1; } redundancy-group 1 { node 0 priority 100; node 1 priority 1; preempt; interface-monitor { et-1/0/0 weight 255; et-8/0/0 weight 255; } } } } security { log { mode stream; format syslog; stream LOG { severity notice; format syslog; host { 2a06:5841:f:e::134; port 514; } source-address 2a06:5841:f:a::2; } } ssh-known-hosts { host 185.80.182.92 { ecdsa-sha2-nistp256-key ; } } address-book { global { address MGMT-TG23_Infra-v4 185.110.148.0/24; address MGMT-TG23_Infra-v6 2a06:5841:f::/48; address TGNET1 88.92.0.0/17; address TGNET2 151.216.128.0/17; address TGNET3 185.110.148.0/22; address-set MANAGEMENT { address MGMT-Tech_Colo-v4; address MGMT-Tech_Colo-v6; address MGMT-TG23_Infra-v4; address MGMT-TG23_Infra-v6; } address-set TGNETv4 { address TGNET1; address TGNET2; address TGNET3; } } } nat { source { pool NAT-WIFI-POOL { address { 185.110.150.0/25; } } pool NAT-LAN-POOL { address { 185.110.150.128/25; } } address-persistent; rule-set NAT-WIFI-TO-INET { from zone NAT-WIFI; to zone INET; rule TG-NO-NAT-LOL { match { destination-address-name TGNETv4; } then { source-nat { off; } } } rule NAT-WIFI-TO-INET-RULE { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; application any; } then { source-nat { pool { NAT-WIFI-POOL; } } } } } rule-set NAT-LAN-TO-INET { from zone NAT-LAN; to zone INET; rule TG-NO-NAT { match { destination-address-name TGNETv4; } then { source-nat { off; } } } rule NAT-LAN-TO-INET-RULE { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; application any; } then { source-nat { pool { NAT-LAN-POOL; } } } } } } } policies { apply-groups log-session-init-close; from-zone NAT-WIFI to-zone INET { policy COUNT_IPv4 { match { source-address any-ipv4; destination-address any-ipv4; application any; } then { permit; count; } } policy COUNT_IPv6 { match { source-address any-ipv6; destination-address any-ipv6; application any; } then { permit; count; } } policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone NAT-LAN to-zone INET { policy COUNT_IPv4 { match { source-address any-ipv4; destination-address any-ipv4; application any; } then { permit; count; } } policy COUNT_IPv6 { match { source-address any-ipv6; destination-address any-ipv6; application any; } then { permit; count; } } policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone INET to-zone NAT-LAN { policy COUNT_IPv4 { match { source-address any-ipv4; destination-address any-ipv4; application any; } then { permit; count; } } policy COUNT_IPv6 { match { source-address any-ipv6; destination-address any-ipv6; application any; } then { permit; count; } } policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone INET to-zone NAT-WIFI { policy COUNT_IPv4 { match { source-address any-ipv4; destination-address any-ipv4; application any; } then { permit; count; } } policy COUNT_IPv6 { match { source-address any-ipv6; destination-address any-ipv6; application any; } then { permit; count; } } policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone NAT-LAN to-zone NAT-WIFI { policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone NAT-WIFI to-zone NAT-LAN { policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } /* Fordi ellers naar man ikke lo0 fra internetttttz */ from-zone INET to-zone LOOPBACK { policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone INET to-zone INET { policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone LOOPBACK to-zone INET { policy YESMAN { match { source-address any; destination-address any; application any; } then { permit; } } } inactive: from-zone INET to-zone junos-host { policy ALLOW-TECH { match { source-address MANAGEMENT; destination-address any; application any; } then { permit; } } policy ICMP { match { source-address any; destination-address any; application [ junos-icmp-all junos-icmp6-all ]; } then { permit; } } policy DENY { match { source-address any; destination-address any; application any; } then { deny; count; } } } global { policy PING { match { source-address any; destination-address any; application [ junos-ping junos-pingv6 junos-dhcp-relay ]; } then { permit; } } } } zones { security-zone INET { host-inbound-traffic { system-services { ping; traceroute; ssh; dhcp; } protocols { ospf3; } } interfaces { reth0.10; } } security-zone NAT-WIFI { host-inbound-traffic { system-services { ping; traceroute; dhcp; } protocols { ospf3; } } interfaces { reth0.20; } } security-zone NAT-LAN { host-inbound-traffic { system-services { netconf; traceroute; dhcp; } protocols { ospf3; } } interfaces { reth0.30; } } security-zone LOOPBACK { host-inbound-traffic { system-services { ssh; netconf; ping; snmp; traceroute; dhcp; } protocols { ospf3; } } interfaces { lo0.0; } } } } interfaces { et-1/0/0 { description "G: r1.tele et-4/0/3 (ae999)"; gigether-options { redundant-parent reth0; } } et-1/0/2 { description "X: fab0"; } et-1/0/3 { description "X: fab0"; } et-8/0/0 { description "G: r1.tele et-5/0/3 (ae999)"; gigether-options { redundant-parent reth0; } } et-8/0/2 { description "X: fab1"; } et-8/0/3 { description "X: fab1"; } fab0 { description "X: fab0"; fabric-options { member-interfaces { et-1/0/2; et-1/0/3; } } } fab1 { description "X: fab1"; fabric-options { member-interfaces { et-8/0/2; et-8/0/3; } } } lo0 { description "X: Loopback"; unit 0 { family inet { address 127.0.0.1/32; address 185.110.148.2/32 { primary; preferred; } } family inet6 { address ::1/128; address 2a06:5841:f:a::2/128 { primary; preferred; } } } } reth0 { description "B: r1.tele ae5"; vlan-tagging; redundant-ether-options { redundancy-group 1; } unit 10 { description INET; vlan-id 10; family inet { address 185.110.148.163/31; } family inet6 { address 2a06:5841:f:101::1/127; } } unit 20 { description NAT-WIFI; vlan-id 20; family inet { address 185.110.148.165/31; } family inet6 { address 2a06:5841:f:101::3/127; } } unit 30 { description NAT-LAN; vlan-id 30; family inet { address 185.110.148.167/31; } family inet6 { address 2a06:5841:f:101::5/127; } } } } snmp { contact ""; community { authorization read-only; client-list-name mgmt; } } forwarding-options { dhcp-relay { dhcpv6 { overrides { allow-snooped-clients; } group all-networks { inactive: active-server-group v6-dhcp; route-suppression access-internal; interface reth0.20; interface reth0.30; } server-group { v6-dhcp { 2a06:5841:f:d::98; } } } server-group { v4-dhcp { 185.110.148.98; } } group all-networks { inactive: active-server-group v4-dhcp; inactive: overrides { ## ## Warning: statement ignored: unsupported platform (srx4600) ## allow-snooped-clients; trust-option-82; } route-suppression { access-internal; } interface reth0.20; interface reth0.30; } } } policy-options { prefix-list mgmt-v4 { } prefix-list mgmt-v6 { } /* Merged separate v4- og v6-lister */ prefix-list mgmt { apply-path "policy-options prefix-list <*>"; } policy-statement v4-from-direct-to-ospf { from protocol direct; then accept; } policy-statement v6-from-direct-to-ospf { from protocol direct; then accept; } } protocols { ospf3 { realm ipv4-unicast { area 0.0.0.0 { interface reth0.10; interface lo0.0 { passive; } interface reth0.30; interface reth0.20; } export v4-from-direct-to-ospf; reference-bandwidth 1000g; } area 0.0.0.0 { interface reth0.10; interface lo0.0 { passive; } interface reth0.20; interface reth0.30; } export v6-from-direct-to-ospf; } lldp { port-id-subtype interface-name; port-description-type interface-description; interface all; } }