
File as4-f2.conf, 7.6 KB (added by panhaleux, 14 years ago)

Configuration Firewall2

1set clock timezone 0
2set vrouter trust-vr sharable
3set vrouter "untrust-vr"
4exit
5set vrouter "trust-vr"
6unset auto-route-export
7set protocol ospf
8set enable
9set advertise-def-route metric 1 metric-type 1
10set reject-default-route
11exit
12exit
13set auth-server "Local" id 0
14set auth-server "Local" server-name "Local"
15set auth default auth server "Local"
16set auth radius accounting port 1646
17set admin name "admin"
18set admin password "nO1CGHrlLNQGcmMEDsjLaJOt8VPYtn"
19set admin manager-ip 10.40.1.21 255.255.255.0
20set admin auth timeout 10
21set admin auth server "Local"
22set admin format dos
23set zone "Trust" vrouter "trust-vr"
24set zone "Untrust" vrouter "trust-vr"
25set zone "DMZ" vrouter "trust-vr"
26set zone "VLAN" vrouter "trust-vr"
27set zone "Untrust-Tun" vrouter "trust-vr"
28set zone "Trust" tcp-rst
29set zone "Untrust" block
30unset zone "Untrust" tcp-rst
31set zone "DMZ" tcp-rst
32set zone "VLAN" block
33unset zone "VLAN" tcp-rst
34set zone "Untrust" screen tear-drop
35set zone "Untrust" screen syn-flood
36set zone "Untrust" screen ping-death
37set zone "Untrust" screen ip-filter-src
38set zone "Untrust" screen land
39set zone "V1-Untrust" screen tear-drop
40set zone "V1-Untrust" screen syn-flood
41set zone "V1-Untrust" screen ping-death
42set zone "V1-Untrust" screen ip-filter-src
43set zone "V1-Untrust" screen land
44set interface "ethernet0/0" zone "Null"
45set interface "ethernet0/1" zone "Null"
46set interface "bgroup0" zone "Null"
47set interface "bgroup0.1" tag 240 zone "Untrust"
48set interface "bgroup0.2" tag 2 zone "Untrust"
49set interface "bgroup1.1" tag 441 zone "DMZ"
50set interface "bgroup2.1" tag 443 zone "Trust"
51set interface bgroup0 port ethernet0/0
52set interface bgroup1 port ethernet0/1
53set interface bgroup2 port ethernet0/2
54unset interface vlan1 ip
55set interface bgroup0.1 ip 10.20.0.6/30
56set interface "bgroup0.1" ipv6 mode "host"
57set interface "bgroup0.1" ipv6 ip 2001:db8:2:240::6/64
58set interface "bgroup0.1" ipv6 enable
59set interface bgroup0.1 route
60set interface bgroup0.2 ip 10.40.130.253/24
61set interface "bgroup0.2" ipv6 mode "router"
62set interface bgroup0.2 route
63set interface bgroup1.1 ip 10.40.2.2/24
64set interface "bgroup1.1" ipv6 mode "router"
65set interface "bgroup1.1" ipv6 ip 2001:db8:4:441::2/64
66set interface "bgroup1.1" ipv6 enable
67set interface bgroup1.1 route
68set interface bgroup2.1 ip 10.40.30.6/30
69set interface "bgroup2.1" ipv6 mode "router"
70set interface "bgroup2.1" ipv6 ip 2001:db8:4:443::2/64
71set interface "bgroup2.1" ipv6 enable
72set interface bgroup2.1 nat
73set interface "bgroup0.1" pmtu ipv4
74unset interface vlan1 bypass-others-ipsec
75unset interface vlan1 bypass-non-ip
76unset interface bgroup0.1 ip manageable
77set interface bgroup0.2 ip manageable
78set interface bgroup1.1 ip manageable
79set interface bgroup2.1 ip manageable
80set interface bgroup0.1 manage ping
81set interface bgroup0.1 manage ident-reset
82set interface bgroup0.2 manage ping
83set interface bgroup0.2 manage telnet
84set interface bgroup0.2 manage web
85set interface bgroup1.1 manage telnet
86set interface bgroup0.1 ipv6 ra accept
87set interface bgroup0.2 ipv6 ra prefix ::/0 autonomous onlink
88set interface bgroup0.2 ipv6 ra link-address
89set interface bgroup1.1 ipv6 ra link-address
90set interface bgroup1.1 ipv6 ra transmit
91set interface bgroup2.1 ipv6 ra prefix 2001:db8:2:240::/64 autonomous onlink
92set interface bgroup2.1 ipv6 ra link-address
93set interface bgroup0.1 ipv6 nd nud
94set interface bgroup0.2 ipv6 nd nud
95set interface bgroup1.1 ipv6 nd nud
96set interface bgroup2.1 ipv6 nd nud
97set interface "serial0/0" modem settings "USR" init "AT&F"
98set interface "serial0/0" modem settings "USR" active
99set interface "serial0/0" modem speed 115200
100set interface "serial0/0" modem retry 3
101set interface "serial0/0" modem interval 10
102set interface "serial0/0" modem idle-time 10
103set flow tcp-mss
104unset flow no-tcp-seq-check
105set flow tcp-syn-check
106set hostname firewall2
107set pki authority default scep mode "auto"
108set pki x509 default cert-path partial
109set ike respond-bad-spi 1
110unset ike ikeid-enumeration
111unset ipsec access-session enable
112set ipsec access-session maximum 5000
113set ipsec access-session upper-threshold 0
114set ipsec access-session lower-threshold 0
115set ipsec access-session dead-p2-sa-timeout 0
116unset ipsec access-session log-error
117unset ipsec access-session info-exch-connected
118unset ipsec access-session use-error-log
119set url protocol websense
120exit
121set policy id 1 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY" permit
122set policy id 1
123exit
124set policy id 2 from "Trust" to "DMZ"  "Any-IPv4" "Any-IPv4" "ANY" permit
125set policy id 2
126exit
127set policy id 3 from "Untrust" to "DMZ"  "Any-IPv4" "Any-IPv4" "DNS" permit
128set policy id 3
129set service "HTTP"
130set service "NTP"
131set service "PING"
132exit
133set policy id 4 from "DMZ" to "Untrust"  "Any-IPv4" "Any-IPv4" "DNS" permit
134set policy id 4
135set service "HTTP"
136set service "NTP"
137set service "PING"
138exit
139set policy id 5 from "DMZ" to "Trust"  "Any-IPv4" "Any-IPv4" "DNS" permit
140set policy id 5
141set service "HTTP"
142set service "NTP"
143set service "PING"
144exit
145set policy id 6 from "Untrust" to "Trust"  "Any-IPv4" "Any-IPv4" "ANY" deny
146set policy id 6
147exit
148set policy id 7 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit
149set policy id 7
150exit
151set policy id 8 from "Trust" to "DMZ"  "Any-IPv6" "Any-IPv6" "ANY" permit
152set policy id 8
153exit
154set policy id 9 from "Untrust" to "DMZ"  "Any-IPv6" "Any-IPv6" "DNS" permit
155set policy id 9
156set service "HTTP"
157set service "ICMP6-ANY"
158set service "NTP"
159exit
160set policy id 10 from "DMZ" to "Untrust"  "Any-IPv6" "Any-IPv6" "DNS" permit
161set policy id 10
162set service "HTTP"
163set service "ICMP6-ANY"
164set service "NTP"
165set service "PINGv6"
166exit
167set policy id 11 from "DMZ" to "Trust"  "Any-IPv6" "Any-IPv6" "DNS" permit
168set policy id 11
169set service "HTTP"
170set service "ICMP6-ANY"
171set service "NTP"
172exit
173set policy id 12 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" deny
174set policy id 12
175exit
176set monitor cpu 100
177set nsmgmt bulkcli reboot-timeout 60
178set ssh version v2
179set config lock timeout 5
180set snmp community "public" Read-Only Trap-on  traffic version v1
181set snmp host "public" 10.40.1.0 255.255.255.0 src-interface bgroup2.1
182set snmp port listen 161
183set snmp port trap 162
184set vrouter "untrust-vr"
185exit
186set vrouter "trust-vr"
187set router-id 10.20.0.6
188set protocol bgp 65004
189set enable
190set neighbor 10.20.0.5 remote-as 65002
191set neighbor 10.20.0.5 enable
192set network 10.40.2.0/24 weight 1 no-check
193 set network 10.40.1.0/24 weight 1 no-check
194 exit
195unset add-default-route
196set route 0.0.0.0/0 interface null gateway 10.20.0.5 preference 20
197set route 2001:db8:4:444::/64 interface bgroup2.1 gateway 2001:db8:4:443::1 preference 20
198set route 2001:db8:4:445::/64 interface bgroup2.1 gateway 2001:db8:4:443::1 preference 20
199set route 2001:db8:3:340::/64 interface bgroup1.1 gateway 2001:db8:4:441::1 preference 20
200set route ::/0 interface bgroup0.1 gateway 2001:db8:2:240::5 preference 20
201exit
202set interface bgroup0.2 protocol ospf area 0.0.0.0
203set interface bgroup0.2 protocol ospf enable
204set interface bgroup0.2 protocol ospf retransmit-interval 5
205set interface bgroup0.2 protocol ospf cost 1
206set interface bgroup1.1 protocol ospf area 0.0.0.0
207set interface bgroup1.1 protocol ospf enable
208set interface bgroup1.1 protocol ospf cost 1
209set interface bgroup2.1 protocol ospf area 0.0.0.0
210set interface bgroup2.1 protocol ospf enable
211set interface bgroup2.1 protocol ospf retransmit-interval 5
212set interface bgroup2.1 protocol ospf cost 1
213set interface bgroup0.1 protocol bgp
214set vrouter "untrust-vr"
215exit
216set vrouter "trust-vr"
217exit