

Configuration of the Firewall1 router (NetScreen/ScreenOS-style CLI syntax). Reviewer note: this dump contains the stored admin password string (line 19); telnet and web (HTTP) management are enabled on bgroup0.2, an interface placed in the "Untrust" zone (lines 50, 87–88), with admin access limited only by the manager-ip restriction to 10.40.1.0/24 on line 20; and SNMP is configured with the default read-only community "public" over version v1 (lines 207–208). Also note that bgroup2.1 and bgroup0.2 advertise IPv6 RA prefixes (lines 99, 104–105) that belong to other interfaces' subnets (lines 61, 69), which looks like a misconfiguration worth confirming.

1set clock timezone 1
2set vrouter trust-vr sharable
3set vrouter "untrust-vr"
4exit
5set vrouter "trust-vr"
6unset auto-route-export
7set protocol ospf
8set enable
9set advertise-def-route metric 1 metric-type 1
10set reject-default-route
11exit
12exit
13set service "HTTP-PROXY" protocol tcp src-port 0-65535 dst-port 8080-8080
14set auth-server "Local" id 0
15set auth-server "Local" server-name "Local"
16set auth default auth server "Local"
17set auth radius accounting port 1646
18set admin name "admin"
19set admin password "nO1CGHrlLNQGcmMEDsjLaJOt8VPYtn"
20set admin manager-ip 10.40.1.21 255.255.255.0
21set admin auth timeout 10
22set admin auth server "Local"
23set admin format dos
24set vip multi-port
25set zone "Trust" vrouter "trust-vr"
26set zone "Untrust" vrouter "trust-vr"
27set zone "DMZ" vrouter "trust-vr"
28set zone "VLAN" vrouter "trust-vr"
29set zone "Untrust-Tun" vrouter "trust-vr"
30set zone "Trust" tcp-rst
31set zone "Untrust" block
32unset zone "Untrust" tcp-rst
33set zone "DMZ" tcp-rst
34set zone "VLAN" block
35unset zone "VLAN" tcp-rst
36set zone "Untrust" screen tear-drop
37set zone "Untrust" screen syn-flood
38set zone "Untrust" screen ping-death
39set zone "Untrust" screen ip-filter-src
40set zone "Untrust" screen land
41set zone "V1-Untrust" screen tear-drop
42set zone "V1-Untrust" screen syn-flood
43set zone "V1-Untrust" screen ping-death
44set zone "V1-Untrust" screen ip-filter-src
45set zone "V1-Untrust" screen land
46set interface "ethernet0/0" zone "Null"
47set interface "ethernet0/1" zone "Null"
48set interface "bgroup0" zone "Null"
49set interface "bgroup0.1" tag 340 zone "Untrust"
50set interface "bgroup0.2" tag 2 zone "Untrust"
51set interface "bgroup1.1" tag 441 zone "DMZ"
52set interface "bgroup2" zone "Trust"
53set interface "bgroup2.1" tag 442 zone "Trust"
54set interface "bgroup3" zone "Trust"
55set interface bgroup0 port ethernet0/0
56set interface bgroup1 port ethernet0/1
57set interface bgroup2 port ethernet0/2
58unset interface vlan1 ip
59set interface bgroup0.1 ip 10.30.0.6/30
60set interface "bgroup0.1" ipv6 mode "router"
61set interface "bgroup0.1" ipv6 ip 2001:db8:3:340::6/64
62set interface "bgroup0.1" ipv6 enable
63set interface bgroup0.1 route
64set interface bgroup0.2 ip 10.40.130.254/24
65set interface "bgroup0.2" ipv6 mode "router"
66set interface bgroup0.2 route
67set interface bgroup1.1 ip 10.40.2.1/24
68set interface "bgroup1.1" ipv6 mode "router"
69set interface "bgroup1.1" ipv6 ip 2001:db8:4:441::1/64
70set interface "bgroup1.1" ipv6 enable
71set interface bgroup1.1 route
72set interface bgroup2.1 ip 10.40.30.2/30
73set interface "bgroup2.1" ipv6 mode "router"
74set interface "bgroup2.1" ipv6 ip 2001:db8:4:442::2/64
75set interface "bgroup2.1" ipv6 enable
76set interface bgroup2.1 nat
77set interface "bgroup0.1" pmtu ipv4
78unset interface vlan1 bypass-others-ipsec
79unset interface vlan1 bypass-non-ip
80unset interface bgroup0.1 ip manageable
81set interface bgroup0.2 ip manageable
82set interface bgroup1.1 ip manageable
83set interface bgroup2.1 ip manageable
84set interface bgroup0.1 manage ping
85set interface bgroup0.1 manage ident-reset
86set interface bgroup0.2 manage ping
87set interface bgroup0.2 manage telnet
88set interface bgroup0.2 manage web
89unset interface bgroup2 manage ping
90unset interface bgroup2 manage ssh
91unset interface bgroup2 manage telnet
92unset interface bgroup2 manage snmp
93unset interface bgroup2 manage ssl
94unset interface bgroup2 manage web
95unset interface bgroup2.1 manage ssh
96unset interface bgroup2.1 manage snmp
97unset interface bgroup2.1 manage ssl
98set interface bgroup0.1 ipv6 ra link-address
99set interface bgroup0.2 ipv6 ra prefix 2001:db8:3:340::/64 autonomous onlink
100set interface bgroup0.2 ipv6 ra link-address
101set interface bgroup1.1 ipv6 ra prefix 2001:db8:4:441::/64 autonomous onlink
102unset interface bgroup1.1 ipv6 ra link-address
103set interface bgroup1.1 ipv6 ra transmit
104set interface bgroup2.1 ipv6 ra prefix 2001:db8:4:441::/64 autonomous onlink
105set interface bgroup2.1 ipv6 ra prefix 2001:db8:3:340::/64 autonomous onlink
106set interface bgroup2.1 ipv6 ra link-address
107set interface bgroup2.1 ipv6 ra other
108set interface bgroup2.1 ipv6 ra managed
109set interface bgroup2.1 ipv6 ra transmit
110set interface bgroup0.1 ipv6 nd nud
111set interface bgroup0.2 ipv6 nd nud
112set interface bgroup1.1 ipv6 nd nud
113set interface bgroup2.1 ipv6 nd nud
114set interface bgroup0.2 dip interface-ip incoming
115set interface bgroup1.1 dip interface-ip incoming
116set interface "serial0/0" modem settings "USR" init "AT&F"
117set interface "serial0/0" modem settings "USR" active
118set interface "serial0/0" modem speed 115200
119set interface "serial0/0" modem retry 3
120set interface "serial0/0" modem interval 10
121set interface "serial0/0" modem idle-time 10
122set flow tcp-mss
123unset flow no-tcp-seq-check
124set flow tcp-syn-check
125set hostname firewall1
126set pki authority default scep mode "auto"
127set pki x509 default cert-path partial
128set ike respond-bad-spi 1
129unset ike ikeid-enumeration
130unset ipsec access-session enable
131set ipsec access-session maximum 5000
132set ipsec access-session upper-threshold 0
133set ipsec access-session lower-threshold 0
134set ipsec access-session dead-p2-sa-timeout 0
135unset ipsec access-session log-error
136unset ipsec access-session info-exch-connected
137unset ipsec access-session use-error-log
138set url protocol websense
139exit
140set policy id 1 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY" permit
141set policy id 1
142exit
143set policy id 2 from "Trust" to "DMZ"  "Any-IPv4" "Any-IPv4" "ANY" permit
144set policy id 2
145exit
146set policy id 3 from "Untrust" to "Trust"  "Any-IPv4" "Any-IPv4" "ANY" deny
147set policy id 3
148exit
149set policy id 4 from "Untrust" to "DMZ"  "Any-IPv4" "Any-IPv4" "DNS" permit
150set policy id 4
151set service "HTTP"
152set service "NTP"
153set service "PING"
154set service "SSH"
155exit
156set policy id 5 from "DMZ" to "Untrust"  "Any-IPv4" "Any-IPv4" "DNS" permit
157set policy id 5
158set service "HTTP"
159set service "HTTP-PROXY"
160set service "NTP"
161set service "PING"
162exit
163set policy id 6 from "DMZ" to "Trust"  "Any-IPv4" "Any-IPv4" "DNS" permit
164set policy id 6
165set service "HTTP"
166set service "NTP"
167set service "PING"
168exit
169set policy id 7 from "Trust" to "DMZ"  "Any-IPv6" "Any-IPv6" "ANY" permit
170set policy id 7
171exit
172set policy id 8 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit
173set policy id 8
174exit
175set policy id 9 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" deny
176set policy id 9
177exit
178set policy id 10 from "Untrust" to "DMZ"  "Any-IPv6" "Any-IPv6" "DNS" permit
179set policy id 10
180set service "HTTP"
181set service "ICMP6-ANY"
182set service "NTP"
183exit
184set policy id 11 from "DMZ" to "Untrust"  "Any-IPv6" "Any-IPv6" "DNS" permit
185set policy id 11
186set service "HTTP"
187set service "ICMP6-ANY"
188set service "NTP"
189exit
190set policy id 12 from "DMZ" to "Trust"  "Any-IPv6" "Any-IPv6" "DNS" permit
191set policy id 12
192set service "HTTP"
193set service "ICMP6-ANY"
194set service "NTP"
195exit
196set policy id 13 from "DMZ" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY" permit
197set policy id 13 disable
198set policy id 13
199exit
200set monitor cpu 100
201set nsmgmt bulkcli reboot-timeout 60
202set ssh version v2
203set config lock timeout 5
204set ntp server "10.40.2.32"
205set ntp server backup1 "0.0.0.0"
206set ntp server backup2 "0.0.0.0"
207set snmp community "public" Read-Only Trap-on  traffic version v1
208set snmp host "public" 10.40.1.0 255.255.255.0
209set snmp name "firewall1"
210unset snmp auth-trap enable
211set snmp port listen 161
212set snmp port trap 162
213set vrouter "untrust-vr"
214exit
215set vrouter "trust-vr"
216set router-id 10.30.0.6
217set protocol bgp 65004
218set enable
219set neighbor 10.30.0.5 remote-as 65003
220set neighbor 10.30.0.5 enable
221set neighbor 10.30.0.5 send-community
222set network 10.40.2.0/24 weight 1 no-check
223 set network 10.40.1.0/24 weight 1 no-check
224 exit
225set access-list 1
226set route-map name "DMZ"
227unset add-default-route
228set route 0.0.0.0/0 interface bgroup0.1 gateway 10.30.0.5 preference 20
229set route 2001:db8:4:444::/64 interface bgroup2.1 gateway 2001:db8:4:442::1 preference 20
230set route 2001:db8:4:445::/64 interface bgroup2.1 gateway 2001:db8:4:442::1 preference 20
231set route ::/0 interface bgroup0.1 gateway 2001:db8:3:340::5 preference 20
232set protocol bgp
233set redistribute route-map "DMZ" protocol connected
234exit
235exit
236set interface bgroup0.1 protocol ospf area 0.0.0.0
237set interface bgroup0.1 protocol ospf passive
238set interface bgroup0.1 protocol ospf enable
239set interface bgroup0.1 protocol ospf cost 1
240set interface bgroup2.1 protocol ospf area 0.0.0.0
241set interface bgroup2.1 protocol ospf enable
242set interface bgroup2.1 protocol ospf cost 1
243set interface bgroup0.1 protocol bgp
244set interface bgroup1.1 protocol bgp
245set vrouter "untrust-vr"
246exit
247set vrouter "trust-vr"
248exit