{primary:node1}
# The line above is the CLI banner of the cluster node the listing was taken
# from; it is not a configuration statement. Passwords and public addresses
# in this listing appear to be redacted ("jibberish", X.X.X.X).
version 12.1X44-D35.5;

# Per-node settings for the two chassis-cluster members. Each node gets its
# own host-name and its own fxp0 address on 10.2.2.0/24, the same subnet as
# the LAN interface reth1.
groups {
    node0 {
        system {
            host-name host0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.2.2.250/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name host1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.2.2.251/24;
                    }
                }
            }
        }
    }
}
# Each node applies only the group that matches its own node name.
apply-groups "${node}";

system {
    root-authentication {
        encrypted-password "jibberish"; ## SECRET-DATA
    }
    name-server {
        10.2.2.53;
        8.8.8.8;
    }
    login {
        # NOTE(review): a shared, generically named account in class
        # super-user has full control of the device and gives no per-person
        # attribution in the logs. Named accounts with the narrowest login
        # class that works are easier to audit.
        user annonymous {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "jibberish"; ## SECRET-DATA
            }
        }
    }
    services {
        # NOTE(review): ssh is enabled with defaults only; no root-login or
        # rate-limit/connection-limit options are set in this listing.
        ssh;
        web-management {
            # NOTE(review): J-Web over cleartext HTTP is bound to the same
            # interfaces as HTTPS, including the WAN-facing reth0.0. The
            # Untrusted zone below admits only https and ping, but the
            # Trusted zone admits all services, so credentials can cross the
            # LAN unencrypted. Dropping the http stanza removes that path.
            http {
                interface [ reth0.0 reth1.0 fxp1.0 fxp2.0 ];
            }
            # HTTPS uses the device's self-generated certificate, so clients
            # have no CA chain to validate against.
            https {
                system-generated-certificate;
                interface [ reth0.0 reth1.0 fxp1.0 fxp2.0 ];
            }
        }
    }
    # Logging is local only: emergencies to all logged-in users, critical
    # events and authorization info to "messages", and failed interactive
    # commands to "interactive-commands".
    # NOTE(review): no remote syslog host is configured, and the archive
    # keeps 3 files of 100k, so history available for an investigation is
    # short and lives only on the device.
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}

# Two-node chassis cluster with two redundant Ethernet interfaces. node 0
# has the higher priority in both redundancy groups.
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}

interfaces {
    # Physical members: port 4 on each node backs reth0, port 5 backs reth1.
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    # Fabric links between the two nodes.
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
    # reth0 is the WAN side, reth1 the LAN side; both follow redundancy-group 1.
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description WAN;
            family inet {
                address X.X.X.X/X;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description LAN;
            family inet {
                address 10.2.2.254/24;
            }
        }
    }
    # Tunnel interface for the VPN zone.
    # NOTE(review): no ike/ipsec stanza is visible in this listing, so
    # nothing shown here binds a tunnel to st0.0; the listing may be
    # incomplete.
    st0 {
        unit 0 {
            description "SBC - VPN";
            family inet;
            family inet6;
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 next-hop X.X.X.X/X;
    }
}

protocols {
    stp;
}

security {
    nat {
        # Interface-based source NAT for everything going from Trusted to
        # Untrusted; the match is any source address (0.0.0.0/0).
        source {
            rule-set LAN_To_WAN {
                from zone Trusted;
                to zone Untrusted;
                rule LAN_To_Internet {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        # The device answers ARP on the WAN interface for the listed
        # (redacted) addresses.
        proxy-arp {
            interface reth0.0 {
                address {
                    X.X.X.X/32 X.X.X.X/32
                }
            }
        }
    }
    # NOTE(review): no "policies" stanza is visible under security. Unless
    # the listing is truncated, no inter-zone policy is defined here and
    # transit traffic falls to the default policy - confirm against the
    # full configuration.
    zones {
        # NOTE(review): "all" lets every system service on the device be
        # reached from the LAN. Listing only the services in use (for
        # example ssh, https, ping) narrows the management surface.
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        # NOTE(review): https host-inbound on the WAN zone, together with
        # web-management bound to reth0.0, makes the J-Web login reachable
        # from the Internet side. If remote administration is required,
        # restricting it to the VPN or to known source addresses is the
        # usual mitigation.
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    https;
                    ping;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        # NOTE(review): the VPN zone also admits all system services; the
        # same narrowing as for Trusted applies.
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}