## Last changed: 2013-10-11 15:09:30 PDT
/* REVIEW: Junos 11.2R2.4 is a 2011-era release and, as far as I know, long past end of support; confirm it still receives security fixes or plan an upgrade. */
version 11.2R2.4;
system {
    services {
        /* REVIEW: root-login allow permits direct root logins over SSH. Junos also accepts root-login deny or deny-password; using one of them and logging in as named users keeps the "authorization info" syslog entries below attributable to a person. */
        ssh {
            root-login allow;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
        /* REVIEW: cleartext HTTP management is enabled on five interfaces (one more than HTTPS: ge-2/0/3.0 has http only), and HTTPS relies on a system-generated self-signed certificate. Consider removing the http stanza and limiting https to the management-facing interfaces. */
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-2/0/3.0 ge-2/0/2.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-2/0/2.0 ];
            }
        }
    }
    /* REVIEW: logs are only kept locally (file messages / file interactive-commands); no remote syslog host is configured here, so logs do not survive a device compromise or reset. A host stanza under syslog would forward them to a collector. */
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* REVIEW: both NTP servers are unauthenticated external hosts; time is an input to log correlation and certificate validation, so consider NTP authentication if the peers support it. */
    ntp {
        server 50.116.38.157 version 4;
        server 173.255.224.22 version 4;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
}
interfaces {
    interface-range access-ports {
        member ge-2/0/5;
        member ge-2/0/8;
        member ge-2/0/22;
        member-range ge-2/0/12 to ge-2/0/15;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0;
    }
    /* REVIEW: GRE carries traffic in cleartext with no peer authentication; the only protection on these tunnels is the tunnel-inbound input filter, so its default term matters (it discards, see firewall below). */
    gr-0/0/0 {
        unit 1 {
            description juniper_gal1;
            tunnel {
                source 208.34.20.111;#juniper - this works
                destination 206.71.58.4;
            }
            family inet {
                filter {
                    input tunnel-inbound;
                }
                /* REVIEW: 10.0.0.6 is also the address of gre.0 (as 10.0.0.6/30); confirm the overlap is intended. */
                address 10.0.0.6/32;
            }
        }
        /* REVIEW: the author's own note says this unit does not work; a dead tunnel with an inbound filter still consumes filter/route state - consider deactivating or removing it. */
        unit 3 {
            description tun_39649;
            tunnel {
                source 208.34.20.4;
                # To our internal server. Does not work
                destination 46.108.224.162;
            }
            family inet {
                filter {
                    input tunnel-inbound;
                }
                address 10.0.0.8/32;
            }
        }
    }
    ge-0/0/1 {
        unit 0;
    }
    ge-0/0/2 {
        unit 0;
    }
    ge-0/0/3 {
        unit 0;
    }
    ge-2/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/2 {
        description w1;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/3 {
        description sm1;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/4 {
        description esxi10_p1p2;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/6 {
        description sm4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/7 {
        description sm5;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/9 {
        description sm13_p1p1;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/10 {
        description sm13_p1p2;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/11 {
        description sm14;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/16 {
        description "Cisco 3750G Stack - GigabitEthernet1/0/12";
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-2/0/17 {
        description "Cisco 3750G Stack - GigabitEthernet1/0/17";
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-2/0/18 {
        description "Cisco 3750G Stack - GigabitEthernet1/0/21";
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-2/0/19 {
        description "Cisco 3750G Stack - GigabitEthernet1/0/23";
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-2/0/20 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    ge-2/0/21 {
        description core2;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    /* REVIEW: this is the Internet-facing uplink and has no input filter of its own; the vpn and vlan filters defined under firewall are not bound to any interface visible in this capture - confirm where (if anywhere) they are applied. */
    ge-2/0/23 {
        description "Broadcloud Uplink";
        enable;
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            proxy-arp restricted;
            family inet {
                address 207.246.237.230/30;
            }
        }
    }
    xe-6/0/0 {
        media-type fiber;
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-oldswitch2;
                }
            }
        }
    }
    gre {
        unit 0 {
            description new_galaxy2;
            tunnel {
                source 208.34.20.4;
                destination 208.96.166.4;
                routing-instance {
                    destination route;
                }
            }
            family inet {
                filter {
                    input tunnel-inbound;
                }
                /* REVIEW: overlaps gr-0/0/0.1's 10.0.0.6/32 - see note there. */
                address 10.0.0.6/30;
            }
        }
    }
    vlan {
        unit 3 {
            proxy-arp restricted;
            family inet {
                address 38.96.0.1/24;
                address 209.234.134.1/24;
            }
        }
        unit 5 {
            proxy-arp restricted;
            family inet {
                address 208.34.20.111/24;
            }
            family inet6 {
                address fdf7:111c:0762:7ae2::1/64;
            }
        }
    }
}
/* REVIEW: an SNMPv2c community string is a cleartext credential on the wire and in every copy of this file; read-only access and the single-client /32 restriction limit the blast radius, but SNMPv3 with authentication and privacy removes the shared secret. Rotate the community if this configuration has been shared. */
snmp {
    location S1-F1-R02-C08-RR17;
    community sfga5eye6tha323r {
        authorization read-only;
        clients {
            208.34.20.43/32;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet src-route-targets;
    }
    rib inet6.0 {
        static {
            route 2a03:60c0::/32 next-hop fdf7:111c:762:7ae2::8;
            route 2a03:60c0:f000::/36 next-hop fdf7:111c:0762:7ae2::7;
            route 2a04:2a40::/32 next-hop fdf7:111c:0762:7ae2::2;
            route ::0/0 next-hop 2001:4870:a282:5::1;
            route 2a02:2518:f000::/36 next-hop fdf7:111c:0762:7ae2::2;
            route 2a03:60c0::/33 next-hop fdf7:111c:0762:7ae2::2;
            route 2001:1638:4000::/34 next-hop fdf7:111c:0762:7ae2::8;
            route 2001:1638::/34 next-hop fdf7:111c:0762:7ae2::2;
            route 2407:cd00::/32 next-hop fdf7:111c:0762:7ae2::7;
            route 2803:1c00::0/32 next-hop fdf7:111c:0762:7ae2::2;
            route 2a00:c8a0::0/32 next-hop fdf7:111c:0762:7ae2::2;
        }
    }
    static {
        /* REVIEW: 10.0.208.1 is not in any directly connected subnet shown here; the route may resolve recursively, but confirm it is still reachable. */
        route 10.0.208.0/24 next-hop 10.0.208.1;
        route 0.0.0.0/0 {
            next-hop 207.246.237.229;
            preference 100;
        }
        route 209.234.134.0/24 next-hop 209.234.134.1;
        /* REVIEW: 207.246.237.230 is this device's own uplink address; a static route for it pointing at the upstream looks unusual - presumably intended for rib-group leaking, verify. */
        route 207.246.237.230/32 next-hop 207.246.237.229;
        route 208.34.20.0/24 next-hop 208.34.20.1;
        route 206.71.58.0/24 next-hop 208.34.20.43;
        route 188.211.64.0/24 next-hop 208.34.20.66;
        route 188.211.65.0/24 next-hop 208.34.20.66;
        route 188.211.66.0/24 next-hop 208.34.20.66;
        route 188.211.67.0/24 next-hop 208.34.20.66;
        route 188.211.68.0/24 next-hop 208.34.20.65;
        route 188.211.69.0/24 next-hop 208.34.20.65;
        route 188.211.70.0/24 next-hop 208.34.20.65;
        route 188.211.71.0/24 next-hop 208.34.20.65;
        route 188.211.72.0/24 next-hop 208.34.20.65;
        route 188.211.73.0/24 next-hop 208.34.20.65;
        route 67.216.211.0/24 next-hop 208.34.20.81;
    }
    rib-groups {
        src-route-targets {
            import-rib [ inet.0 w1.inet.0 w2.inet.0 w3.inet.0 w4.inet.0 w5.inet.0 sm1.inet.0 route.inet.0 sm2.inet.0 sm3.inet.0 sm4.inet.0 sm5.inet.0 db.inet.0 sm6.inet.0 sm7.inet.0 sm11.inet.0 pdns.inet.0 sm12.inet.0 sm15.inet.0 sm16.inet.0 ];
        }
    }
}
protocols {
    stp {
        interface ge-2/0/1.0 {
            disable;
        }
        interface ge-2/0/2.0 {
            disable;
        }
        interface ge-2/0/3.0 {
            disable;
        }
    }
}
/* REVIEW: the firewall filters below reference prefix-lists that are not defined in this stanza (charter, windstream, q, suddenlink, verizon, roadrunner, apple, mail-prefix, web-prefix, lockdown, protect-web). The nameless entries such as "prefix-list 76.84.0.0/15;" look like members of a list whose name was lost when this file was captured; reconcile against the running configuration before relying on this copy. */
policy-options {
    prefix-list comcast {
        68.87.26.147/32;
        76.96.40.147/32;
    }
    prefix-list cox {
        68.1.17.3/32;
        68.6.19.3/32;
    }
    /* REVIEW: 1.2.3.4/32 appears in bounce-prefix, allow-all and dns-prefix and looks like a placeholder that was never replaced; confirm or remove. */
    prefix-list bounce-prefix {
        1.2.3.4/32;
        64.17.34.0/24;
        64.17.40.0/24;
        64.17.42.0/24;
        67.216.207.0/24;
        69.58.12.0/24;
        173.244.144.0/24;
        208.113.79.0/24;
    }
    prefix-list 76.84.0.0/15;
    prefix-list 75.180.128.0/19;
    prefix-list 71.74.48.0/20;
    prefix-list 24.93.0.0/16;
    prefix-list 24.28.0.0/15;
    prefix-list sbc {
        98.136.217.192/32;
        98.138.206.39/32;
    }
    /* REVIEW: everything destined to these RFC1918 hosts is accepted on the tunnel filter regardless of port (term allow-all); keep this list as small as possible. */
    prefix-list allow-all {
        1.2.3.4/32;
        10.0.0.206/32;
        10.0.4.1/32;
        10.0.4.2/32;
        10.200.100.0/24;
        10.200.200.0/24;
        10.202.100.1/32;
        10.202.100.2/32;
        10.205.100.0/24;
        10.205.100.2/32;
    }
    /* REVIEW: empty prefix-list; bandwidth-test-prefix and test-prefix are matched by tunnel-inbound terms. Confirm how this release treats an empty list in a from clause (match nothing vs. condition ignored) - if ignored, term route-speedtest becomes a broad source-port 80 match. */
    prefix-list bandwidth-test-prefix;
    prefix-list directly-announced-mail-ips {
        142.147.0.0/16;
        149.118.0.0/16;
    }
    prefix-list 208.117.36.146;
    prefix-list 128.199.0.0/16;
    prefix-list att {
        12.102.252.75/32;
        204.127.208.75/32;
        204.127.217.21/32;
    }
    prefix-list bellsouth {
        204.127.217.16/32;
        207.115.11.16/32;
    }
    prefix-list test-prefix;
    prefix-list dns-prefix {
        1.2.3.4/32;
        67.229.97.0/24;
    }
}
/* REVIEW: only one security zone (TunnelZone, holding gre.0) and no security policies are visible here, while family inet is not set to packet-based; either the policies and zone memberships live outside this capture or inet transit through the other interfaces is being dropped. Verify against the device. */
security {
    ssh-known-hosts {
        host 208.34.20.93 {
            rsa-key AAAAB3NzaC1yc2EAAAABIwAAAQEAn8IbCJ2oZARuE4aDD0Fi2jx5plI5rwifR2HD5FFQ779jLdnkBizYNgd0eZpWPOOseWbbELKlq4M3nCevRfuo6unoEJF2UOzO9tMXaVyVCf2zoPOyMJl5F/iIowRkCYKEcKyPPcOztp/pS2aUhcf9wi5UbRBZWFo1P9IdvDlw5uUfunoXsFhdh6N6jFkmHlt4vWeuRx6u9uzdItbm7DC4mGmtbqRLq82HbBWWiuo8QBKpwquYn2V7hApbDs7GQAhW1pNQehUTX2b/rAH/6Kr0BRZGoh0mszMuYdBwwBjlFdbqxIQ3HEc+v6wi2v/sfheR528+Ds5P1EMaA4SzMQRPtQ==;
        }
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
    zones {
        security-zone TunnelZone {
            interfaces {
                gre.0;
            }
        }
    }
}
firewall {
    family inet {
        /* REVIEW: filter sources is not applied to any interface in this capture. Its port terms (and most port terms in the other filters) do not pin protocol tcp/udp; add a protocol match so the port comparison is only made against a real transport header. */
        filter sources {
            term comcast {
                from {
                    source-prefix-list {
                        comcast;
                        cox;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm1;
                }
            }
            term default {
                then accept;
            }
        }
        /* REVIEW: this is the only filter bound to an interface here (gr-0/0/0.1, gr-0/0/0.3, gre.0). Its policy is mostly steered by the peer's source port, which the remote side chooses; the accept terms keyed on destination prefix (bounce, mail, web, dns, allow-all) are the ones that actually bound exposure. */
        filter tunnel-inbound {
            /* REVIEW: a TEMPORARY accept-all from 10.87.5.0/24 in a config last changed in 2013; annotate with an owner and expiry, or remove it. */
            term TEMPORARY {
                from {
                    source-address {
                        10.87.5.0/24;
                    }
                }
                then accept;
            }
            term test-pdns {
                from {
                    destination-prefix-list {
                        test-prefix;
                    }
                }
                then {
                    routing-instance pdns;
                }
            }
            term hotmail-mail {
                from {
                    source-port 25;
                    destination-port 1-3071;
                }
                then {
                    routing-instance sm3;
                }
            }
            term aolserver2-mail {
                from {
                    source-port 25;
                    destination-port 3072-6143;
                }
                then {
                    routing-instance sm11;
                }
            }
            term route-test {
                from {
                    source-port 25;
                    destination-port 6144-10240;
                }
                then {
                    routing-instance route;
                }
            }
            term route-speedtest {
                from {
                    source-prefix-list {
                        bandwidth-test-prefix;
                    }
                    source-port 80;
                    destination-port 6144-10240;
                }
                then {
                    routing-instance route;
                }
            }
            term att {
                from {
                    source-prefix-list {
                        att;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w5;
                }
            }
            term bellsouth {
                from {
                    source-prefix-list {
                        bellsouth;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w5;
                }
            }
            /* REVIEW: charter, windstream, q, suddenlink, verizon, roadrunner and apple are not defined under policy-options in this capture (see note there). */
            term charter {
                from {
                    source-prefix-list {
                        charter;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm1;
                }
            }
            term windstream {
                from {
                    source-prefix-list {
                        windstream;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w1;
                }
            }
            term q {
                from {
                    source-prefix-list {
                        q;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w3;
                }
            }
            term suddenlink {
                from {
                    source-prefix-list {
                        suddenlink;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w3;
                }
            }
            term cox-server1 {
                from {
                    source-prefix-list {
                        cox;
                    }
                    source-port 25;
                    destination-port 10240-32554;
                }
                then {
                    routing-instance sm6;
                }
            }
            term cox-server2 {
                from {
                    source-prefix-list {
                        cox;
                    }
                    source-port 25;
                    destination-port 32555-65535;
                }
                then {
                    routing-instance sm6;
                }
            }
            term verizon-server1 {
                from {
                    source-prefix-list {
                        verizon;
                    }
                    source-port 25;
                    destination-port 10240-32554;
                }
                then {
                    routing-instance sm1;
                }
            }
            term verizon-server2 {
                from {
                    source-prefix-list {
                        verizon;
                    }
                    source-port 25;
                    destination-port 32555-65535;
                }
                then {
                    routing-instance sm6;
                }
            }
            term roadrunner-server1 {
                from {
                    source-prefix-list {
                        roadrunner;
                    }
                    source-port 25;
                    destination-port 10240-32554;
                }
                then {
                    routing-instance sm1;
                }
            }
            term roadrunner-server2 {
                from {
                    source-prefix-list {
                        roadrunner;
                    }
                    source-port 25;
                    destination-port 32555-65535;
                }
                then {
                    routing-instance sm7;
                }
            }
            term comcast-server1 {
                from {
                    source-prefix-list {
                        comcast;
                    }
                    source-port 25;
                    destination-port 10240-32554;
                }
                then {
                    routing-instance sm2;
                }
            }
            term comcast-server2 {
                from {
                    source-prefix-list {
                        comcast;
                    }
                    source-port 25;
                    destination-port 32555-65535;
                }
                then {
                    routing-instance sm6;
                }
            }
            term apple {
                from {
                    source-prefix-list {
                        apple;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w2;
                }
            }
            term bounce-traffic {
                from {
                    destination-prefix-list {
                        bounce-prefix;
                    }
                    destination-port 25;
                }
                then accept;
            }
            term mail-traffic {
                from {
                    destination-prefix-list {
                        mail-prefix;
                    }
                    source-port 25;
                }
                then accept;
            }
            term web-traffic {
                from {
                    destination-prefix-list {
                        web-prefix;
                    }
                    destination-port 80;
                }
                then accept;
            }
            term dns-traffic {
                from {
                    destination-prefix-list {
                        dns-prefix;
                    }
                    destination-port 53;
                }
                then accept;
            }
            term bandwidth-test-traffic {
                from {
                    destination-prefix-list {
                        bandwidth-test-prefix;
                    }
                    source-port 80;
                }
                then accept;
            }
            term allow-all {
                from {
                    destination-prefix-list {
                        allow-all;
                    }
                }
                then accept;
            }
            /* REVIEW: destination-port 9217-12287 overlaps the 10240-32554 ranges used by the *-server1 terms above; because earlier terms win, this term only sees packets those did not claim - confirm the ordering is intended. */
            term aolserver3-mail {
                from {
                    source-port 25;
                    destination-port 9217-12287;
                }
                then {
                    routing-instance sm16;
                }
            }
            term hotmailserver1-mail {
                from {
                    source-port 25;
                    destination-port 6145-9216;
                }
                then {
                    routing-instance sm15;
                }
            }
            /* Default-deny on the tunnels: anything not matched above is silently discarded. */
            term default {
                then {
                    discard;
                }
            }
        }
        /* REVIEW: filter vlan is not applied to vlan.3 or vlan.5 in this capture; if it is meant to protect the mail ranges it must be bound as an input filter somewhere. Its default term accepts. */
        filter vlan {
            /* REVIEW: ad-hoc block list; record date and reason so it can be reviewed rather than kept forever. */
            term attack {
                from {
                    source-address {
                        202.82.173.85/32;
                        38.78.196.0/22;
                    }
                }
                then {
                    discard;
                }
            }
            term accept-vz {
                from {
                    source-prefix-list {
                        verizon;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm6;
                }
            }
            term accept-cc {
                from {
                    source-prefix-list {
                        comcast;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm2;
                }
            }
            term accept-ch {
                from {
                    source-prefix-list {
                        charter;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm1;
                }
            }
            term accept-rr {
                from {
                    source-prefix-list {
                        roadrunner;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm7;
                }
            }
            term accept-sl {
                from {
                    source-prefix-list {
                        suddenlink;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance w3;
                }
            }
            term accept-cx {
                from {
                    source-prefix-list {
                        cox;
                    }
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then {
                    routing-instance sm5;
                }
            }
            term accept-dnstraffic {
                from {
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    destination-port 53;
                }
                then accept;
            }
            term accept-remaindermailtraffic {
                from {
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                    source-port 25;
                }
                then accept;
            }
            term accept-webtraffic {
                from {
                    destination-prefix-list {
                        web-prefix;
                    }
                    destination-port 80;
                }
                then {
                    routing-instance db;
                }
            }
            term drop-remaindermailiptraffic {
                from {
                    destination-prefix-list {
                        directly-announced-mail-ips;
                    }
                }
                then {
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
        /* REVIEW: filter vpn is not bound to any interface visible here. Its first two terms (TEMPORARY, mysql_master) accept all traffic from a single source before any of the port restrictions below are evaluated; give them an owner/expiry, and narrow mysql_master to the ports the replication actually needs. */
        filter vpn {
            term TEMPORARY {
                from {
                    source-address {
                        184.188.176.163/32;
                    }
                    destination-address {
                        38.96.0.0/24;
                    }
                }
                then accept;
            }
            term mysql_master {
                from {
                    source-address {
                        173.1.179.9/32;
                    }
                }
                then accept;
            }
            term vpn_traffic {
                from {
                    destination-address {
                        208.34.20.112/32;
                    }
                    protocol esp;
                }
                then accept;
            }
            term vpn_traffic2 {
                from {
                    destination-address {
                        208.34.20.112/32;
                    }
                    destination-port [ 500 4500 1194 443 ];
                }
                then accept;
            }
            term vpn_traffic3 {
                from {
                    destination-address {
                        208.34.20.112/32;
                    }
                }
                then {
                    discard;
                }
            }
            /* REVIEW: source-port-except is a weak gate: the remote host picks its own source port, so this only constrains well-behaved clients. Restrict the lockdown prefixes by destination port and/or source address instead. Also, 442 next to 443 may be a typo. */
            term lockdown {
                from {
                    destination-prefix-list {
                        lockdown;
                    }
                    source-port-except [ 53 80 442 443 ];
                }
                then {
                    discard;
                }
            }
            term mail {
                from {
                    destination-port [ 25 2525 2526 2527 2528 2529 2530 8080 8081 8082 8083 8084 8085 8086 8087 8088 8089 8090 1027 ];
                }
                then {
                    reject tcp-reset;
                }
            }
            /* Blocks database, cache, RPC, NFS, SNMP and print services from the outside; note several of these (111, 161, 2049) are UDP services, so pin protocol explicitly if a protocol match is added. */
            term prohibited {
                from {
                    destination-port [ 3306 11211 11212 11213 111 5666 6379 6380 6381 54679 39322 49898 34951 667 38083 59849 161 515 631 2049 5000 5432 6382 ];
                }
                then {
                    reject tcp-reset;
                }
            }
            term protect_web {
                from {
                    destination-prefix-list {
                        protect-web;
                    }
                    destination-port 80;
                }
                then {
                    reject tcp-reset;
                }
            }
            term default {
                then accept;
            }
        }
    }
    family inet6 {
        /* REVIEW: defined but not bound to any inet6 interface in this capture; vlan.5 carries the only inet6 address and has no filter. */
        filter tunnel6-inbound {
            term mail {
                from {
                    source-port 25;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
    }
}
/* Forwarding-only instances used as policy-based routing targets by the filters above; each just sets a default route to one next-hop on 208.34.20.0/24. */
routing-instances {
    db {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.5;
            }
        }
    }
    pdns {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.79;
            }
        }
    }
    route {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.4;
            }
        }
    }
    sm1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.81;
            }
        }
    }
    sm11 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.107;
            }
        }
    }
    sm12 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.126;
            }
        }
    }
    sm15 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.117;
            }
        }
    }
    sm16 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.119;
            }
        }
    }
    sm2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.38;
            }
        }
    }
    sm3 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.92;
            }
        }
    }
    sm4 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.121;
            }
        }
    }
    sm5 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.122;
            }
        }
    }
    sm6 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.100;
            }
        }
    }
    sm7 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.104;
            }
        }
    }
    w1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.27;
            }
        }
    }
    w2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.18;
            }
        }
    }
    w3 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.24;
            }
        }
    }
    w4 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.113;
            }
        }
    }
    w5 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 208.34.20.31;
            }
        }
    }
}
vlans {
    vlan-main {
        vlan-id 3;
        l3-interface vlan.3;
    }
    vlan-oldswitch2 {
        vlan-id 5;
        l3-interface vlan.5;
    }
}