shamun · July 9, 2011 23:28
diff --git a/1 b/1
 root# show 
 ## Last changed: 2011-07-09 23:20:02 UTC
 version 11.1R3.5;
 system {
    root-authentication {
        encrypted-password "PAPA MAMA"; ## SECRET-DATA
    }
    name-server {
        195.130.130.1;
        195.130.131.1;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {                    
                192.168.1.1;            
            }                           
            pool 192.168.1.0/24 {       
                address-range low 192.168.1.2 high 192.168.1.254;
            }                           
            propagate-settings ge-0/0/0.0;
        }                               
    }                                   
    syslog {                            
        archive size 100k files 3;      
        user * {                        
            any emergency;              
        }                               
        file messages {                 
            any critical;               
            authorization info;         
        }                               
        file interactive-commands {     
            interactive-commands error; 
        }                               
    }                                   
    max-configurations-on-flash 5;      
    max-configuration-rollbacks 5;      
    license {                           
        autoupdate {                    
            url https://ae1.juniper.net/junos/key_retrieval;
        }                               
    }                                   
 }                                       
 interfaces {                            
    interface-range interfaces-trust {  
        member ge-0/0/1;                
        member fe-0/0/2;                
        member fe-0/0/3;                
        member fe-0/0/4;                
        member fe-0/0/5;                
        member fe-0/0/6;                
        member fe-0/0/7;                
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/0 {                          
        mac 08:00:69:02:01:fc;          
        unit 0 {                        
            family inet {               
                dhcp;                   
            }                           
        }                               
    }                                   
    vlan {                              
        unit 0 {                        
            family inet {               
                address 192.168.1.1/24; 
            }                           
        }                               
    }                                   
 }                                       
 security {                              
    alg {                               
        sip disable;                    
    }                                   
    screen {                            
        ids-option untrust-screen {     
            icmp {                      
                ping-death;             
            }                           
            ip {                        
                source-route-option;    
                tear-drop;              
            }                           
            tcp {                       
                syn-flood {             
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;         
                }                       
                land;                   
            }                           
        }                               
    }                                   
    nat {                               
        source {                        
            rule-set trust-to-untrust { 
                from zone trust;        
                to zone untrust;        
                rule source-nat-rule {  
                    match {             
                        source-address 0.0.0.0/0;
                    }                   
                    then {              
                        source-nat {    
                            interface;  
                        }               
                    }                   
                }                       
            }                           
        }                               
        destination {                   
            pool dst-nat-pool-1 {       
                address 192.168.1.2/32; 
            }                           
            rule-set rs1 {              
                from zone untrust;      
                rule r1 {               
                    match {             
                        destination-address 0.0.0.0/0;
                    }                   
                    then {              
                        destination-nat pool dst-nat-pool-1;
                    }                   
                }                       
            }                           
        }                               
        proxy-arp {                     
            interface ge-0/0/0.0 {      
                address {               
                    1.1.1.100/32 to 1.1.1.101/32;
                }                       
            }                           
        }                               
    }                                   
    policies {                          
        from-zone trust to-zone untrust {
            policy trust-to-untrust {   
                match {                 
                    source-address any; 
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
        from-zone untrust to-zone trust {
            policy server-access {      
                match {                 
                    source-address any; 
                    destination-address server-1;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
    }                                   
    zones {                             
        security-zone trust {           
            address-book {              
                address server-1 192.168.1.2/32;
            }                           
            host-inbound-traffic {      
                system-services {       
                    all;                
                }                       
                protocols {             
                    all;                
                }                       
            }                           
            interfaces {                
                vlan.0;                 
            }                           
        }                               
        security-zone untrust {         
            screen untrust-screen;      
            interfaces {                
                ge-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            dhcp;       
                            tftp;       
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
 }                                       
 vlans {                                 
    vlan-trust {                        
        vlan-id 3;                      
        l3-interface vlan.0;            
    }                                   
 }                                       
                                        
 [edit]
diff --git a/2 b/2
 set version 11.1R3.5
 set system root-authentication encrypted-password "PAPA MAMA"
 set system name-server 195.130.130.1
 set system name-server 195.130.131.1
 set system services ssh
 set system services telnet
 set system services web-management http interface vlan.0
 set system services web-management https system-generated-certificate
 set system services web-management https interface vlan.0
 set system services dhcp router 192.168.1.1
 set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
 set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
 set system services dhcp propagate-settings ge-0/0/0.0
 set system syslog archive size 100k
 set system syslog archive files 3
 set system syslog user * any emergency
 set system syslog file messages any critical
 set system syslog file messages authorization info
 set system syslog file interactive-commands interactive-commands error
 set system max-configurations-on-flash 5
 set system max-configuration-rollbacks 5
 set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

 set interfaces interface-range interfaces-trust member ge-0/0/1
 set interfaces interface-range interfaces-trust member fe-0/0/2
 set interfaces interface-range interfaces-trust member fe-0/0/3
 set interfaces interface-range interfaces-trust member fe-0/0/4
 set interfaces interface-range interfaces-trust member fe-0/0/5
 set interfaces interface-range interfaces-trust member fe-0/0/6
 set interfaces interface-range interfaces-trust member fe-0/0/7
 set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
 set interfaces ge-0/0/0 mac 08:00:69:02:01:fc
 set interfaces ge-0/0/0 unit 0 family inet dhcp
 set interfaces vlan unit 0 family inet address 192.168.1.1/24
 set security alg sip disable            
 set security screen ids-option untrust-screen icmp ping-death
 set security screen ids-option untrust-screen ip source-route-option
 set security screen ids-option untrust-screen ip tear-drop
 set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
 set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
 set security screen ids-option untrust-screen tcp syn-flood timeout 20
 set security screen ids-option untrust-screen tcp land
 set security nat source rule-set trust-to-untrust from zone trust
 set security nat source rule-set trust-to-untrust to zone untrust
 set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
 set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
 set security nat destination pool dst-nat-pool-1 address 192.168.1.2/32
 set security nat destination rule-set rs1 from zone untrust
 set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
 set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32 to 1.1.1.101/32
 set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
 set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
 set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
 set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
 set security policies from-zone untrust to-zone trust policy server-access match source-address any
 set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
 set security policies from-zone untrust to-zone trust policy server-access match application any
 set security policies from-zone untrust to-zone trust policy server-access then permit
 set security zones security-zone trust address-book address server-1 192.168.1.2/32
 set security zones security-zone trust host-inbound-traffic system-services all
 set security zones security-zone trust host-inbound-traffic protocols all
 set security zones security-zone trust interfaces vlan.0
 set security zones security-zone untrust screen untrust-screen
 set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
 set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
 set vlans vlan-trust vlan-id 3          
 set vlans vlan-trust l3-interface vlan.0
                                        
 [edit]
	root# show
	## Last changed: 2011-07-09 23:20:02 UTC
	version 11.1R3.5;
	system {
	root-authentication {
	encrypted-password "PAPA MAMA"; ## SECRET-DATA
	}
	name-server {
	195.130.130.1;
	195.130.131.1;
	}
	services {
	ssh;
	telnet;
	web-management {
	http {
	interface vlan.0;
	}
	https {
	system-generated-certificate;
	interface vlan.0;
	}
	}
	dhcp {
	router {
	192.168.1.1;
	}
	pool 192.168.1.0/24 {
	address-range low 192.168.1.2 high 192.168.1.254;
	}
	propagate-settings ge-0/0/0.0;
	}
	}
	syslog {
	archive size 100k files 3;
	user * {
	any emergency;
	}
	file messages {
	any critical;
	authorization info;
	}
	file interactive-commands {
	interactive-commands error;
	}
	}
	max-configurations-on-flash 5;
	max-configuration-rollbacks 5;
	license {
	autoupdate {
	url https://ae1.juniper.net/junos/key_retrieval;
	}
	}
	}
	interfaces {
	interface-range interfaces-trust {
	member ge-0/0/1;
	member fe-0/0/2;
	member fe-0/0/3;
	member fe-0/0/4;
	member fe-0/0/5;
	member fe-0/0/6;
	member fe-0/0/7;
	unit 0 {
	family ethernet-switching {
	vlan {
	members vlan-trust;
	}
	}
	}
	}
	ge-0/0/0 {
	mac 08:00:69:02:01:fc;
	unit 0 {
	family inet {
	dhcp;
	}
	}
	}
	vlan {
	unit 0 {
	family inet {
	address 192.168.1.1/24;
	}
	}
	}
	}
	security {
	alg {
	sip disable;
	}
	screen {
	ids-option untrust-screen {
	icmp {
	ping-death;
	}
	ip {
	source-route-option;
	tear-drop;
	}
	tcp {
	syn-flood {
	alarm-threshold 1024;
	attack-threshold 200;
	source-threshold 1024;
	destination-threshold 2048;
	timeout 20;
	}
	land;
	}
	}
	}
	nat {
	source {
	rule-set trust-to-untrust {
	from zone trust;
	to zone untrust;
	rule source-nat-rule {
	match {
	source-address 0.0.0.0/0;
	}
	then {
	source-nat {
	interface;
	}
	}
	}
	}
	}
	destination {
	pool dst-nat-pool-1 {
	address 192.168.1.2/32;
	}
	rule-set rs1 {
	from zone untrust;
	rule r1 {
	match {
	destination-address 0.0.0.0/0;
	}
	then {
	destination-nat pool dst-nat-pool-1;
	}
	}
	}
	}
	proxy-arp {
	interface ge-0/0/0.0 {
	address {
	1.1.1.100/32 to 1.1.1.101/32;
	}
	}
	}
	}
	policies {
	from-zone trust to-zone untrust {
	policy trust-to-untrust {
	match {
	source-address any;
	destination-address any;
	application any;
	}
	then {
	permit;
	}
	}
	}
	from-zone untrust to-zone trust {
	policy server-access {
	match {
	source-address any;
	destination-address server-1;
	application any;
	}
	then {
	permit;
	}
	}
	}
	}
	zones {
	security-zone trust {
	address-book {
	address server-1 192.168.1.2/32;
	}
	host-inbound-traffic {
	system-services {
	all;
	}
	protocols {
	all;
	}
	}
	interfaces {
	vlan.0;
	}
	}
	security-zone untrust {
	screen untrust-screen;
	interfaces {
	ge-0/0/0.0 {
	host-inbound-traffic {
	system-services {
	dhcp;
	tftp;
	}
	}
	}
	}
	}
	}
	}
	vlans {
	vlan-trust {
	vlan-id 3;
	l3-interface vlan.0;
	}
	}

	[edit]
	set version 11.1R3.5
	set system root-authentication encrypted-password "PAPA MAMA"
	set system name-server 195.130.130.1
	set system name-server 195.130.131.1
	set system services ssh
	set system services telnet
	set system services web-management http interface vlan.0
	set system services web-management https system-generated-certificate
	set system services web-management https interface vlan.0
	set system services dhcp router 192.168.1.1
	set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
	set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
	set system services dhcp propagate-settings ge-0/0/0.0
	set system syslog archive size 100k
	set system syslog archive files 3
	set system syslog user * any emergency
	set system syslog file messages any critical
	set system syslog file messages authorization info
	set system syslog file interactive-commands interactive-commands error
	set system max-configurations-on-flash 5
	set system max-configuration-rollbacks 5
	set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

	set interfaces interface-range interfaces-trust member ge-0/0/1
	set interfaces interface-range interfaces-trust member fe-0/0/2
	set interfaces interface-range interfaces-trust member fe-0/0/3
	set interfaces interface-range interfaces-trust member fe-0/0/4
	set interfaces interface-range interfaces-trust member fe-0/0/5
	set interfaces interface-range interfaces-trust member fe-0/0/6
	set interfaces interface-range interfaces-trust member fe-0/0/7
	set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
	set interfaces ge-0/0/0 mac 08:00:69:02:01:fc
	set interfaces ge-0/0/0 unit 0 family inet dhcp
	set interfaces vlan unit 0 family inet address 192.168.1.1/24
	set security alg sip disable
	set security screen ids-option untrust-screen icmp ping-death
	set security screen ids-option untrust-screen ip source-route-option
	set security screen ids-option untrust-screen ip tear-drop
	set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
	set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
	set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
	set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
	set security screen ids-option untrust-screen tcp syn-flood timeout 20
	set security screen ids-option untrust-screen tcp land
	set security nat source rule-set trust-to-untrust from zone trust
	set security nat source rule-set trust-to-untrust to zone untrust
	set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
	set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
	set security nat destination pool dst-nat-pool-1 address 192.168.1.2/32
	set security nat destination rule-set rs1 from zone untrust
	set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
	set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
	set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32 to 1.1.1.101/32
	set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
	set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
	set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
	set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
	set security policies from-zone untrust to-zone trust policy server-access match source-address any
	set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
	set security policies from-zone untrust to-zone trust policy server-access match application any
	set security policies from-zone untrust to-zone trust policy server-access then permit
	set security zones security-zone trust address-book address server-1 192.168.1.2/32
	set security zones security-zone trust host-inbound-traffic system-services all
	set security zones security-zone trust host-inbound-traffic protocols all
	set security zones security-zone trust interfaces vlan.0
	set security zones security-zone untrust screen untrust-screen
	set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
	set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
	set vlans vlan-trust vlan-id 3
	set vlans vlan-trust l3-interface vlan.0

	[edit]