10-20-2008 04:15 AM
Dear all,
I need to configure the following points on my router:
1. Configure the router as an SSH server to connect to it securely (and also specify the specific IPs that may connect).
2. The Cisco command (snmp-server enable traps tty): how to do it on Juniper.
I found some basic configuration regarding this issue, but some details I can't, like the TTY issue.
Thanks in advance for your time and efforts.
10-20-2008 05:01 AM
Hi Arzo
You mention that you have already found some documentation on the topic but I just want to make sure that you have seen the following:
2) Configuring SNMP Trap Options and Groups
For SSH access this will work:
lab@router# show system services
ftp;
ssh;
telnet;
[edit]
lab@router#
For basic SNMP traps a configuration like this would already be enough.
lab@router# show snmp
trap-group public {
    targets {
        10.0.0.1;
    }
}
[edit]
lab@router#
10-20-2008 06:29 AM - edited 10-20-2008 06:45 AM
Hi,
AntonD has already provided You valuable information, but I'd like to add something about firewalling (to specify who can even try to connect to your router via SSH; I assumed it would be 10.0.0.1 and 10.0.0.2):
user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
user@router# set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
user@router# set firewall family inet filter RE_FILTER term SSH from protocol tcp
user@router# set firewall family inet filter RE_FILTER term SSH from destination-port 22
user@router# set firewall family inet filter RE_FILTER term SSH then accept
user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
user@router# set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
user@router# set firewall family inet filter RE_FILTER term DEFAULT then accept
Then just apply the filter to lo0 interface:
user@router# set interfaces lo0 unit 0 family inet filter input RE_FILTER
I assumed You have no filters applied to lo0, but if You have any, just add the term SSH and eventually SSH_BLOCK to your own filter. The filter above cares only about SSH (the rest of the protocols are just accepted in the DEFAULT term), so it shouldn't break anything in your network (still, it's always worth analyzing and testing it on your own).
Hope it helps a bit,
Have a nice day,
G.
10-20-2008 06:53 AM
Thank you G for the great example. I have a small question:
set firewall family inet filter RE_FILTER term DEFAULT then accept
Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.
10-20-2008 07:12 AM - edited 10-20-2008 07:14 AM
Arzo wrote: Thank you G for the great example. I have a small question:
set firewall family inet filter RE_FILTER term DEFAULT then accept
Since after the word TERM there should be a (name), how can the word DEFAULT point to ANY other protocol? I didn't get that, sorry.
Hi again,
No problem, I'm glad You found it useful.
You're right, after the 'term' keyword there should be the name of the term, so 'DEFAULT' in our case is just that: the name of the term (I chose DEFAULT to make its purpose quite obvious). Then, a term can (it is optional) have some 'from' statements to match which packets we're interested in, and a 'then' statement to say what to do with those previously matched packets. If You specify no 'from' conditions, that term matches everything (all protocols, ports, etc.; just everything else not matched in the terms above). Please have a look here to get more info:
http://www.juniper.net/techpubs/software/junos/jun
Have a nice day,
All the best,
G.
10-20-2008 07:36 AM
Thank you so much G, it was really a stupid question.
I realized it after I sent you the reply; I found one that I configured once. Thanks again. Anyway, you all gave me great help. I will paste all my collection for this case that I finished with your help, so it will be useful for other members; if you find anything wrong in my configuration please inform me.
term everything-else {
    then accept;
}
The configuration lines:
TACACS PLUS CONFIGURATION:
set system authentication-order [ tacplus password ]
set system tacplus-server TAC_IP source-address SRC_IP
set system login user remote full-name "TACACS+ User Template" class super-user
Notes:
1. It is better to include password after tacplus: if the router is unable to reach the TACACS+ server, it will authenticate locally. If you don't want that option you can remove it.
2. The user remote is the template for TACACS+ to access the router, so it's mandatory.
SNMP CONFIGURATION:
set snmp location WORK
set snmp contact EMAIL
set snmp community NAME
set snmp trap-options source-address lo0
set snmp trap-group public targets SNMP_SERVER_IP
SSH ACCESS AND FILTERING:
set system services ssh root-login deny-password
set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services ssh rate-limit 10
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port 22
set firewall family inet filter RE_FILTER term SSH then accept
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term everything-else then accept
set interfaces lo0 unit 0 family inet filter input RE_FILTER
Notes:
1. Do NOT remove or alter the everything-else term or all connections to the router will stop functioning (BGP, Telnet, NTP, etc.)
2. root-login deny-password, so root won't be accessible through SSH.
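As an added example (not part of the thread and not Juniper's code), a small Python evaluator for the RE_FILTER terms posted above. It models G's explanation that a term with no 'from' conditions matches everything, and the note that removing the everything-else term cuts off the other protocols, since a Junos filter ends with an implicit discard. The packet dictionaries and the non-matching source 192.0.2.9 are constructed.

```python
import ipaddress

# Constructed sample: the RE_FILTER set-lines from the thread, in their posted order.
RE_FILTER_SET_LINES = """
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port 22
set firewall family inet filter RE_FILTER term SSH then accept
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term everything-else then accept
""".strip().splitlines()


def parse_filter(set_lines):
    """Return [(term_name, from_conditions, action)] in first-appearance order."""
    terms = {}  # dict keeps insertion order, which is the term order in set-format
    for line in set_lines:
        tokens = line.split()
        at = tokens.index("term")
        term = terms.setdefault(tokens[at + 1], {"from": {}, "then": None})
        rest = tokens[at + 2:]
        if rest[0] == "from":  # from <match-type> <value>; values of one type are OR'ed
            term["from"].setdefault(rest[1], []).append(rest[2])
        elif rest[0] == "then":
            term["then"] = rest[1]
    return [(name, t["from"], t["then"]) for name, t in terms.items()]


def term_matches(conditions, pkt):
    """No 'from' conditions means the term matches everything; otherwise all types must match."""
    for key, values in conditions.items():
        if key == "source-address":
            src = ipaddress.ip_address(pkt["src"])
            if not any(src in ipaddress.ip_network(v) for v in values):
                return False
        elif key == "protocol" and pkt["proto"] not in values:
            return False
        elif key == "destination-port" and str(pkt["dport"]) not in values:
            return False
    return True


def evaluate(terms, pkt):
    """First matching term wins; a Junos filter ends with an implicit discard."""
    for name, conditions, action in terms:
        if term_matches(conditions, pkt):
            return name, action
    return "implicit", "discard"
```

Running evaluate() on the parsed terms with and without the final term shows why BGP (tcp/179) is only accepted while everything-else is present.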
10-20-2008 07:59 AM
Hi again,
Someone said that there are no stupid questions, so don't worry about it.
I'm glad to hear that it is useful for You. Also, big thanks to AntonD because it was team work.
Have a nice day,
All the best,
Gniewko