# show | display set
#
# Junos configuration exported in "set" format. The statement families used
# (security zones, screen, nat, dynamic-vpn) suggest an SRX-style firewall.
# Several statements appear with their values removed (host name, password
# hashes, interface and NAT addresses, application ports, user names), so the
# listing documents structure and is not loadable as-is.
#
# Review summary (details next to the statements concerned):
#   - xnm-clear-text management service is enabled (unencrypted).
#   - ssh and https to the device itself are allowed on the untrust interface.
#   - trust zone allows all host-inbound services and protocols.
#   - trust-to-trust policy is any/any permit, so the VLANs are not isolated
#     from each other by policy.
#   - no policy carries a log action and no remote syslog host is defined.
#   - IKE uses aggressive mode with a pre-shared key and the predefined
#     "standard" proposal set.

# Junos release as exported; check it against the vendor's supported-release
# and security-advisory listings.
set version 15.1X49-D70.3

# ---- System identity, accounts, management services ----
set system host-name
set system root-authentication encrypted-password
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server
set system login message "Authorized users ONLY!!!"
# Two local accounts: jtech (class operator) and a second account whose name
# is not shown (class super-user). No `system login retry-options` or
# password-policy statements appear in this listing.
set system login user jtech uid 2001
set system login user jtech class operator
set system login user jtech authentication encrypted-password
set system login user uid 2000
set system login user class super-user
set system login user authentication encrypted-password
# ssh is enabled with no further options (no `root-login`, `rate-limit` or
# `connection-limit` statements are present), and the untrust interface below
# accepts ssh as host-inbound traffic.
set system services ssh
# NOTE(review): xnm-clear-text runs the Junos XML management protocol over an
# unencrypted session, so credentials and configuration cross the network in
# clear text. `netconf ssh` on the next line is the encrypted equivalent.
# The trust zone's `system-services all` makes this service reachable from
# every trust interface.
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface fxp0.0
set system services dhcp-local-server group jdhcp-group interface irb.0
# J-Web over HTTPS with a self-signed, device-generated certificate. No
# `web-management https interface` restriction is shown, and https is allowed
# inbound on the untrust interface below - presumably for the dynamic-VPN
# portal; confirm whether the management UI is reachable there as well.
set system services web-management https system-generated-certificate

# ---- Logging ----
# Only local log files are defined; no `system syslog host` statement appears,
# so logs stay on the device. No `system ntp` statements appear either, which
# matters when correlating timestamps with other sources.
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
# policy_session collects messages matching RT_FLOW (session logs).
# NOTE(review): none of the security policies below has a `then log`
# action, so this file is unlikely to receive session records - confirm.
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
# world-readable lets every local user read the archived session logs.
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

# ---- IKE / IPsec for the dynamic (remote-access) VPN ----
# Aggressive mode with a pre-shared key exposes key-derived authentication
# material before the peer is authenticated, which permits offline guessing of
# a weak key; the key should be long and random. XAuth (access profile
# dyn-vpn-access-profile) is the per-user check on top of the shared key.
# NOTE(review): the predefined `standard` proposal set is believed to include
# 3DES / SHA-1 with DH group 2 - verify for this release; a custom proposal
# allows the weaker transforms to be excluded.
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 60
# group-ike-id: all remote users share one IKE identity and one pre-shared key.
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security dynamic-vpn access-profile dyn-vpn-access-profile
# NOTE(review): 192.0.0.0/8 spans 192.0.0.0-192.255.255.255, far wider than
# the 192.168.x.x pools defined in this file; 192.168.0.0/16 may have been
# intended - confirm.
set security dynamic-vpn clients all remote-protected-resources 192.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user

# ---- Screen (packet-anomaly / flood checks), bound to zone untrust below ----
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

# ---- Source NAT: everything from trust to untrust is translated to the
# egress interface address ----
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

# ---- Destination NAT: publishes Citrix and PBX hosts to the untrust side.
# Pool and match addresses are not shown. ----
set security nat destination pool citrix-dst-nat description "Citrix Destination NAT Pool"
set security nat destination pool citrix-dst-nat routing-instance default
set security nat destination pool citrix-dst-nat address
set security nat destination pool pbx-dst-nat-01 address
set security nat destination pool pbx-dst-nat-02 address
set security nat destination pool pbx-dst-nat-03 address
set security nat destination rule-set dst-rs-01 description "Untrusted Destination Rule Set"
set security nat destination rule-set dst-rs-01 from zone untrust
# citrix-rule-01 matches on destination address only (no port or protocol
# match line is shown); the citrix-connections policy is what limits the
# permitted applications.
set security nat destination rule-set dst-rs-01 rule citrix-rule-01 description "Citrix NAT Pool"
set security nat destination rule-set dst-rs-01 rule citrix-rule-01 match destination-address
set security nat destination rule-set dst-rs-01 rule citrix-rule-01 then destination-nat pool citrix-dst-nat
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-01 description "PBX NAT Pool"
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-01 match destination-address
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-01 match destination-port
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-01 match protocol udp
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-01 then destination-nat pool pbx-dst-nat-01
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-02 match destination-address
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-02 match destination-port
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-02 match protocol udp
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-02 then destination-nat pool pbx-dst-nat-02
# NOTE(review): unlike rules -01 and -02, rule pbx-dst-nat-03 shows no
# destination-port match line. If that reflects the running configuration,
# every UDP port on the matched address is translated to pool -03; the
# pbx-connections policy would still limit what is permitted. Confirm.
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-03 match destination-address
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-03 match protocol udp
set security nat destination rule-set dst-rs-01 rule pbx-dst-nat-03 then destination-nat pool pbx-dst-nat-03

# ---- Security policies ----
# No policy in this listing has a `then log` action, and none has `then count`.
#
# trust -> trust: any/any/any permit. All eight irb interfaces sit in zone
# trust, so traffic between the VLANs is not restricted by policy.
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
# trust -> untrust: unrestricted outbound.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# untrust -> trust: Citrix host published to any source for citrix-ica and
# junos-https.
set security policies from-zone untrust to-zone trust policy citrix-connections description "Permit Citrix Connections from Untrusted Zone"
set security policies from-zone untrust to-zone trust policy citrix-connections match source-address any
set security policies from-zone untrust to-zone trust policy citrix-connections match destination-address citrix
set security policies from-zone untrust to-zone trust policy citrix-connections match application citrix-ica
set security policies from-zone untrust to-zone trust policy citrix-connections match application junos-https
set security policies from-zone untrust to-zone trust policy citrix-connections then permit
# untrust -> trust: PBX range published to any source for the pbx-udp-ports set.
set security policies from-zone untrust to-zone trust policy pbx-connections description "Permit PBX Connections from Untrusted Zone"
set security policies from-zone untrust to-zone trust policy pbx-connections match source-address any
set security policies from-zone untrust to-zone trust policy pbx-connections match destination-address pbx
set security policies from-zone untrust to-zone trust policy pbx-connections match application pbx-udp-ports
set security policies from-zone untrust to-zone trust policy pbx-connections then permit
# untrust -> trust through the dyn-vpn tunnel: any destination, any
# application. An authenticated VPN user reaches the whole trust zone;
# narrowing destination-address/application here is where least privilege
# for remote users would be expressed.
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

# ---- Zones ----
set security zones security-zone trust address-book address citrix
set security zones security-zone trust address-book address pbx range-address
# NOTE(review): `all` for both system-services and protocols exposes every
# service the device runs (including xnm-clear-text above) to every
# trust-zone interface. Listing only the services needed per interface narrows
# the management surface.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces irb.50
set security zones security-zone trust interfaces irb.60
set security zones security-zone trust interfaces irb.90
set security zones security-zone trust interfaces irb.200
set security zones security-zone trust interfaces irb.70
set security zones security-zone trust interfaces irb.20
set security zones security-zone trust interfaces irb.91
set security zones security-zone untrust screen untrust-screen
# Services the device itself accepts on the untrust interface. ike and https
# are presumably required by the dynamic VPN. dhcp and tftp look like
# leftovers from a factory-default template - confirm whether they are still
# needed. ssh here exposes device login to the untrust side; no loopback (lo0)
# firewall filter restricting management sources appears in this listing.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

# ---- Interfaces ----
# ge-0/0/0 is the untrust-side interface; three address statements are
# present with their values not shown.
set interfaces ge-0/0/0 unit 0 family inet address
set interfaces ge-0/0/0 unit 0 family inet address
set interfaces ge-0/0/0 unit 0 family inet address
# ge-0/0/1 is a trunk carrying every VLAN defined in this file.
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan50
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan60
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan90
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan200
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan70
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan91
# ge-0/0/2 through ge-0/0/15 are members of vlan-trust only.
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
# fxp0 is the out-of-band management port; it also has a DHCP local-server
# group bound to it in the system services section.
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
# One routed irb unit per VLAN; addresses are not shown.
set interfaces irb unit 0 family inet address
set interfaces irb unit 20 family inet address
set interfaces irb unit 50 family inet address
set interfaces irb unit 60 family inet address
set interfaces irb unit 70 family inet address
set interfaces irb unit 90 family inet address
set interfaces irb unit 91 family inet address
set interfaces irb unit 200 family inet address

# ---- DHCP relay, routing, switching mode ----
# Two server-group statements are present; the server addresses are not shown.
set forwarding-options dhcp-relay server-group DHCP_Servers
set forwarding-options dhcp-relay server-group DHCP_Servers
set forwarding-options dhcp-relay active-server-group DHCP_Servers
set forwarding-options dhcp-relay group All interface irb.50
set forwarding-options dhcp-relay group All interface irb.60
set forwarding-options dhcp-relay group All interface irb.70
set forwarding-options dhcp-relay group All interface irb.200
set routing-options static route 0.0.0.0/0 next-hop
set protocols l2-learning global-mode switching

# ---- Access profiles and address pools ----
# Local XAuth user(s) for the dynamic VPN; the client name and password value
# are not shown. The same profile is the default for web authentication at
# the end of this section.
set access profile dyn-vpn-access-profile client firewall-user password
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool junosDHCPPool1 family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool1 family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool1 family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes propagate-settings ge-0/0/0.0
set access address-assignment pool junosDHCPPool2 family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool2 family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool2 family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool2 family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool2 family inet dhcp-attributes propagate-settings ge-0/0/0.0
# Addresses handed to VPN clients come from 192.168.199.0/24.
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.199.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes secondary-dns
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

# ---- Custom applications referenced by the untrust -> trust policies.
# Destination-port values are not shown. ----
set applications application citrix-ica protocol tcp
set applications application citrix-ica destination-port
set applications application citrix-ica description "Citrix Applications and Desktops"
set applications application pbx-ctrl-signals protocol udp
set applications application pbx-ctrl-signals destination-port
set applications application pbx-ctrl-signals description "PBX Control Signals"
set applications application pbx-voice-paths protocol udp
set applications application pbx-voice-paths destination-port
set applications application pbx-voice-paths description "PBX Voice Paths"
set applications application-set pbx-udp-ports description "PBX UDP Communicatio n Ports"
set applications application-set pbx-udp-ports application pbx-ctrl-signals
set applications application-set pbx-udp-ports application pbx-voice-paths

# ---- VLANs, each bound to its irb unit. Descriptions are not shown. ----
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set vlans vlan20 description
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20
set vlans vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 l3-interface irb.200
set vlans vlan50 description
set vlans vlan50 vlan-id 50
set vlans vlan50 l3-interface irb.50
set vlans vlan60 description
set vlans vlan60 vlan-id 60
set vlans vlan60 l3-interface irb.60
set vlans vlan70 description
set vlans vlan70 vlan-id 70
set vlans vlan70 l3-interface irb.70
set vlans vlan90 description
set vlans vlan90 vlan-id 90
set vlans vlan90 l3-interface irb.90
set vlans vlan91 description
set vlans vlan91 vlan-id 91
set vlans vlan91 l3-interface irb.91