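## Last changed: 2019-01-15 07:23:12 GMT-6
/* Juniper SRX configuration (Junos 15.1X49-D70.3), reformatted one statement per line.
   The pasted text carried four unmatched closing braces (one after the system stanza,
   three after ge-0/0/3, where other stanzas were apparently trimmed before posting);
   they are dropped here so the hierarchy is balanced and irb/st0 sit inside the
   interfaces stanza where Junos expects them. Addresses and secrets are kept exactly
   as redacted in the original. Review notes are attached to the statements they concern. */
version 15.1X49-D70.3;
system {
    host-name xyz;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "xxx";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text are unencrypted management channels;
           ssh (and https below) already cover the same use. */
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            group jweb-default-group {
                interface irb.0;
            }
        }
        web-management {
            /* NOTE(review): plain http serves J-Web without encryption; https is enabled alongside it. */
            http;
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }
}
security {
    log {
        mode event;
    }
    ike {
        policy ike_pol_vpn_to_headquarters {
            /* NOTE(review): IKEv1 aggressive mode with a pre-shared key exchanges identities
               before the session is encrypted, which exposes the key to offline guessing.
               This side has a fixed address on ge-0/0/0.0, so main mode is possible if the
               peer accepts it. proposal-set basic is the weakest predefined set (DES-based). */
            mode aggressive;
            proposal-set basic;
            pre-shared-key ascii-text "xyz";
        }
        gateway gw_vpn_to_headquarters {
            ike-policy ike_pol_vpn_to_headquarters;
            address xx.xxx.xx.107;
            dead-peer-detection;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec_pol_vpn_to_headquarters {
            perfect-forward-secrecy {
                keys group5;
            }
            /* NOTE(review): basic is the weakest predefined IPsec set as well (DES-based). */
            proposal-set basic;
        }
        vpn vpn_to_headquarters {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway gw_vpn_to_headquarters;
                ipsec-policy ipsec_pol_vpn_to_headquarters;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                /* NOTE(review): st0.0 is a member of zone Internet (see zones below), so
                   traffic for 192.168.3.0/24, which the static route sends to st0.0, also
                   matches this any-to-any rule and is presumably source-NATed into the
                   tunnel unless a rule before it turns NAT off for that destination --
                   confirm against the headquarters side. */
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            /* NOTE(review): policies are evaluated in order; this any/any permit matches
               first, so policy_out_vpn_to_headquarters below is shadowed and never used. */
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_vpn_to_headquarters {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address addr_192_168_3_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy All_Internal_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Internal {
            policy policy_in_vpn_to_headquarters {
                match {
                    source-address addr_192_168_3_0_24;
                    destination-address addr_192_168_0_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): permit-all accepts any flow that no explicit policy matches,
           including Internet-to-Internal traffic not sourced from 192.168.3.0/24.
           deny-all with explicit permits is the usual default for a firewall. */
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
            }
            /* NOTE(review): every system service and routing protocol is accepted from
               the LAN side; narrow this to what hosts on irb.0 actually need. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone Internet {
            address-book {
                address addr_192_168_3_0_24 192.168.3.0/24;
            }
            /* NOTE(review): ssh, http and https are listed both at zone level and on
               ge-0/0/0.0, so the device's own management plane is reachable from the
               WAN side whichever level takes effect; tftp and dhcp are opened on
               ge-0/0/0.0 too. Only ike (and traceroute for diagnostics) is needed here
               for the VPN to come up. */
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    https;
                    http;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
                /* ge-0/0/7.0 is a zone member here but no ge-0/0/7 stanza appears in the
                   interfaces block of this paste -- presumably trimmed. */
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                        }
                    }
                }
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address xx.xxx.xx.254/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan0;
                }
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 192.168.3.0/24 next-hop st0.0;
        route 0.0.0.0/0 next-hop xx.xx.xx.253; ##isp gateway address##
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
access {
    address-assignment {
        pool jweb-default-pool {
            family inet {
                network 192.168.0.0/24;
                range jweb-default-range {
                    low 192.168.0.2;
                    high 192.168.0.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        192.168.0.1;
                    }
                }
            }
        }
    }
}
vlans {
    vlan0 {
        vlan-id 2;
        l3-interface irb.0;
    }
}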