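## Last changed: 2016-05-05 17:59:32 UTC
version 12.1X46-D40.2;
system {
    host-name TLFW01;
    time-zone UTC;
    /* NOTE(review): "$1$" is an MD5-crypt hash and it has been circulated with this
       file, so treat the root password as compromised and rotate it. No "login { user }"
       accounts exist, so root is the only account on the box; create a named admin
       user with a restricted login class before considering "ssh root-login deny". */
    root-authentication {
        encrypted-password "$1$j2VuJnct$XWn9LO9kPSWta/iax/yPk/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        /* Management is SSHv2 and HTTPS only. telnet, xnm-clear-text (cleartext
           JUNOScript API) and plain-HTTP J-Web were removed: all three carried admin
           credentials unencrypted on ge-0/0/4.0 and ge-0/0/15.0. */
        ssh {
            protocol-version v2;
        }
        web-management {
            /* system-generated-certificate is self-signed; replace it with a CA-issued
               "local-certificate" so an admin can distinguish this box from an impostor. */
            https {
                system-generated-certificate;
                interface [ ge-0/0/4.0 ge-0/0/15.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* Record every CLI command, not just errors, so configuration changes are auditable. */
        file interactive-commands {
            interactive-commands any;
        }
        /* Session records from the policies below that carry "log". Kept on a larger
           archive than the 100k default above. TODO: add a "host <collector>" stanza so
           logs survive a compromise of the firewall itself. */
        file security-sessions {
            any any;
            match RT_FLOW;
            archive size 1m files 5;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* Internet-facing uplink; every IKE gateway and the static-NAT public range live here. */
    ge-0/0/0 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family inet {
                address 200.0.0.254/23;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Transit link to the core router 172.16.2.25 (next hop of the 172.16.x statics). */
    ge-0/0/4 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family inet {
                address 172.16.2.29/29;
            }
        }
    }
    ge-0/0/5 {
        unit 0;
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* DMZ segment (zone DMZ below) holding TLNS01. */
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.2.129/28;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 172.16.8.32/21 {
                    preferred;
                }
            }
        }
    }
    /* Route-based VPN tunnel interfaces: st0.1 Scalable, st0.2 Unit4, st0.3 Azure. */
    st0 {
        unit 1 {
            family inet;
        }
        unit 2 {
            family inet;
            family inet6;
        }
        unit 3 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.0.0.1;
        route 172.16.8.0/21 next-hop 172.16.2.25;
        route 172.16.34.0/23 next-hop 172.16.2.25;
        route 172.16.32.0/23 next-hop 172.16.2.25;
        route 172.16.54.0/23 next-hop 172.16.2.25;
        route 172.16.36.0/23 next-hop 172.16.2.25;
        route 172.16.38.0/23 next-hop 172.16.2.25;
        route 172.16.40.0/23 next-hop 172.16.2.25;
        route 172.16.42.0/23 next-hop 172.16.2.25;
        route 172.16.16.0/21 next-hop 172.16.2.25;
        route 172.16.24.0/21 next-hop 172.16.2.25;
        route 172.16.60.0/22 next-hop 172.16.2.25;
        route 172.16.58.0/23 next-hop 172.16.2.25;
        route 10.0.0.0/24 next-hop st0.1;
        route 172.16.51.0/26 next-hop st0.3;
        route 172.31.254.0/24 next-hop st0.2;
    }
    router-id 172.16.2.29;
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* NOTE(review): ge-4/0/0.0 is not defined under "interfaces"; the router-id and
               the ospf host-inbound entry on ge-0/0/4.0 suggest this was meant to be
               ge-0/0/4.0. Left unchanged on purpose: correcting it would bring up an
               unauthenticated OSPF adjacency. If OSPF is wanted, fix the name and add
               "authentication { md5 ... }" agreed with the neighbour in the same commit. */
            interface ge-4/0/0.0;
        }
    }
    stp;
}
security {
    ike {
        /* NOTE(review): group2 (1024-bit MODP) and SHA-1 are below current guidance, as is
           "proposal-set standard" (3DES/AES-128, SHA-1, group2) used by the other two
           policies. Not changed here because the peers must agree; renegotiate with each
           peer for group14+/SHA-2. The "$9$" pre-shared keys are reversibly obfuscated, so
           anyone who has read this file can recover them - rotate all three. */
        proposal azure-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike_pol_Scalable {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$N8b24ikmQ36q.eMWx-dfTQFCu0BRlKWEhYg"; ## SECRET-DATA
        }
        policy ike_Unit4_pol {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$4Waiq.m5n/t5QSrevLXbs2g4JTQF"; ## SECRET-DATA
        }
        policy azure-policy {
            mode main;
            proposals azure-proposal;
            pre-shared-key ascii-text "$9$Bd6RSlWL7sgJXxs4aJjituORye-VY4JGSr24aJHkz36/A0RhyrvWYgkPTFtpX7-bgoHkPT39Ap87dV2g69AuEyeK8Vb28X"; ## SECRET-DATA
        }
        gateway gw_Scalable {
            ike-policy ike_pol_Scalable;
            address 83.244.232.146;
            dead-peer-detection;
            external-interface ge-0/0/0.0;
        }
        /* dead-peer-detection added to match gw_Scalable so a dead IKEv1 peer tears the
           SA down instead of black-holing traffic until vpn-monitor notices. */
        gateway gw_Unit4 {
            ike-policy ike_Unit4_pol;
            address 31.221.71.33;
            dead-peer-detection;
            external-interface ge-0/0/0.0;
        }
        gateway azure-gateway {
            ike-policy azure-policy;
            address 23.100.62.172;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        vpn-monitor-options;
        proposal azure-ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_pol_Scalable {
            proposal-set standard;
        }
        policy ipsec_Unit4_pol {
            proposal-set standard;
        }
        policy azure-vpn-policy {
            proposals azure-ipsec-proposal;
        }
        vpn Scalable {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway gw_Scalable;
                ipsec-policy ipsec_pol_Scalable;
            }
            establish-tunnels immediately;
        }
        vpn Unit4 {
            bind-interface st0.2;
            vpn-monitor;
            ike {
                gateway gw_Unit4;
                ipsec-policy ipsec_Unit4_pol;
            }
            establish-tunnels immediately;
        }
        vpn azure-ipsec-vpn {
            bind-interface st0.3;
            vpn-monitor;
            ike {
                gateway azure-gateway;
                ipsec-policy azure-vpn-policy;
            }
        }
    }
    alg {
        sccp {
            application-screen {
                /* NOTE(review): unknown SCCP messages are permitted through NAT and routed
                   paths; this bypasses ALG inspection for anything the ALG cannot parse. */
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
                call-flood threshold 300;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Trust-Untrust {
                from zone trust;
                to zone untrust;
                rule VoIP {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* One-to-one mappings from the 200.0.0.0/23 public range onto internal hosts.
           Each public address here must also appear in proxy-arp on ge-0/0/0.0 below. */
        static {
            rule-set KCC-DC {
                from zone untrust;
                rule TLSIRSI01 {
                    match {
                        destination-address 200.0.0.3/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.3/32;
                            }
                        }
                    }
                }
                rule KCC-BMS {
                    match {
                        destination-address 200.0.0.23/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.23/32;
                            }
                        }
                    }
                }
                rule TLRAP01 {
                    match {
                        destination-address 200.0.0.11/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.11/32;
                            }
                        }
                    }
                }
                rule TLAPP03 {
                    match {
                        destination-address 200.0.0.19/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.19/32;
                            }
                        }
                    }
                }
                rule TLDC01 {
                    match {
                        destination-address 200.0.0.2/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.1/32;
                            }
                        }
                    }
                }
                rule TLDC02 {
                    match {
                        destination-address 200.0.0.99/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.2/32;
                            }
                        }
                    }
                }
                rule TLCEL02 {
                    match {
                        destination-address 200.0.0.29/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.29/32;
                            }
                        }
                    }
                }
                rule TLAPP06 {
                    match {
                        destination-address 200.0.0.35/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.35/32;
                            }
                        }
                    }
                }
                rule TLCEL01 {
                    match {
                        destination-address 200.0.0.39/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.39/32;
                            }
                        }
                    }
                }
                rule TLUAG01 {
                    match {
                        destination-address 200.0.0.50/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.8.50/32;
                            }
                        }
                    }
                }
                rule TLAPP05 {
                    match {
                        destination-address 200.0.1.13/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.13/32;
                            }
                        }
                    }
                }
                rule TLOLLY01 {
                    match {
                        destination-address 200.0.1.12/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.12/32;
                            }
                        }
                    }
                }
                rule TLSP03 {
                    match {
                        destination-address 200.0.1.26/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.26/32;
                            }
                        }
                    }
                }
                rule TLEPS01 {
                    match {
                        destination-address 200.0.1.38/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.38/32;
                            }
                        }
                    }
                }
                rule TLOPLA04 {
                    match {
                        destination-address 200.0.1.4/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.4/32;
                            }
                        }
                    }
                }
                rule TLMAIL04 {
                    match {
                        destination-address 200.0.1.52/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.16.52/32;
                            }
                        }
                    }
                }
                rule TLNS01 {
                    match {
                        destination-address 200.0.1.2/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.16.2.130/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    200.0.0.11/32;
                    200.0.0.19/32;
                    200.0.0.2/32;
                    200.0.0.23/32;
                    200.0.0.29/32;
                    200.0.0.35/32;
                    200.0.0.39/32;
                    200.0.0.50/32;
                    200.0.0.3/32;
                    200.0.1.13/32;
                    200.0.1.12/32;
                    200.0.1.26/32;
                    200.0.1.38/32;
                    200.0.1.4/32;
                    200.0.1.52/32;
                    200.0.1.2/32;
                    200.0.0.99/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy TLCMD-VoIP {
                match {
                    source-address TLCMD-VoIP;
                    destination-address any;
                    application junos-sccp;
                }
                then {
                    permit;
                }
            }
            policy azure-security-trust-to-untrust-0 {
                match {
                    source-address any;
                    destination-address azure-networks-1;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Scalable {
                match {
                    source-address KCC-Server-VLAN;
                    destination-address Scalable-Internal-LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Unit4-VPN {
                match {
                    source-address KCC-Server-VLAN;
                    destination-address AGRESSO-LAN-STONEGATE;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Unrestricted outbound for the published servers. NOTE(review): this also lets a
               compromised server reach any Internet host on any port; consider limiting to
               the update/mail/DNS destinations each server actually needs. */
            policy permit-all {
                match {
                    source-address [ TLRAP01 TLAPP03 TLDC01 TLDC02 KCC-BMS TLCEL02 TLAPP06 TLCEL01 TLUAG01 TLSIRSI01 TLAPP05 TLOLLY01 TLSP03 TLEPS01 TLOPLA04 TLMAIL04 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy TLCMD-Data {
                match {
                    source-address TLCMD-Data;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Server-Web-Access {
                match {
                    source-address any;
                    destination-address [ TLRAP01 TLAPP03 KCC-BMS TLCEL02 TLAPP06 TLCEL01 TLUAG01 TLAPP05 TLOLLY01 TLSP03 TLEPS01 TLOPLA04 ];
                    application [ junos-https junos-http-ext junos-http ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy Server-LDAP {
                match {
                    source-address Moodle-All;
                    destination-address [ TLDC01 TLDC02 ];
                    application [ junos-ldap junos-internet-locator-service ];
                }
                then {
                    permit;
                }
            }
            /* SSH and FTP to the library server were previously open to "any" on the
               Internet. They are now limited to the Sirsi-Vendor set (the otherwise-unused
               sirsi-* addresses in the untrust address book, which look like the vendor's
               support ranges - confirm with the vendor before commit). The public catalogue
               ports stay reachable from anywhere in the Sirsi policy below. */
            policy Sirsi-Vendor-Admin {
                match {
                    source-address Sirsi-Vendor;
                    destination-address TLSIRSI01;
                    application [ junos-ssh junos-ftp ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy Sirsi {
                match {
                    source-address any;
                    destination-address TLSIRSI01;
                    application [ SIRSI junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy Server-Mail-Access {
                match {
                    source-address any;
                    destination-address TLMAIL04;
                    application [ junos-http junos-https junos-mail ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy policy_in_Scalable {
                match {
                    source-address Scalable-Internal-LAN;
                    destination-address KCC-Server-VLAN;
                    application [ junos-https junos-http-ext junos-http junos-ssh junos-snmp-agentx ];
                }
                then {
                    permit;
                }
            }
            policy Unit4-VPN {
                match {
                    source-address AGRESSO-LAN-STONEGATE;
                    destination-address KCC-Server-VLAN;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): any/any from the Azure VNet into the whole trust zone; the Azure
               side is effectively inside the perimeter. Narrow to the hosts it needs. */
            policy azure-security-untrust-to-trust-0 {
                match {
                    source-address azure-networks-1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Explicit final deny so refused inbound connections are logged (default deny is silent). */
            policy deny-and-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone DMZ to-zone untrust {
            /* NOTE(review): a DNS server only needs outbound DNS (and NTP/updates); any/any
               lets a compromised TLNS01 exfiltrate freely. */
            policy permit-all {
                match {
                    source-address TLNS01;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone DMZ {
            policy DNS {
                match {
                    source-address any;
                    destination-address TLNS01;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy deny-and-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy Trust-Intra-Zone {
                match {
                    source-address ARKLE.UCAS.AC.UK;
                    destination-address any;
                    application UCAS;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone DMZ {
            /* NOTE(review): any/any/any into the DMZ defeats the purpose of a separate zone;
               restrict to DNS plus the management protocol used for TLNS01. */
            policy Trust-DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address TLRAP01 172.16.8.11/32;
                address TLDC02 172.16.8.2/32;
                address TLAPP01 172.16.8.22/32;
                address TLAPP06 172.16.8.35/32;
                address TLUAG01 172.16.8.50/32;
                address Any {
                    wildcard-address 0.0.0.0/0;
                }
                address ARKLE.UCAS.AC.UK 194.80.160.88/32;
                address BHH-DATA-VLAN {
                    range-address 172.16.40.0 {
                        to {
                            172.16.41.255;
                        }
                    }
                }
                address KCC-DATA-VLAN {
                    range-address 172.16.32.0 {
                        to {
                            172.16.33.255;
                        }
                    }
                }
                address LAB-DATA-VLAN {
                    range-address 172.16.36.0 {
                        to {
                            172.16.37.255;
                        }
                    }
                }
                address BHH-VoIP-VLAN {
                    range-address 172.16.42.0 {
                        to {
                            172.16.43.255;
                        }
                    }
                }
                address KCC-VoIP-VLAN {
                    range-address 172.16.34.0 {
                        to {
                            172.16.35.255;
                        }
                    }
                }
                address LAB-VoIP-VLAN {
                    range-address 172.16.38.0 {
                        to {
                            172.16.39.255;
                        }
                    }
                }
                address KCC-Server-VLAN {
                    range-address 172.16.8.0 {
                        to {
                            172.16.15.255;
                        }
                    }
                }
                address LAB-Server-VLAN {
                    range-address 172.16.16.0 {
                        to {
                            172.16.23.255;
                        }
                    }
                }
                address BHH-Server-VLAN {
                    range-address 172.16.24.0 {
                        to {
                            172.16.31.255;
                        }
                    }
                }
                address onprem-networks-1 172.16.16.0/21;
                address TLCRM04 172.16.16.24/32;
                address TLSQL01 172.16.8.21/32;
                address TLSQL02 172.16.8.14/32;
                address TLSSS01 172.16.16.3/32;
                address TLSSS03 172.16.8.5/32;
                address TLSSS04 172.16.8.6/32;
                address TLAPP03 172.16.8.19/32;
                address TLDC01 172.16.8.1/32;
                address KCC-BMS 172.16.8.23/32;
                address TLCEL02 172.16.8.29/32;
                address TLCEL01 172.16.8.39/32;
                address TLSIRSI01 172.16.8.3/32;
                address TLAPP05 172.16.16.13/32;
                address TLOLLY01 172.16.16.12/32;
                address TLSP03 172.16.16.26/32;
                address TLEPS01 172.16.16.38/32;
                address TLOPLA04 172.16.16.4/32;
                address TLMAIL04 172.16.16.52/32;
                address TLNS01 172.16.2.130/32;
                address-set TLCMD-VoIP {
                    address KCC-VoIP-VLAN;
                    address BHH-VoIP-VLAN;
                    address LAB-VoIP-VLAN;
                }
                address-set TLCMD-Data {
                    address KCC-DATA-VLAN;
                    address LAB-DATA-VLAN;
                    address BHH-DATA-VLAN;
                }
            }
            /* "all" was removed from both lists: it made the explicit entries meaningless
               and exposed every RE service and routing daemon to the whole trust side.
               dhcp is listed explicitly because this box is the DHCP server for vlan.0;
               https replaces http to match the web-management change above. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ping;
                    ike;
                    dhcp;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                vlan.0;
                ge-0/0/15.0;
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address AGRESSO-LAN-STONEGATE {
                    range-address 172.31.254.0 {
                        to {
                            172.31.254.255;
                        }
                    }
                }
                address AIB-PCI-DSS-1 212.126.37.156/32;
                address AIB-PCI-DSS-2 {
                    range-address 92.51.244.128 {
                        to {
                            92.51.244.159;
                        }
                    }
                }
                address Any {
                    wildcard-address 0.0.0.0/0;
                }
                address azure-networks-1 172.16.51.0/26;
                address datas.sirsi.net 206.187.4.232/32;
                address LAB-DATA-VLAN {
                    range-address 172.16.36.0 {
                        to {
                            172.16.37.255;
                        }
                    }
                }
                address LAB-SERVER-VLAN {
                    range-address 172.16.16.0 {
                        to {
                            172.16.23.255;
                        }
                    }
                }
                address Moodle-2 128.86.134.16/32;
                address Moodle-1 128.86.130.50/32;
                address Moodle-3 128.86.132.76/32;
                address Moodle-4 128.86.137.25/32;
                address TLCMD-WWW 162.13.205.192/32;
                address Scalable-Internal-LAN {
                    range-address 10.0.0.0 {
                        to {
                            10.0.0.255;
                        }
                    }
                }
                address sirsi-chesham 150.147.68.20/32;
                address sirsi-ftp 90.152.57.195/32;
                address sirsi-ftp2 192.150.149.248/32;
                address sirsi-network 192.206.158.10/32;
                address sipcom-pbx 195.219.58.101/32;
                address-set Moodle-All {
                    address Moodle-2;
                    address Moodle-1;
                    address Moodle-3;
                    address Moodle-4;
                    address azure-networks-1;
                }
                /* Source set for the Sirsi-Vendor-Admin policy (SSH/FTP to TLSIRSI01). */
                address-set Sirsi-Vendor {
                    address datas.sirsi.net;
                    address sirsi-chesham;
                    address sirsi-ftp;
                    address sirsi-ftp2;
                    address sirsi-network;
                }
            }
            screen untrust-screen;
            /* Only IKE terminates on the Internet side; management stays on trust. */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.1;
                st0.2;
                st0.3;
            }
        }
        security-zone DMZ {
            address-book {
                address TLNS01 172.16.2.130/32;
            }
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
}
applications {
    application UCAS-UDP {
        protocol udp;
        source-port 1524-1528;
        destination-port 1524-1528;
    }
    application UCAS-TCP {
        protocol tcp;
        source-port 1524-1528;
        destination-port 1524-1528;
    }
    application https-ext {
        protocol tcp;
        source-port 0-65535;
        destination-port 8080;
    }
    application SOFTLINK-UDP {
        protocol udp;
        source-port 7920-7921;
        destination-port 7920-7921;
    }
    /* SOFTLINK-tcp and SOFTLINK-TCP are distinct (case-sensitive) duplicates; only
       SOFTLINK-TCP is referenced by the SOFTLINK set. */
    application SOFTLINK-tcp {
        protocol tcp;
        source-port 7920-7921;
        destination-port 7920-7921;
    }
    application SOFTLINK-TCP {
        protocol tcp;
        source-port 7920-7921;
        destination-port 7920-7921;
    }
    application SIRSI-TCP-1 {
        protocol tcp;
        source-port 5100-5101;
        destination-port 5100-5101;
    }
    application SIRSI-UDP-1 {
        protocol udp;
        source-port 5100-5101;
        destination-port 5100-5101;
    }
    application SIRSI-UDP-2 {
        protocol udp;
        source-port 2201;
        destination-port 2201;
    }
    application SIRSI-TCP-2 {
        protocol tcp;
        source-port 2201;
        destination-port 2201;
    }
    application-set UCAS {
        application UCAS-UDP;
        application UCAS-TCP;
    }
    application-set SOFTLINK {
        application SOFTLINK-UDP;
        application SOFTLINK-TCP;
    }
    application-set SIRSI {
        application SIRSI-TCP-1;
        application SIRSI-TCP-2;
        application SIRSI-UDP-2;
        application SIRSI-UDP-1;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}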