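## Last commit: 2010-07-14 20:09:13 CDT by root
/* SRX-240H (WLS-SRX-01) running 10.1R1.8. Public and private addresses are scrubbed
   in this paste (x.x.x.x / 10.x.x.x / 209.x.x.x); only structure can be reviewed.
   Changes made below, each marked inline: VPN policies re-ordered so they are
   reachable, IKE gateway bound to the Layer 3 untrust interface, and the custom
   applications corrected to match on destination port. Everything else is unchanged. */
version 10.1R1.8;
system {
    host-name WLS-SRX-01;
    domain-name scrubbed.com;
    time-zone America/Chicago;
    root-authentication {
        /* Hash scrubbed in this paste (SECRET-DATA); do not commit an empty value. */
        encrypted-password ""; ## SECRET-DATA
    }
    name-server {
        x.x.x.x;
        x.x.x.x;
    }
    scripts {
        commit {
            file templates.xsl;
        }
    }
    services {
        ssh;
        /* telnet is cleartext management. It is reachable from the trust zone because
           that zone allows host-inbound system-services "all" (see zones below). */
        telnet;
        web-management {
            /* vlan.0 is marked inactive under interfaces; only vlan.100 serves J-Web today.
               http serves the UI without TLS on the internal VLAN. */
            http {
                interface [ vlan.0 vlan.100 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 vlan.100 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* Internal switch ports: vlan-internet (vlan-id 100), L3 on vlan.100 */
    interface-range interfaces-internet {
        member ge-0/0/14;
        member ge-0/0/15;
        member ge-0/1/0;
        member ge-0/2/0;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-internet;
                }
            }
        }
    }
    /* Untrust-side switch ports: vlan-untrust (vlan-id 175), L3 on vlan.175 */
    interface-range interfaces-untrust {
        member-range ge-0/0/1 to ge-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    /* Carrier hand-off. This is a Layer 2 switching port with no address of its own;
       the public /28 lives on vlan.175. */
    ge-0/0/0 {
        description TWTelecom;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/1 {
        description Reserved;
    }
    ge-0/0/2 {
        description SA2500;
        disable;
    }
    ge-0/0/3 {
        description Cisco_VPN3000;
    }
    ge-0/0/4 {
        description Ironport;
    }
    ge-0/0/7 {
        description Robison;
    }
    ge-0/0/8 {
        description iPrism_Internal;
        disable;
    }
    ge-0/0/9 {
        description iPrism_External;
        disable;
    }
    ge-0/0/15 {
        description Patient_Temp;
    }
    ge-0/1/0 {
        description SW01_1;
    }
    ge-0/2/0 {
        description SW01_2;
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    /* st0.0 is defined but never bound to the ARIS vpn and is in no zone; the VPN below
       is policy-based (tunnel in the security policy), so this unit is currently unused. */
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        inactive: unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        inactive: unit 20 {
            description Patient;
            family inet {
                address 10.x.x.254/32;
            }
        }
        unit 100 {
            description Internet;
            family inet {
                address 10.y.y.10/24;
            }
        }
        /* Public-facing L3 interface; the IKE gateway below is sourced from here. */
        unit 175 {
            description untrust;
            family inet {
                address 209.x.x.x/28 {
                    primary;
                    preferred;
                }
                inactive: address 209.x.x.x/28;
            }
        }
    }
}
snmp {
    name WLS-SRX-01;
    description SRX-240H;
    location M2;
    contact x3514;
    /* No explicit authorization statement: community defaults to read-only, restricted
       to the listed internal /24. */
    community x {
        clients {
            10.x.x.x/24;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 209.x.x.x;
        route 10.x.0.0/16 next-hop 10.x.x.2;
        route 10.x.x.0/16 next-hop 10.x.x.2;
        route 10.x.x.0/16 next-hop 10.x.x.2;
    }
}
security {
    /* IDP section elided by the poster. */
    idp {
        ....... .......
    }
    ike {
        /* Debug tracing left on ("flag all") writes every IKE exchange to /var/log/ike_trace;
           remove once the tunnel is stable. */
        traceoptions {
            file ike_trace;
            flag all;
        }
        /* Phase 1: 3DES/MD5/DH group 2, 24 h. Dictated by the remote peer; both
           algorithms are considered legacy -- confirm whether ARIS accepts AES/SHA. */
        proposal 3des-md5-group2-86400 {
            description 3desmd5;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ARIS {
            mode main;
            description 3desmd5;
            proposals 3des-md5-group2-86400;
            pre-shared-key ascii-text "$9$sY2gaGDk.PQ-d6CAtOBxN-wJUmfQ/9paJ6A"; ## SECRET-DATA
        }
        gateway ARIS {
            ike-policy ARIS;
            address x.x.x.x;
            /* Changed from ge-0/0/0.0: that unit is family ethernet-switching and carries
               no IP address. IKE must be sourced from the L3 interface that holds the
               public /28, which is vlan.175. Verify the peer is configured with that address. */
            external-interface vlan.175;
        }
    }
    ipsec {
        /* Debug tracing left on; see note under ike traceoptions. */
        traceoptions {
            flag all;
        }
        vpn-monitor-options {
            interval 60;
            threshold 5;
        }
        /* Phase 2: 3DES / HMAC-MD5-96, 8 h. No perfect-forward-secrecy group is set. */
        proposal 3des-md5-28800 {
            description 3des-md5-28800;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ARIS {
            description ARIS;
            proposals 3des-md5-28800;
        }
        /* Policy-based VPN: traffic enters the tunnel via "permit tunnel ipsec-vpn ARIS"
           in the security policies below, so no bind-interface is configured. */
        vpn ARIS {
            ike {
                gateway ARIS;
                ipsec-policy ARIS;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            /* Interface NAT for everything trust -> untrust. Source NAT runs before the
               policy lookup, so rad_pacs_router traffic bound for aris_ip_set is also
               translated to the vlan.175 address before it is encrypted. If the ARIS peer
               expects the 10.y.x.x sources, a rule matching those flows with
               "then { source-nat { off; } }" must precede source-nat-rule. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool mxgw {
                address 10.x.x.x/32;
            }
            pool exchange {
                address 10.x.x.x/32;
            }
            /* Only these public-IP/port pairs are translated inward; anything else sent to
               the public address is not NAT'd and then falls through to the policies. */
            rule-set mail {
                from zone untrust;
                rule mxgw {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mxgw;
                    }
                }
                rule mxgw_83 {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 83;
                    }
                    then {
                        destination-nat pool mxgw;
                    }
                }
                rule exchange_80 {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool exchange;
                    }
                }
                rule exchange_443 {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool exchange;
                    }
                }
                rule exchange_993 {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 993;
                    }
                    then {
                        destination-nat pool exchange;
                    }
                }
                rule exchange_995 {
                    match {
                        destination-address 209.x.x.x/32;
                        destination-port 995;
                    }
                    then {
                        destination-nat pool exchange;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address mxgw 10.x.x.x/32;
                address exchange 10.x.x.x/32;
                address rad_router1 10.y.x.x/32;
                address rad_router2 10.y.x.x/32;
                address rad_router3 10.y.x.x/32;
                address-set rad_pacs_router {
                    address rad_router1;
                    address rad_router2;
                    address rad_router3;
                }
            }
            /* Every system service and routing protocol is accepted from the internal
               VLAN, including telnet and http enabled above. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.100;
            }
        }
        security-zone untrust {
            /* Address names are scrubbed here; in the real config each of the nine
               entries must have a distinct name. */
            address-book {
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address aris_x_x_x_x-32 x.x.x.x/32;
                address-set aris_ip_set {
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                    address aris_x_x_x_x-32;
                }
            }
            screen untrust-screen;
            /* Zone-wide: only IKE is accepted from the Internet. */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                /* ssh and ping are additionally accepted on the public address itself. */
                vlan.175 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
                /* ge-0/0/0.0 is the L2 switching unit of the carrier port; vlan.175 is the
                   interface that actually carries this zone's address. */
                ge-0/0/0.0;
            }
        }
        /* Empty zone: its intended interface vlan.20 and vlan-patient are both inactive. */
        security-zone patient;
    }
    policies {
        from-zone trust to-zone untrust {
            /* Moved ahead of trust-to-untrust: policies are evaluated top-down, so the
               any/any permit below would otherwise match rad_pacs_router -> aris_ip_set
               first and send that traffic out NAT'd in the clear instead of into the tunnel. */
            policy trust-to-ARIS {
                match {
                    source-address rad_pacs_router;
                    destination-address aris_ip_set;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ARIS;
                        }
                    }
                    log {
                        session-init;
                    }
                    count;
                }
            }
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Inbound to the mail gateway after destination NAT. "application any" relies
               on rule-set mail only translating ports 25 and 83; the unused
               application-set mxgw below expresses the same intent explicitly. */
            policy untrust-to-mxgw {
                match {
                    source-address any;
                    destination-address mxgw;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    count;
                }
            }
            /* Same pattern for Exchange (ports 80/443/993/995 via destination NAT). */
            policy untrust-to-exchange {
                match {
                    source-address any;
                    destination-address exchange;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    count;
                }
            }
            /* Moved ahead of untrust-default-deny: an any/any deny listed first makes every
               policy after it unreachable, so decrypted ARIS traffic was being dropped. */
            policy ARIS-to-trust {
                match {
                    source-address aris_ip_set;
                    destination-address rad_pacs_router;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ARIS;
                        }
                    }
                    log {
                        session-init;
                    }
                    count;
                }
            }
            /* Explicit catch-all so denied inbound sessions are counted. Keep it last. */
            policy untrust-default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    count;
                }
            }
        }
    }
}
applications {
    /* Changed from source-port to destination-port: the names (smtp, https, ...) and the
       destination NAT rules above all refer to the server-side port. With source-port
       these would only have matched clients that happened to use that ephemeral port.
       None of these applications is referenced by a policy yet (all use "application any"). */
    application port83 {
        protocol tcp;
        destination-port 83;
    }
    application smtp {
        protocol tcp;
        destination-port 25;
    }
    application imaps {
        protocol tcp;
        destination-port 993;
    }
    application pop3s {
        protocol tcp;
        destination-port 995;
    }
    application https {
        protocol tcp;
        destination-port 443;
    }
    application http {
        protocol tcp;
        destination-port 80;
    }
    application port26 {
        protocol tcp;
        destination-port 26;
    }
    application-set mxgw {
        application port83;
        application smtp;
    }
}
vlans {
    vlan-internet {
        vlan-id 100;
        l3-interface vlan.100;
    }
    inactive: vlan-patient {
        vlan-id 20;
        l3-interface vlan.20;
    }
    vlan-untrust {
        vlan-id 175;
        l3-interface vlan.175;
    }
}
root@WLS-SRX-01>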