root> show configuration | no-more
## Last commit: 2017-01-07 00:27:55 UTC by root
/* review: "show configuration" dump from an SRX320 (see snmp name) on 15.1X49-D45; the "##" lines are CLI-generated.
   The "$9$" strings throughout are Junos reversible obfuscation, not one-way hashes, so this dump is
   plaintext-equivalent credential material: restrict who can read it and rotate the PSK and XAuth passwords
   if it has been shared. Only the root "$5$" password is a real one-way hash. */
version 15.1X49-D45;
groups {
    /* review: duplicates the security.log file stanza under system syslog below; no apply-groups statement
       is visible in this dump, so the group itself is presumably inert. */
    jweb-security-logging {
        system {
            syslog {
                file security.log {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    /* review: no "system login" users appear in this dump, so all administration (including the last commit)
       is done as root over the management services below. */
    root-authentication {
        encrypted-password "$5$QjeiorOz$f4vnjL4z/IZkxmYvTeldGhMYldOp86mJ6HRpjnfVGHA"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /* review: telnet and xnm-clear-text are cleartext management protocols; ssh and https are already
           enabled, so these look removable. They are reachable from the trust zone because that zone
           accepts all system-services (see security zones); the untrust zone does not list them. */
        telnet;
        xnm-clear-text;
        web-management {
            /* review: cleartext HTTP J-Web alongside HTTPS. Only ge-0/0/1.0 has an address under
               "interfaces"; ge-0/0/2.0 to ge-0/0/5.0 are not defined there, so the list looks like a
               factory default carried forward. */
            http {
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
            }
        }
        dhcp {
            /* review: no interface in this dump carries a 172.16.1.0/24 address (ge-0/0/1 is 192.168.1.2/24),
               so it is unclear which interface this pool serves — confirm whether it is stale. The pool is
               also named with a host address (172.16.1.10/24) rather than the network address. */
            pool 172.16.1.10/24 {
                address-range low 172.16.1.10 high 172.16.1.80;
                default-lease-time 1440;
                name-server {
                    64.222.212.243;
                    64.222.165.243;
                }
                router {
                    172.16.1.1;
                }
            }
        }
    }
    syslog {
        /* review: security.log captures "any any" but keeps only one 100k archive, so session logs
           (session-init is enabled on most untrust policies) will roll over quickly; forward to a remote
           collector if these events are needed for detection or incident response. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file security.log {
            any any;
            archive files 1;
            structured-data;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        mode event;
    }
    ike {
        /* review: "flag all" is full IKE debug tracing; left on permanently it adds load and writes
           negotiation detail to ike.log. Normally enabled only while troubleshooting. */
        traceoptions {
            file ike.log size 5m files 3;
            flag all;
        }
        /* review: MD5 integrity, 3DES-CBC and DH group2 (1024-bit) are all legacy choices. Combined with
           aggressive mode and a shared-ike-id group PSK (policy/gateway below), the phase-1 exchange
           exposes PSK-derived material to offline guessing, so the PSK strength matters a great deal.
           Whether the VPN phones can negotiate main mode, SHA-2, AES and group14 is a peer-capability
           question to confirm before changing this. */
        proposal pre-g2-3des-md5 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy vpnphone-gw {
            mode aggressive;
            proposals pre-g2-3des-md5;
            pre-shared-key ascii-text "$9$EEHcevM8Xx-Vrl"; ## SECRET-DATA
        }
        gateway vpnphone-gw {
            ike-policy vpnphone-gw;
            dynamic {
                /* review: the remote ID is matched literally; the spelling "oganization" recurs in the
                   trust address-book (All_oganization_LAN), so do not "correct" it without reconfiguring
                   the phones. */
                user-at-hostname "vpnphone@oganization.org";
                connections-limit 200;
                ike-user-type shared-ike-id;
            }
            nat-keepalive 300;
            external-interface ge-0/0/0.0;
            xauth access-profile xauth;
        }
    }
    ipsec {
        /* review: AES-128-CBC with HMAC-SHA1-96 and group2 PFS; SHA-1 and group2 are the weak points
           here, same peer-capability caveat as the IKE proposal. */
        proposal g2-esp-aes128-sha {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy policy-vpnphone-vpn {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-aes128-sha;
        }
        /* review: no bind-interface appears in this dump, so st0.0 (placed in the untrust zone below) is
           not attached to this VPN; the tunnel is only referenced from policy "tunnel" actions, which the
           CLI reports as ignored on this platform. */
        vpn vpnphone-vpn {
            ike {
                gateway vpnphone-gw;
                ipsec-policy policy-vpnphone-vpn;
            }
        }
    }
    alg {
        h323 disable;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* review: the 64.64.64.65-.71 targets are outside ge-0/0/0.0's 64.222.180.112/30 and look like
           sanitized placeholders; proxy-arp for them on that interface only helps if the upstream actually
           delivers those addresses here — verify against the real allocation. These six hosts are the
           ones exposed by the untrust-to-trust policies below. */
        static {
            rule-set static-nat-untrust {
                from zone untrust;
                rule rule-1 {
                    match {
                        destination-address 64.64.64.65/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.8/32;
                            }
                        }
                    }
                }
                rule rule-2 {
                    match {
                        destination-address 64.64.64.67/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.7/32;
                            }
                        }
                    }
                }
                rule rule-3 {
                    match {
                        destination-address 64.64.64.68/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.26/32;
                            }
                        }
                    }
                }
                rule rule-4 {
                    match {
                        destination-address 64.64.64.69/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.34/32;
                            }
                        }
                    }
                }
                rule rule-5 {
                    match {
                        destination-address 64.64.64.70/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.35/32;
                            }
                        }
                    }
                }
                rule rule-6 {
                    match {
                        destination-address 64.64.64.71/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.11/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    64.64.64.67/32;
                    64.64.64.68/32;
                    64.64.64.69/32;
                    64.64.64.70/32;
                    64.64.64.71/32;
                    64.64.64.65/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            /* review: the CLI reports the tunnel action as ignored (policy-based VPN is unsupported on
               this platform), so this policy reduces to a plain permit from trust to vpnphones-pool. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address vpnphones-pool;
                    application any;
                }
                then {
                    permit {
                        ##
                        ## Warning: configuration block ignored: unsupported platform (srx320)
                        ##
                        tunnel {
                            ipsec-vpn vpnphone-vpn;
                        }
                    }
                }
            }
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            /* review: highest-impact finding. With the tunnel action ignored, this first-match policy is
               "permit any/any/any from untrust to trust" and shadows policies 2-14 below, which were meant
               to limit untrust access to specific applications on specific hosts. Every host reachable
               from untrust (the static-NAT targets 192.168.1.7/.8/.11/.26/.34/.35) therefore appears open
               on all ports, and these sessions are not logged. Deactivating or re-ordering this policy
               (or moving the phone VPN to a route-based st0 design) would restore the intended
               restrictions; review security.log for unexpected inbound flows in the meantime. */
            policy VPN_Phones_In {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        ##
                        ## Warning: configuration block ignored: unsupported platform (srx320)
                        ##
                        tunnel {
                            ipsec-vpn vpnphone-vpn;
                        }
                    }
                }
            }
            policy 2 {
                match {
                    source-address any;
                    destination-address Bouncer;
                    application junos-smtp;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy 6 {
                match {
                    source-address any;
                    destination-address 192.168.1.8/32;
                    application junos-https;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy 7 {
                match {
                    source-address any;
                    destination-address SSL-VPN;
                    application [ junos-http junos-https NetConnectVPN ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy 11 {
                match {
                    source-address any;
                    destination-address 192.168.1.7/32;
                    application junos-smtp;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy 13 {
                match {
                    source-address any;
                    destination-address 192.168.1.34/32;
                    application [ junos-http junos-https NetConnectVPN ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy 14 {
                match {
                    source-address any;
                    destination-address Rocky2;
                    application junos-https;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            /* review: intrazone untrust permit any/any is only needed if traffic must hairpin on
               ge-0/0/0.0 or pass between ge-0/0/0.0 and st0.0; otherwise consider removing it. */
            policy untrust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* review: several address-book entries are named with their own prefix (192.168.1.7/32 etc.);
               the hostname-style names (Bouncer, Rocky2, SSL-VPN) are easier to audit against policies. */
            address-book {
                address 192.168.1.7/32 192.168.1.7/32;
                address All_oganization_LAN 192.168.0.0/16;
                address Bouncer 192.168.1.26/32;
                address Bullwinkle2 192.168.3.9/32;
                address Mail-server 192.168.1.9/32;
                address Rocky2 192.168.1.11/32;
                address SSL-VPN 192.168.1.35/32;
                address Tweety 192.168.1.218/32;
                address 192.168.1.8/32 192.168.1.8/32;
                address 192.168.1.34/32 192.168.1.34/32;
                address 192.168.0.0/16 192.168.0.0/16;
            }
            /* review: all system-services and all protocols are accepted from the LAN; this is what
               exposes telnet, xnm-clear-text and HTTP J-Web to every trust-zone host. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address 64.64.64.65/32 64.64.64.65/32;
                address 64.64.64.67/32 64.64.64.67/32;
                address 64.64.64.68/32 64.64.64.68/32;
                address 64.64.64.69/32 64.64.64.69/32;
                address 64.64.64.70/32 64.64.64.70/32;
                address 64.64.64.71/32 64.64.64.71/32;
                address vpnphones-pool 192.168.250.0/24;
            }
            screen untrust-screen;
            /* review: untrust accepts only ike, ping and traceroute, so the cleartext management services
               are not reachable from the Internet interface. */
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ike;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description Internet;
            family inet {
                address 64.222.180.114/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
snmp {
    name SRX320;
}
routing-options {
    static {
        route 192.168.0.0/16 next-hop 192.168.1.1;
        route 172.16.8.0/24 next-hop 192.168.1.1;
        route 192.168.200.0/24 next-hop 192.168.1.36;
        route 0.0.0.0/0 next-hop 64.222.180.113;
    }
}
access {
    /* review: Remote_User_Pool and vpnphonespool are not referenced by any profile in this dump (profile
       xauth uses address-assignment pool vpn-phone-pool); presumably leftovers. */
    address-pool Remote_User_Pool {
        address-range low 192.168.99.1 high 192.168.99.50;
    }
    address-pool vpnphonespool {
        address-range low 172.16.150.1 high 172.16.150.50;
    }
    /* review: about fifty per-user static XAuth passwords are stored here as reversible "$9$" strings, so
       anyone who can read this config can recover them, and there is no lockout or expiry on local
       passwords. An external authentication-order (RADIUS/LDAP) would keep user credentials off the
       device; at minimum treat a leak of this file as a compromise of every listed account. */
    profile xauth {
        authentication-order password;
        client achaine {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$gIaDi.P5/ApF3"; ## SECRET-DATA
            }
        }
        client acolby {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$/uieAO1hSrKWL1I"; ## SECRET-DATA
            }
        }
        client adadura {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$DnHfTz36Cp06/"; ## SECRET-DATA
            }
        }
        client ahannan {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$VfsoJDikQ36.m"; ## SECRET-DATA
            }
        }
        client angel {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$iq5Qn/CA0Bn6"; ## SECRET-DATA
            }
        }
        client areed {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$m536Ap0IhSOB"; ## SECRET-DATA
            }
        }
        client asanborn {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$m536Ap0IhSpu"; ## SECRET-DATA
            }
        }
        client asmith {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$QyMs3CtO1RrKMcS"; ## SECRET-DATA
            }
        }
        client aswihart {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$HqTz9ApIhSpuxN"; ## SECRET-DATA
            }
        }
        client bgenschel {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$NkV24ZUjHmfDj"; ## SECRET-DATA
            }
        }
        client bjoyce {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$sJgZUHqm3/CmP"; ## SECRET-DATA
            }
        }
        client cgrant {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$9u9StBIcylKWLle"; ## SECRET-DATA
            }
        }
        client cmorse {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$m536Ap0OIEpu"; ## SECRET-DATA
            }
        }
        /* review: dcook is the only client that also carries a pap-password; confirm whether PAP is
           actually needed for this user. */
        client dcook {
            pap-password "$9$2toUjqmfT36q."; ## SECRET-DATA
            client-group remoteuser-grp;
            firewall-user {
                password "$9$DNHP5Fn/CuOF3"; ## SECRET-DATA
            }
        }
        client ecurtis {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$CV5np1RSreMLxhc"; ## SECRET-DATA
            }
        }
        client geri {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$TF9A0BIlvWSy"; ## SECRET-DATA
            }
        }
        client hsantos {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$ZjDqmTz3t0BQz"; ## SECRET-DATA
            }
        }
        client jolinn {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$sg2ZUqmf3/Cf5hS"; ## SECRET-DATA
            }
        }
        client jpreble {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$TF9A0BIrKMIR"; ## SECRET-DATA
            }
        }
        client jrexford {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$6w//CO1RhSlvWhc"; ## SECRET-DATA
            }
        }
        client jwolinski {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$GHj.PQFn6Apf5"; ## SECRET-DATA
            }
        }
        client kaustin {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$SzBrWLdbsaGDsYQF"; ## SECRET-DATA
            }
        }
        client kbell {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$FPtUntuRhSv8XSygo"; ## SECRET-DATA
            }
        }
        client kcaldwell {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$SYhlWLNdbwgo8L"; ## SECRET-DATA
            }
        }
        client kcheney {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$DeHP5Fn/CuO3n"; ## SECRET-DATA
            }
        }
        client kcline {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$buYaZjHqTFnHk"; ## SECRET-DATA
            }
        }
        client kitchen {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$zxqmFCtp0BIcypu"; ## SECRET-DATA
            }
        }
        client lcaron {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$uF0SBhSevW7dbKv"; ## SECRET-DATA
            }
        }
        client ljohnson {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$Q0wSnApEcylvWyr"; ## SECRET-DATA
            }
        }
        client lking {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$upnaBcylKML7-W8"; ## SECRET-DATA
            }
        }
        client lkingsbury {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$1.eEreWLx7db8L"; ## SECRET-DATA
            }
        }
        client lsanborn {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$yj/e8X-VwgaZx7"; ## SECRET-DATA
            }
        }
        client lwoods {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$ecsMxNbs2Uikoa"; ## SECRET-DATA
            }
        }
        client mgarnett {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$8QzXVwoJGkmfGUAp"; ## SECRET-DATA
            }
        }
        client mlachance {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$25oUjqmf5FnHk"; ## SECRET-DATA
            }
        }
        client mlambert {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$ogZikP5QF/CmP"; ## SECRET-DATA
            }
        }
        client msmith {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$VnsoJDikqP5Hk"; ## SECRET-DATA
            }
        }
        client nance {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$kmQF/CtOIEtp"; ## SECRET-DATA
            }
        }
        client nmichaud {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$eSsMxNbs2JUjsY"; ## SECRET-DATA
            }
        }
        client nora {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$mf36p0BcreB1db"; ## SECRET-DATA
            }
        }
        /* review: remuser1 is not a person-style name like the others; confirm it is not a shared or
           test account that should be retired. */
        client remuser1 {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$aBZHqTz3AuO3nev"; ## SECRET-DATA
            }
        }
        client rmorrell {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$zufanApBIErKMB1"; ## SECRET-DATA
            }
        }
        client robynne {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$H.Tz69ApBIAt"; ## SECRET-DATA
            }
        }
        client sbrown {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$9RPptBIcyl8xNSy"; ## SECRET-DATA
            }
        }
        client sday {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$X1tNwYoJGDHq2g"; ## SECRET-DATA
            }
        }
        client spettegrow {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$E1sSKMX7-ds2x7"; ## SECRET-DATA
            }
        }
        client sshay {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$.fFnCtuRcyOB"; ## SECRET-DATA
            }
        }
        client tcaso {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$s9gZUHqmPQF.m"; ## SECRET-DATA
            }
        }
        client tsanders {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$1-KEreWLx7VweK"; ## SECRET-DATA
            }
        }
        client vcole {
            client-group remoteuser-grp;
            firewall-user {
                password "$9$dIsoJk.PTFniH"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool vpn-phone-pool;
        }
    }
    profile Local {
        authentication-order password;
    }
    profile auth {
        authentication-order password;
    }
    /* review: client vpnphoneike defines only a client-group and no credential, and the gateway references
       profile xauth rather than this profile; it is unclear whether it is used at all. */
    profile ike {
        client vpnphoneike client-group vpnphoneike3;
    }
    address-assignment {
        pool vpn-phone-pool {
            family inet {
                network 192.168.250.0/24;
                range vpn_range {
                    low 192.168.250.10;
                    high 192.168.250.200;
                }
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile auth;
        }
        web-authentication {
            default-profile auth;
        }
    }
}
applications {
    /* review: only NetConnectVPN is referenced by a policy (7 and 13). Custom_ANY matches every TCP and
       UDP port, i.e. it is equivalent to "any" and is a footgun if someone later uses it; BES and
       cust-icmp-info are also unreferenced in this dump. */
    application NetConnectVPN {
        term NetConnectVPN protocol udp source-port 0-65535 destination-port 4500-4500;
    }
    application Custom_ANY {
        term Custom_ANY protocol tcp source-port 0-65535 destination-port 0-65535;
        term Custom_ANY_1 protocol udp source-port 0-65535 destination-port 0-65535;
    }
    application BES {
        term BES protocol tcp source-port 3101-3101 destination-port 3101-3101;
    }
    application cust-icmp-info {
        term t1 protocol icmp icmp-type 15 icmp-code 0 inactivity-timeout 1800;
    }
}
root>