## Last changed: 2016-11-27 00:52:40 HKT
version 12.1X46-D35.1;
/* SRX220H branch firewall: zones Internal (192.168.0.0/24 behind ge-0/0/1.0), DMZ (192.168.20.0/24 on ge-0/0/2.0) */
/* and Internet (ge-0/0/0.0), plus a dynamic remote-access VPN (client-vpn) and a route-based site-to-site VPN */
/* to WarehouseB over st0.1. Review notes are marked NOTE(review) and point at things to confirm, not changes made. */
system {
    host-name SRX220H2;
    time-zone Asia/Hong_Kong;
    root-authentication {
        /* NOTE(review): the "$1$" prefix denotes an MD5-crypt hash; treat these values as sensitive. */
        encrypted-password "$1$B6fXP7Y7$hMqyicmYZBPZLUIp.Auxd0"; ## SECRET-DATA
    }
    name-server {
        202.130.97.65;
        202.130.97.66;
    }
    login {
        /* Both local accounts are super-user; there is no lower-privilege login class defined. */
        user administrator {
            full-name "MJB Admin";
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$yj397hlV$MXGjoeWdP/SDmBnr8MJgT."; ## SECRET-DATA
            }
        }
        user peter {
            full-name "Peter Wong";
            uid 2003;
            class super-user;
            authentication {
                encrypted-password "$1$nhDcFcfB$Xk8NrdrXzEruVhs367Tu2."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        /* NOTE(review): telnet is a cleartext management service. It is reachable wherever host-inbound-traffic */
        /* allows it: explicitly on ge-0/0/1.0, and implicitly on every interface that inherits a zone-level "all" (see zones). */
        telnet;
        web-management {
            management-url admin;
            /* Cleartext HTTP management is limited to the LAN interface ge-0/0/1.0. */
            http {
                interface ge-0/0/1.0;
            }
            /* HTTPS is also bound to the Internet-facing ge-0/0/0.0 (which admits https in its host-inbound-traffic) and to vlan.0. */
            /* The certificate is self-signed by the device, so clients cannot validate it against a CA. */
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 vlan.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            /* DHCP for the DMZ segment; the firewall (192.168.20.1) is handed out as both router and DNS. */
            pool 192.168.20.0/24 {
                address-range low 192.168.20.50 high 192.168.20.60;
                name-server {
                    192.168.20.1;
                }
                router {
                    192.168.20.1;
                }
                /* NOTE(review): propagate-settings names ge-0/0/2.0, the statically addressed interface that serves this */
                /* pool; presumably an upstream DHCP-client interface was intended -- verify. */
                propagate-settings ge-0/0/2.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* Session log for the policies that set "log session-init/session-close" (RT_FLOW events). */
        /* NOTE(review): world-readable makes this archive readable by every login class on the device. */
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
        /* IKE/IPsec daemon log; useful when the VPNs below fail to establish. */
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* Single NTP source with no authentication key configured. */
    ntp {
        server 118.103.146.184;
    }
}
interfaces {
    /* Internet uplink; also the external-interface for both IKE gateways. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 218.255.187.42/29;
            }
        }
    }
    /* Internal LAN (zone Internal). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.90/24;
            }
        }
    }
    /* DMZ segment (zone DMZ); DHCP server address for the pool above. */
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.20.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    /* Tunnel interface bound to the WarehouseB site-to-site VPN (security ipsec vpn BFSQLMW-WarehouseB). */
    st0 {
        unit 1 {
            family inet {
                address 192.168.200.11/32;
            }
        }
    }
    /* NOTE(review): vlan.0 carries the same address as ge-0/0/0.0 and is placed in zone Internal below */
    /* although the VLAN is named Internet-VLAN -- confirm this is intended. */
    vlan {
        unit 0 {
            family inet {
                address 218.255.187.42/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 218.255.187.41;
        /* Route-based VPN: the WarehouseB LAN is reached through st0.1. */
        route 192.168.6.0/24 next-hop st0.1;
    }
}
protocols {
    stp;
}
security {
    ike {
        /* Aggressive mode with a group IKE ID and one pre-shared key, as used by the dynamic-VPN gateway below; */
        /* every remote-access user shares this PSK. */
        /* NOTE(review): "$9$" values are Junos obfuscation, not one-way hashes -- the key is recoverable from this file. */
        /* NOTE(review): "standard" is a vendor pre-defined proposal set (DH group 2 / SHA-1 class, to my understanding); */
        /* confirm it still meets policy. */
        policy client-vpn-ike-pol {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$mPz6/9tOIcCtxds4DjCtu0BESre"; ## SECRET-DATA
        }
        /* Site-to-site policy: main mode, PSK (same "$9$" caveat as above). */
        policy ike_pol_BFSQLMW-WarehouseB {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QfXZ3nC0ORhylOBLx-dsYfTQnApRhSyKM0O-Vws4oFn6"; ## SECRET-DATA
        }
        /* Remote-access gateway; XAuth users come from access profile client-vpn-access-profile. */
        /* NOTE(review): connections-limit caps concurrent sessions at 10 while 12 user names are listed under dynamic-vpn. */
        /* NOTE(review): external-interface is written without a unit here but as ge-0/0/0.0 on the other gateway. */
        gateway client-vpn-gw {
            ike-policy client-vpn-ike-pol;
            dynamic {
                hostname dynvpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/0;
            xauth access-profile client-vpn-access-profile;
        }
        /* Site-to-site peer. local-identity is 218.255.187.43 (the static-NAT / proxy-ARP address), not the interface address .42. */
        gateway gw_BFSQLMW-WarehouseB {
            ike-policy ike_pol_BFSQLMW-WarehouseB;
            address 113.105.118.111;
            local-identity inet 218.255.187.43;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* No perfect-forward-secrecy on the remote-access policy, unlike the site-to-site policy below. */
        policy client-vpn-ipsec-pol {
            proposal-set standard;
        }
        policy ipsec_pol_BFSQLMW-WarehouseB {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        /* Policy-based VPN: referenced by "permit tunnel" in policy client-vpn-access. */
        vpn client-vpn {
            ike {
                gateway client-vpn-gw;
                ipsec-policy client-vpn-ipsec-pol;
            }
            establish-tunnels immediately;
        }
        /* Route-based VPN bound to st0.1 (see the static route to 192.168.6.0/24). */
        vpn BFSQLMW-WarehouseB {
            bind-interface st0.1;
            ike {
                gateway gw_BFSQLMW-WarehouseB;
                ipsec-policy ipsec_pol_BFSQLMW-WarehouseB;
            }
            establish-tunnels immediately;
        }
    }
    dynamic-vpn {
        access-profile client-vpn-access-profile;
        clients {
            /* Protected resource 192.168.0.0/24 with exception 0.0.0.0/0: presumably a split tunnel that sends only the */
            /* LAN prefix through the VPN -- verify against actual client behaviour. */
            /* NOTE(review): both "Tony" and "tony" are listed; only "tony" has a client entry in the access profile below. */
            all {
                remote-protected-resources {
                    192.168.0.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn client-vpn;
                user {
                    CarmenVPN;
                    Ghassan;
                    Tony;
                    branford1;
                    branford2;
                    tony;
                    warehouse1;
                    warehouse2;
                    warehouse3;
                    warehouse4;
                }
            }
            /* Same protected resource, but no remote-exceptions for this user. */
            dany {
                remote-protected-resources {
                    192.168.0.0/24;
                }
                ipsec-vpn client-vpn;
                user {
                    dany;
                }
            }
            WarehouseB {
                remote-protected-resources {
                    192.168.0.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn client-vpn;
                user {
                    Huajunx;
                }
            }
        }
    }
    screen {
        /* NOTE(review): untrust-screen is defined but no security-zone references it ("screen untrust-screen" is */
        /* absent from every zone below), so none of these checks are applied. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface (PAT) source NAT for all Internal -> Internet traffic. DMZ -> Internet has no source-NAT rule here. */
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Unused: no destination-nat rule references this pool. */
            pool 192_168_0_90_ {
                address 192.168.0.90/32;
            }
            pool Terminal-Server {
                address 192.168.0.13/32 port 3389;
            }
            /* Unused: no destination-nat rule references this pool. */
            pool Middleware-In {
                address 192.168.20.25/32 port 3389;
            }
            rule-set nsw_destnat {
                from zone Internet;
                /* RDP from the listed sources to the public address .42 is mapped to 192.168.0.13:3389. */
                /* NOTE(review): the first entry is written 107.161.13.161/28 while the address-book entry MJB is */
                /* 107.161.13.160/28 -- same /28, different notation. */
                rule Terminal-Server {
                    description "Access I-Trader Terminal server";
                    match {
                        source-address [ 107.161.13.161/28 70.52.214.121/32 103.253.10.170/32 210.177.243.8/32 218.189.193.69/32 ];
                        destination-address 218.255.187.42/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat {
                            pool {
                                Terminal-Server;
                            }
                        }
                    }
                }
            }
        }
        /* 1:1 mapping of the second public address .43 to the DMZ middleware host. */
        static {
            rule-set Middleware {
                from zone Internet;
                rule Middleware {
                    match {
                        destination-address 218.255.187.43/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.20.25/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            /* NOTE(review): proxy-ARP for the dynamic-VPN pool (192.168.15.50-60) is configured on vlan.0, whose address */
            /* is 218.255.187.42/29 -- confirm this is the interface on which the LAN will ARP for those addresses. */
            interface vlan.0 {
                address {
                    192.168.15.50/32 to 192.168.15.60/32;
                }
            }
            /* Needed so the uplink answers ARP for the static-NAT address .43. */
            interface ge-0/0/0.0 {
                address {
                    218.255.187.43/32 to 218.255.187.43/32;
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Internal {
            /* NOTE(review): application any from the listed sources to the whole LAN, although the destination NAT */
            /* above only maps port 3389 to 192.168.0.13. */
            policy Terminal-Server {
                match {
                    source-address [ MJB Group-Erc-PublicP Kevin-BT2spoke Kevin-SysScan Tecnica-IT ];
                    destination-address Branford_lan;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* any/any/any, but "permit tunnel" ties the match to the client-vpn IPsec tunnel (policy-based VPN); */
            /* session start/end are logged to file policy_session. */
            policy client-vpn-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn client-vpn;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone Internal to-zone Internet {
            policy A-internal-internet {
                match {
                    source-address Branford_lan;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* BFTS (192.168.0.13) is already covered by Branford_lan in the policy above. */
            policy Allow-Internet {
                match {
                    source-address BFTS;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone DMZ {
            policy Internal-DMZ {
                match {
                    source-address Branford_lan;
                    destination-address BFSQL-MW;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone Internal {
            /* Only the middleware host may reach the Internal SQL host; no other DMZ -> Internal traffic is permitted here. */
            policy DMZ-BFSQL {
                match {
                    source-address BFSQL-MW;
                    destination-address BFSQL;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone Internet {
            policy DMZ-Internet {
                match {
                    source-address BFSQL-MW;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* DMZ -> WarehouseB LAN over st0.1 (st0.1 is a member of zone Internet). */
            policy policy_out_BFSQLMW-WarehouseB {
                match {
                    source-address addr_192_168_20_0_24;
                    destination-address addr_192_168_6_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone DMZ {
            /* Only the WarehouseB subnet is permitted into the DMZ. Assuming the Junos default deny-all policy, the */
            /* static NAT to 218.255.187.43 is therefore not usable from arbitrary Internet sources -- confirm that is intended. */
            policy policy_in_BFSQLMW-WarehouseB {
                match {
                    source-address addr_192_168_6_0_24;
                    destination-address addr_192_168_20_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* NOTE(review): a zone-level host-inbound-traffic of "all/all" is inherited by every member interface that has no */
        /* interface-level block of its own. Only ge-0/0/1.0, ge-0/0/0.0 and ge-0/0/2.0 are narrowed below; */
        /* ge-0/0/3.0 .. ge-0/0/7.0, vlan.0 and st0.1 accept every system service and protocol. */
        security-zone Internal {
            address-book {
                address Branford_lan 192.168.0.0/24;
                address BFTS 192.168.0.13/32;
                address BFSQL 192.168.0.16/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.0;
                ge-0/0/7.0;
                vlan.0;
            }
        }
        security-zone Internet {
            address-book {
                address MJB 107.161.13.160/28;
                address Group-Erc-PublicP 70.52.214.121/32;
                address Kevin-BT2spoke 103.253.10.170/32;
                address Kevin-SysScan 210.177.243.8/32;
                address addr_192_168_6_0_24 192.168.6.0/24;
                address Tecnica-IT 218.189.193.69/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* The uplink itself only admits https (web management) and ike. */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ike;
                        }
                    }
                }
                /* NOTE(review): st0.1 inherits the zone-level "all" above, so every management service (including telnet) */
                /* is reachable from the WarehouseB tunnel. */
                st0.1;
            }
        }
        security-zone DMZ {
            address-book {
                address BFSQL-MW 192.168.20.25/32;
                address addr_192_168_20_0_24 192.168.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
access {
    /* XAuth user database for the dynamic VPN: local passwords only (authentication-order password). */
    /* NOTE(review): the "$9$" values are reversible Junos obfuscation, not password hashes. */
    profile client-vpn-access-profile {
        authentication-order password;
        client CarmenVPN {
            firewall-user {
                password "$9$vnyWXNwY4ZDHdbs4JG.m0B1Iyl"; ## SECRET-DATA
            }
        }
        client Ghassan {
            firewall-user {
                password "$9$HmQ3n/tu0I36eWLXbwgoJGkPQF/9tu"; ## SECRET-DATA
            }
        }
        client Huajunx {
            firewall-user {
                password "$9$mTn9CtOhclP51REhrls2goUj"; ## SECRET-DATA
            }
        }
        client branford1 {
            firewall-user {
                password "$9$ybhlv8NdwgaGX7-w24jiCtp0Ec"; ## SECRET-DATA
            }
        }
        client branford2 {
            firewall-user {
                password "$9$pgFO01EreMXNVcylMLxsYP5TQ/C"; ## SECRET-DATA
            }
        }
        client dany {
            firewall-user {
                password "$9$NPVbY2gaDHmaZUHk.F3Srle8XxNdVs2"; ## SECRET-DATA
            }
        }
        client tony {
            firewall-user {
                password "$9$BumEyeX7Vg4ZNdDk.fn6evWLxdYgoGjH2g"; ## SECRET-DATA
            }
        }
        client warehouse1 {
            firewall-user {
                password "$9$-GVsgZUi.fQoJGiqm3nSrle8X"; ## SECRET-DATA
            }
        }
        client warehouse2 {
            firewall-user {
                password "$9$B2CIhyvWX-bYlKMXNd4oQF36tu"; ## SECRET-DATA
            }
        }
        client warehouse3 {
            firewall-user {
                password "$9$j7H.fFn9pOITz39tuhcVws2ZU"; ## SECRET-DATA
            }
        }
        client warehouse4 {
            firewall-user {
                password "$9$R2Yhye8XNbY4vWLNVwJZ36/tBI"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool client-vpn-pool;
        }
    }
    /* Client address pool: 11 addresses (.50-.60) for the 12 named users; the gateway's connections-limit 10 */
    /* bounds concurrency anyway. These are the addresses proxy-ARPed on vlan.0 above. */
    address-assignment {
        pool client-vpn-pool {
            family inet {
                network 192.168.15.0/24;
                range client-vpn-pool {
                    low 192.168.15.50;
                    high 192.168.15.60;
                }
                xauth-attributes {
                    primary-dns 192.168.0.8/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile client-vpn-access-profile;
        }
    }
}
vlans {
    /* NOTE(review): named Internet-VLAN, yet its l3-interface vlan.0 is a member of zone Internal -- confirm the */
    /* intended zone for the switched ports ge-0/0/3 .. ge-0/0/7. */
    Internet-VLAN {
        vlan-id 5;
        l3-interface vlan.0;
    }
}