## Last changed: 2012-07-11 01:09:59 BST
/*
 * Junos SRX branch-firewall configuration (12.1R2.9). Hostnames, WAN
 * addresses and all secrets are redacted (xxx / "xxxx…" placeholders).
 * Zones: trust (vlan.0, 192.168.253.0/24), DMZ_ZONE (vlan.1, 192.168.252.0/24),
 * TEST_ZONE (vlan.2, 192.168.25.0/24), untrust (at-1/0/0.0 ADSL), jbvpn (st0.0
 * site-to-site tunnel). Lines marked NOTE(review) are reviewer annotations,
 * not part of the original commit.
 */
version 12.1R2.9;
system {
    host-name router.mydomain;
    domain-name mydomain;
    domain-search mydomain;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    }
    name-server {
        212.159.13.49;
        212.159.13.50;
        192.168.253.230;
    }
    login {
        /* Single super-user account; the "monitor" account below is read-only. */
        user john {
            full-name "John Baker";
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
        }
        user monitor {
            full-name "Monitor User";
            uid 2001;
            class read-only;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
        }
    }
    services {
        /* NOTE(review): SSH is v2-only with a connection limit, but root-login
         * is left at its default here; "root-login deny" would force use of the
         * named accounts above (the root password is still used on console). */
        ssh {
            protocol-version v2;
            connection-limit 3;
        }
        /* NOTE(review): xnm-clear-text exposes the JUNOScript/NETCONF-style API
         * without TLS on every zone whose host-inbound-traffic permits it (trust,
         * DMZ_ZONE and TEST_ZONE allow "all" below). xnm-ssl is the encrypted
         * equivalent; remove this statement if the API is not in use. */
        xnm-clear-text;
        dns {
            max-cache-ttl 600;
            max-ncache-ttl 300;
            forwarders {
                192.168.253.230;
                212.159.13.49;
                212.159.13.50;
            }
        }
        web-management {
            management-url jweb-noaccess;
            /* NOTE(review): plain-HTTP J-Web on the trust VLAN; HTTPS is already
             * configured, so the http stanza could be dropped to avoid credential
             * submission over cleartext on the LAN. */
            http {
                interface vlan.0;
            }
            /* NOTE(review): HTTPS J-Web is bound to the WAN interface, and the
             * untrust zone permits https inbound, so the J-Web login page is
             * Internet-reachable. This is presumably required for the Dynamic VPN
             * client portal — confirm, and consider limiting it with a firewall
             * filter on at-1/0/0.0 if it is not. */
            https {
                pki-local-certificate SRX;
                interface at-1/0/0.0;
            }
            session {
                idle-timeout 30;
                session-limit 3;
            }
        }
        dhcp {
            maximum-lease-time 10800;
            default-lease-time 3600;
            domain-name mydomain;
            name-server {
                192.168.253.230;
                212.159.13.49;
                212.159.13.50;
            }
            domain-search {
                mydomain;
            }
            /* Option 42 is NTP server; each pool hands out its own gateway plus
             * the zeroshell host (192.168.253.230). */
            pool 192.168.252.0/24 {
                address-range low 192.168.252.1 high 192.168.252.253;
                router {
                    192.168.252.254;
                }
                option 42 array ip-address [ 192.168.252.254 192.168.253.230 ];
            }
            /* Trust pool is .80–.99; .170–.179 is reserved for dynamic-VPN clients
             * (see access address-assignment and nat proxy-arp below). */
            pool 192.168.253.0/24 {
                address-range low 192.168.253.80 high 192.168.253.99;
                router {
                    192.168.253.254;
                }
                option 42 array ip-address [ 192.168.253.254 192.168.253.230 ];
            }
            pool 192.168.25.0/24 {
                address-range low 192.168.25.80 high 192.168.25.99;
                router {
                    192.168.25.254;
                }
                option 42 array ip-address [ 192.168.25.254 192.168.253.230 ];
            }
            /* NOTE(review): this binding fixes routerboard at 192.168.253.99, but
             * the trust address-book entry "routerboard" is 192.168.253.235/32 —
             * one of the two looks stale; verify before relying on the address
             * object in a policy. */
            static-binding 00:0c:42:70:61:3f {
                fixed-address {
                    192.168.253.99;
                }
                host-name routerboard.mydomain;
            }
            static-binding 50:67:f0:61:38:62 {
                fixed-address {
                    192.168.252.1;
                }
                host-name vag.mydomain;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* All facilities at all severities to the SERVER host over UDP/514. */
        host 192.168.253.219 {
            any any;
            port 514;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        boot-server 192.168.253.230;
        server 192.168.253.230 prefer;
        server 93.186.33.42;
        server 217.114.59.66;
    }
}
/* Deactivated: USB WWAN modem on RE port 1 (no failover path while inactive). */
inactive: chassis {
    routing-engine {
        usb-wwan {
            port 1;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/1 {
        description "TEST VLAN 192.168.25.0/24 with 192.168.25.254 gateway";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members TEST_VLAN;
                }
            }
        }
    }
    fe-0/0/2 {
        description "TEST VLAN 192.168.25.0/24 with 192.168.25.254 gateway";
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members TEST_VLAN;
                }
            }
        }
    }
    fe-0/0/3 {
        description "Interface connected to Grandstream GXP3140 SIP/SKYPE Phone via POE";
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* DMZ ports: the SSL VPN appliance's WAN side and the femtocell. */
    fe-0/0/5 {
        description "DMZ Interface connected to Juniper SA700 SSL VPN WAN Port 192.168.252.253";
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DMZ_VLAN;
                }
            }
        }
    }
    fe-0/0/6 {
        description "DMZ Interface connected to Vodafone Sure Signal 192.168.252.1";
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DMZ_VLAN;
                }
            }
        }
    }
    fe-0/0/7 {
        description "Interface connected to Dell Switch Port 1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* ADSL uplink: PPPoA over ATM VC 0/38, address negotiated from the ISP. */
    at-1/0/0 {
        description "ADSL2+ Annex M connection to Plusnet";
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description "PPPoA to PlusNet";
            encapsulation atm-ppp-vc-mux;
            vci 0.38;
            ppp-options {
                chap {
                    /* NOTE(review): both values are redaction placeholders; the
                     * trailing "t" in the local-name placeholder looks like a typo
                     * introduced while redacting rather than part of the real
                     * credential — confirm against the live config. */
                    default-chap-secret "PPP PASSWORD";
                    local-name "PPP USERNAMEt";
                    passive;
                }
            }
            keepalives interval 5 up-count 3 down-count 6;
            family inet {
                sampling {
                    input;
                    output;
                }
                negotiate-address;
            }
        }
    }
    /* Unnumbered tunnel interface bound by vpn ipsec-vpn-cfgr. */
    st0 {
        unit 0 {
            family inet {
            }
        }
    }
    /* L3 gateways for the three VLANs (see vlans stanza at the end). */
    vlan {
        unit 0 {
            family inet {
                address 192.168.253.254/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.252.254/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.25.254/24;
            }
        }
    }
}
snmp {
    description Router;
    location Office;
    /* NOTE(review): the contact string has an opening quote but no closing one;
     * as written this line will not parse on load. It was most likely damaged
     * during redaction — restore it as `contact "John";` (or the real value). */
    contact "John;
    /* NOTE(review): "public" is the well-known default SNMPv1/v2c community.
     * Access is read-only and restricted to the trust subnet by the clients
     * list, which limits the exposure; renaming the community (or moving to
     * SNMPv3 with authentication) would remove the guessable default. */
    community public {
        authorization read-only;
        clients {
            192.168.253.0/24;
        }
    }
}
routing-options {
    static {
        /* Default route via the ADSL PPP session; 192.168.0.0/24 is the remote
         * site behind the st0.0 IPsec tunnel. */
        route 0.0.0.0/0 {
            qualified-next-hop at-1/0/0.0 {
                metric 1;
            }
        }
        route 192.168.0.0/24 next-hop st0.0;
    }
}
security {
    /* NOTE(review): security (flow/session) logs are kept in the on-box cache
     * rather than streamed to the syslog host configured under system syslog;
     * confirm this is intended, since cached logs are lost on reboot. */
    log {
        cache;
        utc-timestamp;
    }
    /* Encrypts stored keys/PSKs in the configuration file. */
    key-protection;
    pki {
        /* NOTE(review): certificate revocation checking is fully disabled for
         * this CA profile, so a revoked certificate would still be accepted.
         * The profile is used only for the J-Web server certificate here, so
         * the impact is limited, but it is worth stating deliberately. */
        ca-profile SRX {
            ca-identity COMODO;
            revocation-check {
                disable;
                crl {
                    disable on-download-failure;
                }
            }
        }
    }
    ike {
        /* Proposal used by the dynamic (remote-access) VPN: DH group 5 + SHA-1.
         * The site-to-site proposal below uses group 14 + SHA-256. */
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        proposal ike-proposal-aes-256 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        /* NOTE(review): ike-proposal-aes-128 and ipsec-proposal-aes-128 are not
         * referenced by any policy in this file — appear to be dead config. */
        proposal ike-proposal-aes-128 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 14400;
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ike-proposal-aes-256;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        }
        /* NOTE(review): IKEv1 aggressive mode with a group pre-shared key sends
         * the identity and the PSK-derived hash before encryption, so the shared
         * PSK is exposed to offline guessing by anyone who can observe or
         * initiate an exchange. The Dynamic VPN client on this release likely
         * requires aggressive mode — if so, compensate with a long random PSK
         * and the connections-limit already set on the gateway. */
        policy ike_pol_wizard_dyn_vpn {
            mode aggressive;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        }
        /* Site-to-site gateway: IKEv2 only, with DPD. */
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address xxx.xxx.xxx.xx9;
            dead-peer-detection {
                interval 30;
                threshold 2;
            }
            local-identity inet xxx.xxx.xxx.xx5;
            external-interface at-1/0/0.0;
            version v2-only;
        }
        /* Remote-access gateway: group IKE ID plus XAuth against the local
         * access profile (users john / john-backup), max 6 concurrent peers. */
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname router.mydomain;
                connections-limit 6;
                ike-user-type group-ike-id;
            }
            external-interface at-1/0/0.0;
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        proposal ipsec-proposal-aes-256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        proposal ipsec-proposal-aes-128 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 14400;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals ipsec-proposal-aes-256;
        }
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-cfgr;
        }
        /* Route-based site-to-site VPN on st0.0, brought up on demand. */
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            ike {
                gateway ike-gate-cfgr;
                idle-time 120;
                proxy-identity {
                    local 192.168.253.0/24;
                    remote 192.168.0.0/24;
                }
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels on-traffic;
        }
        /* Policy-based remote-access VPN, referenced from the untrust->trust
         * tunnel policy below. */
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    /* All ALGs disabled except IKE/ESP NAT traversal (needed for the SSL VPN
     * appliance's UDP/4500 destination NAT and the dynamic VPN). */
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    application-tracking {
        disable;
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                /* Only the three internal subnets go through the tunnel. */
                remote-protected-resources {
                    192.168.253.0/24;
                    192.168.252.0/24;
                    192.168.25.0/24;
                }
                /* NOTE(review): 0.0.0.0/0 as a remote-exception means the client
                 * split-tunnels — Internet traffic leaves the client directly
                 * rather than via this firewall's policies. Intentional here,
                 * but worth knowing when reasoning about what the VPN protects. */
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    john;
                    john-backup;
                }
            }
        }
    }
    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        tcp-mss {
            all-tcp {
                mss 1452;
            }
            ipsec-vpn {
                mss 1400;
            }
        }
        tcp-session {
            rst-invalidate-session;
            rst-sequence-check;
            strict-syn-check;
        }
    }
    screen {
        /* Applied to the untrust zone only. */
        ids-option untrust-screen {
            icmp {
                large;
                ping-death;
            }
            ip {
                bad-option;
                security-option;
                /* NOTE(review): the IP spoofing screen is deactivated on the
                 * Internet-facing zone. If it was disabled to work around the
                 * PPP negotiated address or the tunnel, record why; otherwise
                 * re-activate it. */
                inactive: spoofing;
                source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 10;
                }
                land;
                winnuke;
            }
        }
    }
    nat {
        source {
            /* One public /32 per zone. ADSL_WAN_IP_0 (xx5, the PPP/IKE local
             * address) is not referenced by any rule-set. */
            pool ADSL_WAN_IP_0 {
                address {
                    xxx.xxx.xxx.xx5/32;
                }
            }
            pool ADSL_WAN_IP_1 {
                address {
                    xxx.xxx.xxx.xx6/32;
                }
            }
            pool ADSL_WAN_IP_2 {
                address {
                    xxx.xxx.xxx.xx7/32;
                }
            }
            pool ADSL_WAN_IP_3 {
                address {
                    xxx.xxx.xxx.xx8/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-source-nat-rule {
                    match {
                        source-address 192.168.253.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_1;
                            }
                        }
                    }
                }
            }
            rule-set DMZ_to_untrust {
                from zone DMZ_ZONE;
                to zone untrust;
                rule dmz-source-nat-rule {
                    match {
                        source-address 192.168.252.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_2;
                            }
                        }
                    }
                }
            }
            rule-set TEST_to_untrust {
                from zone TEST_ZONE;
                to zone untrust;
                rule test-source-nat-rule {
                    match {
                        source-address 192.168.25.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_3;
                            }
                        }
                    }
                }
            }
        }
        destination {
            /* Inbound TCP/443 and UDP/4500 on the DMZ public IP (xx7) are
             * forwarded to the SA700 SSL VPN appliance. Permitted by policy
             * WAN_SSL_ALLOW (untrust -> DMZ_ZONE). */
            pool DSTNAT-SSL-VPN-LAN-HTTPS {
                address 192.168.252.253/32 port 443;
            }
            pool DSTNAT-SSL-VPN-LAN-ESP {
                address 192.168.252.253/32 port 4500;
            }
            /* NOTE(review): the rule-set name says TO_TRUST but both rules
             * translate to a DMZ_ZONE host; a name such as PAT_FROM_UNTRUST_TO_DMZ
             * would match what it does. */
            rule-set PAT_FROM_UNTRUST_TO_TRUST {
                from zone untrust;
                rule PAT_SSL_VPN {
                    match {
                        destination-address xxx.xxx.xxx.xx7/32;
                        destination-port 4500;
                        protocol udp;
                    }
                    then {
                        destination-nat pool DSTNAT-SSL-VPN-LAN-ESP;
                    }
                }
                rule PAT_HTTPS_SSL_VPN {
                    match {
                        destination-address xxx.xxx.xxx.xx7/32;
                        destination-port 443;
                        protocol tcp;
                    }
                    then {
                        destination-nat pool DSTNAT-SSL-VPN-LAN-HTTPS;
                    }
                }
            }
        }
        /* Answer ARP on the trust VLAN for the dynamic-VPN client pool
         * (192.168.253.170-179) so LAN hosts can reach tunnelled clients. */
        proxy-arp {
            interface vlan.0 {
                address {
                    192.168.253.170/32 to 192.168.253.179/32;
                }
            }
        }
    }
    policies {
        /* NOTE(review): the last policy in this context, trust-to-any-allow-ALL,
         * permits any application from the trust subnet, so the four preceding
         * application-specific policies never deny anything — they only provide
         * per-application counters. If egress filtering is the goal, remove the
         * allow-ALL policy (and expect to add explicit rules for NTP, SSH, etc.);
         * if not, the specific policies can be collapsed. Policies are matched
         * top to bottom, first match wins. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust-allow-DNS {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy trust-to-untrust-allow-http {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy trust-to-untrust-allow-HTTPS {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy trust-to-any-allow-email {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application [ junos-pop3 junos-imap junos-smtp IMAPS SSMTP ];
                }
                then {
                    permit;
                }
            }
            policy trust-to-untrust-allow-ftp {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
            policy trust-to-any-allow-ALL {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ_ZONE to-zone untrust {
            policy DMZVLAN-to-untrust {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Only the JOHN host may initiate into the DMZ from trust. */
        from-zone trust to-zone DMZ_ZONE {
            policy Allow_John_to_DMZ_VLAN {
                match {
                    source-address JOHN;
                    destination-address addr_192_168_252_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* DMZ hosts may reach trust only for NTP/DNS (zeroshell) and syslog
         * (SERVER); everything else falls to default-policy deny-all. */
        from-zone DMZ_ZONE to-zone trust {
            policy DMZ_VLAN_ALLOW_NTP {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address zeroshell;
                    application junos-ntp;
                }
                then {
                    permit;
                }
            }
            policy DMZ_VLAN_ALLOW_SYSLOG_TO_SERVER {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address SERVER;
                    application junos-syslog;
                }
                then {
                    permit;
                }
            }
            policy DMZ_VLAN_ALLOW_DNS {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address zeroshell;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the Internet to the SSL VPN appliance only (HTTPS and
         * IKE NAT-T), matching the destination NAT rules above. */
        from-zone untrust to-zone DMZ_ZONE {
            policy WAN_SSL_ALLOW {
                match {
                    source-address any;
                    destination-address SSL-VPN-WAN;
                    application [ junos-https junos-ike-nat ];
                }
                then {
                    permit;
                }
            }
        }
        /* any/any/any, but tunnel-bound: only traffic arriving through the
         * wizard_dyn_vpn IPsec SA (authenticated remote-access clients) is
         * permitted; cleartext Internet traffic does not match. */
        from-zone untrust to-zone trust {
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        /* Site-to-site: full access both ways between 192.168.253.0/24 and the
         * remote 192.168.0.0/24. */
        from-zone trust to-zone jbvpn {
            policy trust-jbvpn-cfgr {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address addr_192_168_0_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone jbvpn to-zone trust {
            policy jbvpn-trust-cfgr {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address addr_192_168_253_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): TEST_ZONE has unrestricted any/any access into trust
         * (and vice versa), so it is a separate broadcast domain but not a
         * security boundary. Acceptable for a lab VLAN; if untrusted devices
         * are plugged into ge-0/0/1 / fe-0/0/2 this should be tightened. */
        from-zone TEST_ZONE to-zone trust {
            policy TEST_to_TRUST {
                description "All from TEST to TRUST";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone TEST_ZONE {
            policy TRUST_to_TEST {
                description "All from TRUST to TEST ZONE";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone TEST_ZONE to-zone untrust {
            policy TEST_to_UNTRUST {
                match {
                    source-address addr_192_168_25_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Anything not matched above is dropped (e.g. untrust -> TEST_ZONE,
         * DMZ_ZONE -> TEST_ZONE, jbvpn -> DMZ_ZONE). */
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_253_0_24 192.168.253.0/24;
                address bluecoat 192.168.253.1/32;
                address dd-wrt-x86 192.168.253.2/32;
                address JOHN 192.168.253.10/32;
                address teresa 192.168.253.11/32;
                address TX-NR906 192.168.253.40/32;
                address BLURAY 192.168.253.41/32;
                address FOXSAT-HDR 192.168.253.42/32;
                address tv 192.168.253.44/32;
                /* Per-lease objects for the DHCP pool (.85 is absent). */
                address LAN-DHCP-80 192.168.253.80/32;
                address LAN-DHCP-81 192.168.253.81/32;
                address LAN-DHCP-82 192.168.253.82/32;
                address LAN-DHCP-83 192.168.253.83/32;
                address LAN-DHCP-84 192.168.253.84/32;
                address LAN-DHCP-86 192.168.253.86/32;
                address LAN-DHCP-87 192.168.253.87/32;
                address LAN-DHCP-88 192.168.253.88/32;
                address LAN-DHCP-89 192.168.253.89/32;
                address LAN-DHCP-90 192.168.253.90/32;
                address LAN-DHCP-91 192.168.253.91/32;
                address LAN-DHCP-92 192.168.253.92/32;
                address LAN-DHCP-93 192.168.253.93/32;
                address LAN-DHCP-94 192.168.253.94/32;
                address LAN-DHCP-95 192.168.253.95/32;
                address LAN-DHCP-96 192.168.253.96/32;
                address LAN-DHCP-97 192.168.253.97/32;
                address LAN-DHCP-98 192.168.253.98/32;
                address routerboard 192.168.253.235/32;
                /* .160-.169 and .180-.189: SSL VPN (SA700) client addresses;
                 * .170-.179: SRX dynamic-VPN pool (see access stanza). */
                address USER-JOHN-SSL-VPN-PROXY-ARP-160 192.168.253.160/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-161 192.168.253.161/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-162 192.168.253.162/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-163 192.168.253.163/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-164 192.168.253.164/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-165 192.168.253.165/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-166 192.168.253.166/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-167 192.168.253.167/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-168 192.168.253.168/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-169 192.168.253.169/32;
                address SRX-VPN-PROXY-ARP-USER-170 192.168.253.170/32;
                address SRX-VPN-PROXY-ARP-USER-171 192.168.253.171/32;
                address SRX-VPN-PROXY-ARP-USER-172 192.168.253.172/32;
                address SRX-VPN-PROXY-ARP-USER-173 192.168.253.173/32;
                address SRX-VPN-PROXY-ARP-USER-174 192.168.253.174/32;
                address SRX-VPN-PROXY-ARP-USER-175 192.168.253.175/32;
                address SRX-VPN-PROXY-ARP-USER-176 192.168.253.176/32;
                address SRX-VPN-PROXY-ARP-USER-177 192.168.253.177/32;
                address SRX-VPN-PROXY-ARP-USER-178 192.168.253.178/32;
                address SRX-VPN-PROXY-ARP-USER-179 192.168.253.179/32;
                address SSL-VPN-PROXY-ARP-180 192.168.253.180/32;
                address SSL-VPN-PROXY-ARP-181 192.168.253.181/32;
                address SSL-VPN-PROXY-ARP-182 192.168.253.182/32;
                address SSL-VPN-PROXY-ARP-183 192.168.253.183/32;
                address SSL-VPN-PROXY-ARP-184 192.168.253.184/32;
                address SSL-VPN-PROXY-ARP-185 192.168.253.185/32;
                address SSL-VPN-PROXY-ARP-186 192.168.253.186/32;
                address SSL-VPN-PROXY-ARP-187 192.168.253.187/32;
                address SSL-VPN-PROXY-ARP-188 192.168.253.188/32;
                address SSL-VPN-PROXY-ARP-189 192.168.253.189/32;
                address Brother-A3-Printer 192.168.253.201/32;
                address sip 192.168.253.212/32;
                address SERVER 192.168.253.219/32;
                address NAS 192.168.253.220/32;
                address SWITCH-2716 192.168.253.223/32;
                address hp-microserver 192.168.253.225/32;
                address zeroshell 192.168.253.230/32;
                address DD-WRT-54 192.168.253.250/32;
                address edimax 192.168.253.251/32;
                address SWITCH-6224 192.168.253.252/32;
                address SSL-VPN-LAN 192.168.253.253/32;
                address router 192.168.253.254/32;
            }
            /* Every device service (incl. xnm-clear-text, http, snmp) and every
             * routing protocol is reachable from the LAN; common for a home
             * trust zone, listed here so the exposure is explicit. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address adsl.mydomain xxx.xxx.xxx.xx5/32;
            }
            screen untrust-screen;
            /* Internet-facing: only J-Web HTTPS (dynamic-VPN portal) and IKE
             * terminate on the device itself. */
            host-inbound-traffic {
                system-services {
                    https;
                    ike;
                }
            }
            interfaces {
                at-1/0/0.0;
            }
        }
        security-zone jbvpn {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
            }
            interfaces {
                st0.0;
            }
        }
        security-zone junos-host;
        security-zone DMZ_ZONE {
            address-book {
                address vag 192.168.252.1/32;
                address SSL-VPN-WAN 192.168.252.253/32;
                address addr_192_168_252_0_24 192.168.252.0/24;
                /* NOTE(review): addr_192_168_253_0_24 is the trust subnet and is
                 * not referenced by any DMZ_ZONE policy in this file — looks
                 * unused and can be removed to avoid confusion. */
                address addr_192_168_253_0_24 192.168.253.0/24;
            }
            /* NOTE(review): the DMZ hosts (SSL VPN appliance, femtocell) can
             * reach every management service on the firewall, including the
             * cleartext ones. For a DMZ the usual shape is the minimum the hosts
             * need (dhcp, dns, ping) rather than "all". */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone TEST_ZONE {
            address-book {
                address addr_192_168_25_0_24 192.168.25.0/24;
                /* NOTE(review): the two entries below are other zones' subnets and
                 * are not used by any TEST_ZONE policy in this file. */
                address addr_192_168_252_0_24 192.168.252.0/24;
                address addr_192_168_253_0_24 192.168.253.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
            }
        }
    }
}
access {
    /* XAuth / firewall-authentication users for the dynamic VPN. */
    profile remote_access_profile {
        client john {
            firewall-user {
                password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
        }
        client john-backup {
            firewall-user {
                password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    /* Dynamic-VPN clients get trust-subnet addresses .170-.179, which matches
     * the proxy-arp range on vlan.0 and sits outside the DHCP pool (.80-.99). */
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.253.0/24;
                range dvpn-range {
                    low 192.168.253.170;
                    high 192.168.253.179;
                }
                dhcp-attributes {
                    domain-name mydomain;
                    name-server {
                        192.168.253.230;
                    }
                    wins-server {
                        192.168.253.219;
                    }
                }
                xauth-attributes {
                    primary-dns 192.168.253.230/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
services {
    rpm {
        /* NOTE(review): named dns_check but it is an ICMP ping of the ISP DNS
         * server from the WAN address, i.e. an upstream-reachability probe. */
        probe dns_check {
            test adsl_ping {
                probe-type icmp-ping;
                target address 212.159.13.49;
                probe-count 2;
                test-interval 120;
                source-address xxx.xxx.xxx.xx5;
                thresholds {
                    total-loss 1;
                }
            }
        }
        /* Pings the device's own WAN address from the LAN gateway address. */
        probe adsl_check {
            test adsl_ping {
                probe-type icmp-ping;
                target address xxx.xxx.xxx.xx5;
                probe-count 2;
                test-interval 120;
                source-address 192.168.253.254;
                thresholds {
                    total-loss 1;
                }
            }
        }
    }
}
/* Custom applications for the trust-to-any-allow-email policy. */
applications {
    application SSMTP {
        protocol tcp;
        destination-port 465;
    }
    application IMAPS {
        protocol tcp;
        destination-port 993;
    }
}
/* Outbound relay for device-generated mail; credentials are stored here. */
smtp {
    primary-server {
        address 94.136.40.63;
        login "server@mydomain" {
            password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        }
    }
}
vlans {
    DMZ_VLAN {
        vlan-id 2;
        l3-interface vlan.1;
    }
    TEST_VLAN {
        vlan-id 4;
        l3-interface vlan.2;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}