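## Last changed: 2021-07-20 19:35:52 CDT
/*
 * Firewall and remote-access VPN configuration for host "wineries"
 * (the vendor-id statements below name the platform as Juniper-srx320).
 *
 * Layout restored to one statement per line. In the collapsed form each
 * "## SECRET-DATA" marker ran on into the statements that followed it.
 * The two string literals that were split across lines (login message and
 * redirect-message content) are rejoined at the existing space.
 *
 * Secret values and some identifiers (login user name, access-profile client
 * name, CA administrator e-mail address) are blank in this copy and are
 * left blank.
 *
 * NOTE(review) annotations mark settings to confirm; no statement was changed.
 */
version 21.2R1.10;
system {
    host-name wineries;
    root-authentication {
        encrypted-password ; ## SECRET-DATA
    }
    login {
        user {
            full-name "J Rzeznik";
            uid 2001;
            class super-user;
            authentication {
                encrypted-password ; ## SECRET-DATA
            }
        }
        message "************************************************************************************\nWARNING: UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED\n\nThis system is for the use of authorized users only. Any or all uses of this system and all data on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed for network monitoring, to law enforcement personnel, and for any other lawful purposes. Users have no explicit or implicit expectation of privacy regarding any communications or data transiting or stored on this system.\n\nBy continuing to use this system, you expressly indicate your awareness of the above terms and consent to such disclosure at the discretion of authorized system personnel. Unauthorized or improper use of this system is a violation of state and federal laws and may result in civil or criminal penalties.\n\nDISCONNECT IMMEDIATELY if you do not agree to the conditions stated in this warning.\n************************************************************************************";
    }
    services {
        /* NOTE(review): ssh runs with defaults; root-login policy and connection/rate limits are not set explicitly. */
        ssh;
        dhcp-local-server {
            dhcpv6 {
                overrides {
                    interface-client-limit 100;
                    rapid-commit;
                    delegated-pool 6Pool;
                }
                group 6Local {
                    overrides {
                        interface-client-limit 200;
                    }
                    interface ge-0/0/4.0;
                    interface ge-0/0/6.0;
                    interface wl-1/0/0.0;
                }
            }
            group jdhcp-group {
                interface ge-0/0/6.0;
                interface wl-1/0/0.0;
                interface irb.0;
                interface st0.0;
            }
            group Phone {
                interface ge-0/0/4.0;
            }
        }
        web-management {
            /*
             * NOTE(review): J-Web is enabled over cleartext http, and neither http
             * nor https is limited to an interface list. https is also allowed as a
             * host-inbound service on ge-0/0/0.0 (untrust); confirm the management
             * UI is not reachable from that side.
             */
            http;
            https {
                pki-local-certificate 004;
            }
        }
    }
    time-zone America/Chicago;
    authentication-order password;
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    syslog {
        /*
         * NOTE(review): system logs, including interactive-commands and
         * authorization, are kept only in local files with a 3 x 100k archive.
         * No remote syslog host is configured here; only the security log
         * stream is sent off-box.
         */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 24;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
services {
    application-identification;
    ssl {
        termination {
            profile Term {
                server-certificate 001;
            }
        }
        proxy {
            /* NOTE(review): trusts every loaded CA and allows renegotiation; no security policy in this file references this proxy profile. */
            profile SSL {
                preferred-ciphers strong;
                trusted-ca all;
                root-ca ssl-inspect-ca;
                actions {
                    log {
                        errors;
                    }
                    renegotiation allow;
                }
            }
        }
    }
}
security {
    log {
        /* NOTE(review): security logs are stamped in UTC while the system time-zone is America/Chicago; allow for the offset when correlating with the local syslog files. */
        utc-timestamp;
        mode stream;
        format syslog;
        report;
        source-interface ge-0/0/6.0;
        stream Syslog-Splunk {
            format sd-syslog;
            host {
                10.10.1.8;
            }
        }
    }
    pki {
        ca-profile Local_1 { ca-identity Local_1; }
        ca-profile Local_2 { ca-identity Local_2; }
        ca-profile Local_3 { ca-identity Local_3; }
        ca-profile Local_4 { ca-identity Local_4; }
        ca-profile Local_5 { ca-identity Local_5; }
        ca-profile Local_6 { ca-identity Local_6; }
        ca-profile Local_7 { ca-identity Local_7; }
        ca-profile Local_8 { ca-identity Local_8; }
        ca-profile Local_9 { ca-identity Local_9; }
        ca-profile Local_10 { ca-identity Local_10; }
        ca-profile Local_11 { ca-identity Local_11; }
        ca-profile Local_12 { ca-identity Local_12; }
        ca-profile Local_13 { ca-identity Local_13; }
        ca-profile Local_14 { ca-identity Local_14; }
        ca-profile Local_15 { ca-identity Local_15; }
        ca-profile Local_16 { ca-identity Local_16; }
        ca-profile Local_17 { ca-identity Local_17; }
        ca-profile Local_18 { ca-identity Local_18; }
        ca-profile Local_19 { ca-identity Local_19; }
        ca-profile Local_20 { ca-identity Local_20; }
        ca-profile Local_21 { ca-identity Local_21; }
        ca-profile Local_22 { ca-identity Local_22; }
        ca-profile Local_23 { ca-identity Local_23; }
        ca-profile Local_24 { ca-identity Local_24; }
        ca-profile Local_25 { ca-identity Local_25; }
        ca-profile Local_26 { ca-identity Local_26; }
        ca-profile Local_27 { ca-identity Local_27; }
        ca-profile Local_28 { ca-identity Local_28; }
        ca-profile Local_29 { ca-identity Local_29; }
        ca-profile Local_30 { ca-identity Local_30; }
        ca-profile Local_31 { ca-identity Local_31; }
        ca-profile Local_32 { ca-identity Local_32; }
        ca-profile Local_33 { ca-identity Local_33; }
        ca-profile Local_34 { ca-identity Local_34; }
        ca-profile Local_35 { ca-identity Local_35; }
        ca-profile Local_36 { ca-identity Local_36; }
        ca-profile Local_37 { ca-identity Local_37; }
        ca-profile Local_38 { ca-identity Local_38; }
        ca-profile Local_39 { ca-identity Local_39; }
        ca-profile Local_40 { ca-identity Local_40; }
        ca-profile Local_41 { ca-identity Local_41; }
        ca-profile Local_42 { ca-identity Local_42; }
        ca-profile Local_43 { ca-identity Local_43; }
        ca-profile Local_44 { ca-identity Local_44; }
        ca-profile Local_45 { ca-identity Local_45; }
        ca-profile Local_46 { ca-identity Local_46; }
        ca-profile Local_47 { ca-identity Local_47; }
        ca-profile Local_48 { ca-identity Local_48; }
        ca-profile Local_49 { ca-identity Local_49; }
        ca-profile Local_50 { ca-identity Local_50; }
        ca-profile Local_51 { ca-identity Local_51; }
        ca-profile Local_52 { ca-identity Local_52; }
        ca-profile Local_53 { ca-identity Local_53; }
        ca-profile Local_54 { ca-identity Local_54; }
        ca-profile Local_55 { ca-identity Local_55; }
        ca-profile Local_56 { ca-identity Local_56; }
        ca-profile Local_57 { ca-identity Local_57; }
        ca-profile Local_58 { ca-identity Local_58; }
        ca-profile Local_59 { ca-identity Local_59; }
        ca-profile Local_60 { ca-identity Local_60; }
        ca-profile Local_61 { ca-identity Local_61; }
        ca-profile Local_62 { ca-identity Local_62; }
        ca-profile Local_63 { ca-identity Local_63; }
        ca-profile Local_64 { ca-identity Local_64; }
        ca-profile Local_65 { ca-identity Local_65; }
        ca-profile Local_66 { ca-identity Local_66; }
        ca-profile Local_67 { ca-identity Local_67; }
        ca-profile Local_68 { ca-identity Local_68; }
        ca-profile Local_69 { ca-identity Local_69; }
        ca-profile Local_70 { ca-identity Local_70; }
        ca-profile Local_71 { ca-identity Local_71; }
        ca-profile Local_72 { ca-identity Local_72; }
        ca-profile Local_73 { ca-identity Local_73; }
        ca-profile Local_74 { ca-identity Local_74; }
        ca-profile Local_75 { ca-identity Local_75; }
        ca-profile Local_76 { ca-identity Local_76; }
        ca-profile Local_77 { ca-identity Local_77; }
        ca-profile Local_78 { ca-identity Local_78; }
        ca-profile Local_79 { ca-identity Local_79; }
        ca-profile Local_80 { ca-identity Local_80; }
        ca-profile Local_81 { ca-identity Local_81; }
        ca-profile Local_82 { ca-identity Local_82; }
        ca-profile Local_83 { ca-identity Local_83; }
        ca-profile Local_84 { ca-identity Local_84; }
        ca-profile Local_85 { ca-identity Local_85; }
        ca-profile Local_86 { ca-identity Local_86; }
        ca-profile Local_87 { ca-identity Local_87; }
        ca-profile Local_88 { ca-identity Local_88; }
        ca-profile Local_89 { ca-identity Local_89; }
        ca-profile Local_90 { ca-identity Local_90; }
        ca-profile Local_91 { ca-identity Local_91; }
        ca-profile Local_92 { ca-identity Local_92; }
        ca-profile Local_93 { ca-identity Local_93; }
        ca-profile Local_94 { ca-identity Local_94; }
        ca-profile Local_95 { ca-identity Local_95; }
        ca-profile Local_96 { ca-identity Local_96; }
        ca-profile Local_97 { ca-identity Local_97; }
        ca-profile Local_98 { ca-identity Local_98; }
        ca-profile Local_99 { ca-identity Local_99; }
        ca-profile Local_100 { ca-identity Local_100; }
        ca-profile Local_101 { ca-identity Local_101; }
        ca-profile Local_102 { ca-identity Local_102; }
        ca-profile Local_103 { ca-identity Local_103; }
        ca-profile Local_104 { ca-identity Local_104; }
        ca-profile Local_105 { ca-identity Local_105; }
        ca-profile Local_106 { ca-identity Local_106; }
        ca-profile Local_107 { ca-identity Local_107; }
        ca-profile Local_108 { ca-identity Local_108; }
        ca-profile Local_109 { ca-identity Local_109; }
        ca-profile Local_110 { ca-identity Local_110; }
        ca-profile Local_111 { ca-identity Local_111; }
        ca-profile Local_112 { ca-identity Local_112; }
        ca-profile Local_113 { ca-identity Local_113; }
        ca-profile Local_114 { ca-identity Local_114; }
        ca-profile Local_115 { ca-identity Local_115; }
        ca-profile Local_116 { ca-identity Local_116; }
        ca-profile Local_117 { ca-identity Local_117; }
        ca-profile Local_118 { ca-identity Local_118; }
        ca-profile Local_119 { ca-identity Local_119; }
        ca-profile Local_120 { ca-identity Local_120; }
        ca-profile Local_121 { ca-identity Local_121; }
        ca-profile Local_122 { ca-identity Local_122; }
        ca-profile Local_123 { ca-identity Local_123; }
        ca-profile Local_124 { ca-identity Local_124; }
        ca-profile Local_125 { ca-identity Local_125; }
        ca-profile Local_126 { ca-identity Local_126; }
        ca-profile Local_127 { ca-identity Local_127; }
        ca-profile Local_128 { ca-identity Local_128; }
        ca-profile Local_129 { ca-identity Local_129; }
        ca-profile Local_130 { ca-identity Local_130; }
        ca-profile Local_131 { ca-identity Local_131; }
        ca-profile Local_132 { ca-identity Local_132; }
        ca-profile Local_133 { ca-identity Local_133; }
        ca-profile Local_134 { ca-identity Local_134; }
        ca-profile Local_135 { ca-identity Local_135; }
        ca-profile sec-cert {
            ca-identity winereis;
            /* NOTE(review): revocation checking is disabled for this CA, so a revoked certificate issued under it would still validate. */
            revocation-check {
                disable;
            }
            administrator {
                email-address ;
            }
        }
        ca-profile Sec-CA-Group_1 { ca-identity Sec-CA-Group_1; }
        ca-profile Sec-CA-Group_2 { ca-identity Sec-CA-Group_2; }
        ca-profile Sec-CA-Group_3 { ca-identity Sec-CA-Group_3; }
        ca-profile Sec-CA-Group_4 { ca-identity Sec-CA-Group_4; }
        ca-profile Sec-CA-Group_5 { ca-identity Sec-CA-Group_5; }
        ca-profile Sec-CA-Group_6 { ca-identity Sec-CA-Group_6; }
        ca-profile Sec-CA-Group_7 { ca-identity Sec-CA-Group_7; }
        ca-profile Sec-CA-Group_8 { ca-identity Sec-CA-Group_8; }
        ca-profile Sec-CA-Group_9 { ca-identity Sec-CA-Group_9; }
        ca-profile Sec-CA-Group_10 { ca-identity Sec-CA-Group_10; }
        ca-profile Sec-CA-Group_11 { ca-identity Sec-CA-Group_11; }
        ca-profile Sec-CA-Group_12 { ca-identity Sec-CA-Group_12; }
        ca-profile Sec-CA-Group_13 { ca-identity Sec-CA-Group_13; }
        ca-profile Sec-CA-Group_14 { ca-identity Sec-CA-Group_14; }
        ca-profile Sec-CA-Group_15 { ca-identity Sec-CA-Group_15; }
        ca-profile Sec-CA-Group_16 { ca-identity Sec-CA-Group_16; }
        ca-profile Sec-CA-Group_17 { ca-identity Sec-CA-Group_17; }
        ca-profile Sec-CA-Group_18 { ca-identity Sec-CA-Group_18; }
        ca-profile Sec-CA-Group_19 { ca-identity Sec-CA-Group_19; }
        ca-profile Sec-CA-Group_20 { ca-identity Sec-CA-Group_20; }
        ca-profile Sec-CA-Group_21 { ca-identity Sec-CA-Group_21; }
        ca-profile Sec-CA-Group_22 { ca-identity Sec-CA-Group_22; }
        ca-profile Sec-CA-Group_23 { ca-identity Sec-CA-Group_23; }
        ca-profile Sec-CA-Group_24 { ca-identity Sec-CA-Group_24; }
        ca-profile Sec-CA-Group_25 { ca-identity Sec-CA-Group_25; }
        ca-profile Sec-CA-Group_26 { ca-identity Sec-CA-Group_26; }
        ca-profile Sec-CA-Group_27 { ca-identity Sec-CA-Group_27; }
        ca-profile Sec-CA-Group_28 { ca-identity Sec-CA-Group_28; }
        ca-profile Sec-CA-Group_29 { ca-identity Sec-CA-Group_29; }
        ca-profile Sec-CA-Group_30 { ca-identity Sec-CA-Group_30; }
        ca-profile Sec-CA-Group_31 { ca-identity Sec-CA-Group_31; }
        ca-profile Sec-CA-Group_32 { ca-identity Sec-CA-Group_32; }
        ca-profile Sec-CA-Group_33 { ca-identity Sec-CA-Group_33; }
        ca-profile Sec-CA-Group_34 { ca-identity Sec-CA-Group_34; }
        ca-profile Sec-CA-Group_35 { ca-identity Sec-CA-Group_35; }
        ca-profile Sec-CA-Group_36 { ca-identity Sec-CA-Group_36; }
        ca-profile Sec-CA-Group_37 { ca-identity Sec-CA-Group_37; }
        ca-profile Sec-CA-Group_38 { ca-identity Sec-CA-Group_38; }
        ca-profile Sec-CA-Group_39 { ca-identity Sec-CA-Group_39; }
        ca-profile Sec-CA-Group_40 { ca-identity Sec-CA-Group_40; }
        ca-profile Sec-CA-Group_41 { ca-identity Sec-CA-Group_41; }
        ca-profile Sec-CA-Group_42 { ca-identity Sec-CA-Group_42; }
        ca-profile Sec-CA-Group_43 { ca-identity Sec-CA-Group_43; }
        ca-profile Sec-CA-Group_44 { ca-identity Sec-CA-Group_44; }
        ca-profile Sec-CA-Group_45 { ca-identity Sec-CA-Group_45; }
        ca-profile Sec-CA-Group_46 { ca-identity Sec-CA-Group_46; }
        ca-profile Sec-CA-Group_47 { ca-identity Sec-CA-Group_47; }
        ca-profile Sec-CA-Group_48 { ca-identity Sec-CA-Group_48; }
        ca-profile Sec-CA-Group_49 { ca-identity Sec-CA-Group_49; }
        ca-profile Sec-CA-Group_50 { ca-identity Sec-CA-Group_50; }
        ca-profile Sec-CA-Group_51 { ca-identity Sec-CA-Group_51; }
        ca-profile Sec-CA-Group_52 { ca-identity Sec-CA-Group_52; }
        ca-profile Sec-CA-Group_53 { ca-identity Sec-CA-Group_53; }
        ca-profile Sec-CA-Group_54 { ca-identity Sec-CA-Group_54; }
        ca-profile Sec-CA-Group_55 { ca-identity Sec-CA-Group_55; }
        ca-profile Sec-CA-Group_56 { ca-identity Sec-CA-Group_56; }
        ca-profile Sec-CA-Group_57 { ca-identity Sec-CA-Group_57; }
        ca-profile Sec-CA-Group_58 { ca-identity Sec-CA-Group_58; }
        ca-profile Sec-CA-Group_59 { ca-identity Sec-CA-Group_59; }
        ca-profile Sec-CA-Group_60 { ca-identity Sec-CA-Group_60; }
        ca-profile Sec-CA-Group_61 { ca-identity Sec-CA-Group_61; }
        ca-profile Sec-CA-Group_62 { ca-identity Sec-CA-Group_62; }
        ca-profile Sec-CA-Group_63 { ca-identity Sec-CA-Group_63; }
        ca-profile Sec-CA-Group_64 { ca-identity Sec-CA-Group_64; }
        ca-profile Sec-CA-Group_65 { ca-identity Sec-CA-Group_65; }
        ca-profile Sec-CA-Group_66 { ca-identity Sec-CA-Group_66; }
        ca-profile Sec-CA-Group_67 { ca-identity Sec-CA-Group_67; }
        ca-profile Sec-CA-Group_68 { ca-identity Sec-CA-Group_68; }
        ca-profile Sec-CA-Group_69 { ca-identity Sec-CA-Group_69; }
        ca-profile Sec-CA-Group_70 { ca-identity Sec-CA-Group_70; }
        ca-profile Sec-CA-Group_71 { ca-identity Sec-CA-Group_71; }
        ca-profile Sec-CA-Group_72 { ca-identity Sec-CA-Group_72; }
        ca-profile Sec-CA-Group_73 { ca-identity Sec-CA-Group_73; }
        ca-profile Sec-CA-Group_74 { ca-identity Sec-CA-Group_74; }
        ca-profile Sec-CA-Group_75 { ca-identity Sec-CA-Group_75; }
        ca-profile Sec-CA-Group_76 { ca-identity Sec-CA-Group_76; }
        ca-profile Sec-CA-Group_77 { ca-identity Sec-CA-Group_77; }
        ca-profile Sec-CA-Group_78 { ca-identity Sec-CA-Group_78; }
        ca-profile Sec-CA-Group_79 { ca-identity Sec-CA-Group_79; }
        ca-profile Sec-CA-Group_80 { ca-identity Sec-CA-Group_80; }
        ca-profile Sec-CA-Group_81 { ca-identity Sec-CA-Group_81; }
        ca-profile Sec-CA-Group_82 { ca-identity Sec-CA-Group_82; }
        ca-profile Sec-CA-Group_83 { ca-identity Sec-CA-Group_83; }
        ca-profile Sec-CA-Group_84 { ca-identity Sec-CA-Group_84; }
        ca-profile Sec-CA-Group_85 { ca-identity Sec-CA-Group_85; }
        ca-profile Sec-CA-Group_86 { ca-identity Sec-CA-Group_86; }
        ca-profile Sec-CA-Group_87 { ca-identity Sec-CA-Group_87; }
        ca-profile Sec-CA-Group_88 { ca-identity Sec-CA-Group_88; }
        ca-profile Sec-CA-Group_89 { ca-identity Sec-CA-Group_89; }
        ca-profile Sec-CA-Group_90 { ca-identity Sec-CA-Group_90; }
        ca-profile Sec-CA-Group_91 { ca-identity Sec-CA-Group_91; }
        ca-profile Sec-CA-Group_92 { ca-identity Sec-CA-Group_92; }
        ca-profile Sec-CA-Group_93 { ca-identity Sec-CA-Group_93; }
        ca-profile Sec-CA-Group_94 { ca-identity Sec-CA-Group_94; }
        ca-profile Sec-CA-Group_95 { ca-identity Sec-CA-Group_95; }
        ca-profile Sec-CA-Group_96 { ca-identity Sec-CA-Group_96; }
        ca-profile Sec-CA-Group_97 { ca-identity Sec-CA-Group_97; }
        ca-profile Sec-CA-Group_98 { ca-identity Sec-CA-Group_98; }
        ca-profile Sec-CA-Group_99 { ca-identity Sec-CA-Group_99; }
        ca-profile Sec-CA-Group_100 { ca-identity Sec-CA-Group_100; }
        ca-profile Sec-CA-Group_101 { ca-identity Sec-CA-Group_101; }
        ca-profile Sec-CA-Group_102 { ca-identity Sec-CA-Group_102; }
        ca-profile Sec-CA-Group_103 { ca-identity Sec-CA-Group_103; }
        ca-profile Sec-CA-Group_104 { ca-identity Sec-CA-Group_104; }
        ca-profile Sec-CA-Group_105 { ca-identity Sec-CA-Group_105; }
        ca-profile Sec-CA-Group_106 { ca-identity Sec-CA-Group_106; }
        ca-profile Sec-CA-Group_107 { ca-identity Sec-CA-Group_107; }
        ca-profile Sec-CA-Group_108 { ca-identity Sec-CA-Group_108; }
        ca-profile Sec-CA-Group_109 { ca-identity Sec-CA-Group_109; }
        ca-profile Sec-CA-Group_110 { ca-identity Sec-CA-Group_110; }
        ca-profile Sec-CA-Group_111 { ca-identity Sec-CA-Group_111; }
        ca-profile Sec-CA-Group_112 { ca-identity Sec-CA-Group_112; }
        ca-profile Sec-CA-Group_113 { ca-identity Sec-CA-Group_113; }
        ca-profile Sec-CA-Group_114 { ca-identity Sec-CA-Group_114; }
        ca-profile Sec-CA-Group_115 { ca-identity Sec-CA-Group_115; }
        ca-profile Sec-CA-Group_116 { ca-identity Sec-CA-Group_116; }
        ca-profile Sec-CA-Group_117 { ca-identity Sec-CA-Group_117; }
        ca-profile Sec-CA-Group_118 { ca-identity Sec-CA-Group_118; }
        ca-profile Sec-CA-Group_119 { ca-identity Sec-CA-Group_119; }
        ca-profile Sec-CA-Group_120 { ca-identity Sec-CA-Group_120; }
        ca-profile Sec-CA-Group_121 { ca-identity Sec-CA-Group_121; }
        ca-profile Sec-CA-Group_122 { ca-identity Sec-CA-Group_122; }
        ca-profile Sec-CA-Group_123 { ca-identity Sec-CA-Group_123; }
        ca-profile Sec-CA-Group_124 { ca-identity Sec-CA-Group_124; }
        ca-profile Sec-CA-Group_125 { ca-identity Sec-CA-Group_125; }
        ca-profile Sec-CA-Group_126 { ca-identity Sec-CA-Group_126; }
        ca-profile Sec-CA-Group_127 { ca-identity Sec-CA-Group_127; }
        ca-profile Sec-CA-Group_128 { ca-identity Sec-CA-Group_128; }
        ca-profile Sec-CA-Group_129 { ca-identity Sec-CA-Group_129; }
        ca-profile Sec-CA-Group_130 { ca-identity Sec-CA-Group_130; }
        ca-profile Sec-CA-Group_131 { ca-identity Sec-CA-Group_131; }
        ca-profile Sec-CA-Group_132 { ca-identity Sec-CA-Group_132; }
        ca-profile Sec-CA-Group_133 { ca-identity Sec-CA-Group_133; }
        ca-profile Sec-CA-Group_134 { ca-identity Sec-CA-Group_134; }
        ca-profile Sec-CA-Group_135 { ca-identity Sec-CA-Group_135; }
        ca-profile-group Local {
            cert-base-count 135;
        }
        ca-profile-group Sec-CA-Group {
            cert-base-count 1;
        }
    }
    ike {
        proposal Vineyard-VPN {
            description "Remote Access";
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy Vineyard-VPN {
            /*
             * NOTE(review): aggressive mode with a pre-shared key, on a gateway
             * pinned to IKEv1 (version v1-only) with one shared IKE ID for all
             * dynamic peers (ike-user-type shared-ike-id). Identities are exchanged
             * before the SA is protected and every client holds the same key, so
             * per-user assurance rests on the VPN-Access profile referenced under
             * aaa. Confirm the key is long and random, and evaluate a certificate-
             * or EAP-based IKEv2 setup if the clients support it.
             */
            mode aggressive;
            description "Remote Access";
            proposals Vineyard-VPN;
            pre-shared-key ascii-text ; ## SECRET-DATA
        }
        gateway Vineyard-VPN {
            ike-policy Vineyard-VPN;
            dynamic {
                user-at-hostname "";
                ike-user-type shared-ike-id;
            }
            dead-peer-detection {
                optimized;
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0;
            aaa {
                access-profile VPN-Access;
            }
            version v1-only;
            tcp-encap-profile SSL;
        }
    }
    ipsec {
        proposal Vineyard-VPN {
            description "Remote Access";
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy Vineyard-VPN {
            description "Remote Access";
            perfect-forward-secrecy {
                keys group20;
            }
            proposals Vineyard-VPN;
        }
        vpn Vineyard-VPN {
            bind-interface st0.0;
            df-bit clear;
            copy-outer-dscp;
            ike {
                gateway Vineyard-VPN;
                ipsec-policy Vineyard-VPN;
            }
            traffic-selector ts-1 {
                local-ip 0.0.0.0/0;
                remote-ip 0.0.0.0/0;
            }
        }
    }
    remote-access {
        profile Vineyard-VPN {
            description "Remote Access";
            ipsec-vpn Vineyard-VPN;
            access-profile VPN-Access;
            client-config Vineyard-VPN;
        }
        client-config Vineyard-VPN {
            connection-mode manual;
            dead-peer-detection {
                interval 60;
                threshold 5;
            }
        }
        default-profile Vineyard-VPN;
    }
    dynamic-application {
        profile Redirect {
            redirect-message {
                type {
                    custom-text {
                        content "This application has been restricted or blocked per local network policy. ";
                    }
                }
            }
        }
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /*
             * NOTE(review): this rule-set source-NATs all trust-to-trust traffic to
             * the egress interface address, so internal hosts log the firewall's
             * address instead of the VPN or WLAN client's. The two rules have the
             * same match and action, so only the first can ever match.
             */
            rule-set vineyard-vpn {
                description "Remote Access";
                from zone trust;
                to zone trust;
                rule vineyard-vpn {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule Vineyard-VPN {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /*
         * NOTE(review): the trust-to-trust and trust-to-untrust policies permit
         * any/any and do not log. Only the junos-host policies and the
         * pre-id-default-policy record session-close, so most permitted flows
         * leave no policy log entry.
         */
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone junos-host to-zone trust {
            policy vineyard-vpn-1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone junos-host {
            policy vineyard-vpn-2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        pre-id-default-policy {
            then {
                log {
                    session-close;
                }
            }
        }
    }
    tcp-encap {
        profile SSLVPN {
            ssl-profile Term;
        }
        profile SSL {
            ssl-profile Term;
        }
        global-options {
            enable-tunnel-tracking;
        }
    }
    zones {
        /*
         * NOTE(review): the LAN (ge-0/0/6.0), servers (ge-0/0/4.0), WLAN
         * (wl-1/0/0.0) and the VPN tunnel units (st0.0, st0.1) all sit in the
         * trust zone, so the any/any trust-to-trust policy is the only control
         * between them. Every trust interface except the st0 units also accepts
         * all system services and protocols on the firewall itself.
         */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
                ge-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                wl-1/0/0.0;
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        /*
         * NOTE(review): tftp is accepted as a host-inbound service on all three
         * untrust interfaces, and ge-0/0/0.0 also accepts https, ntp, ping and
         * traceroute. Confirm each is required (ike, tcp-encap and https
         * presumably serve the remote-access clients) and remove the rest.
         */
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            ping;
                            ntp;
                            traceroute;
                            tcp-encap;
                            dhcpv6;
                            https;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                dl0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-srx320;
                }
            }
            family inet6 {
                dhcpv6-client {
                    client-type stateful;
                    client-ia-type ia-na;
                    client-ia-type ia-pd;
                    rapid-commit;
                    client-identifier duid-type duid-ll;
                    vendor-id Juniper-srx320;
                    req-option dns-server;
                    retransmission-attempt 6;
                    update-router-advertisement {
                        interface ge-0/0/6.0;
                        interface wl-1/0/0.0;
                        interface ge-0/0/4.0;
                    }
                    update-server;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            description Servers;
            family inet {
                address 10.10.0.1/24;
            }
            family inet6 {
                address 2600:6c44:7002:100::3/64;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members default;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 10.10.1.1/24;
            }
            family inet6 {
                address 2600:6c44:7002:100::1/64;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-srx320;
                }
            }
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    wl-1/0/0 {
        description WLAN;
        per-unit-scheduler;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.10.2.1/24;
            }
            family inet6 {
                address 2600:6c44:7002:100::2/64;
            }
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
                always-on;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
firewall {
    /* NOTE(review): no interface in this file references this filter, and the term matches ports 67/68 without a protocol match - confirm whether it is still in use. */
    filter DHCP {
        term 1 {
            from {
                destination-port [ 67 68 ];
            }
            then accept;
        }
    }
}
access {
    profile VPN-Access {
        client {
            firewall-user {
                password ; ## SECRET-DATA
            }
        }
        address-assignment {
            pool Local_LAN;
        }
    }
    address-assignment {
        pool Local_LAN {
            family inet {
                network 10.10.1.0/24;
                range localrange {
                    low 10.10.1.21;
                    high 10.10.1.249;
                }
                dhcp-attributes {
                    domain-name vineyard.local;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                        10.10.0.4;
                    }
                    router {
                        10.10.1.1;
                    }
                    propagate-settings ge-0/0/6.0;
                }
            }
        }
        pool WLAN {
            family inet {
                network 10.10.2.0/24;
                range wifirange {
                    low 10.10.2.6;
                    high 10.10.2.253;
                }
                dhcp-attributes {
                    domain-name vineyard.local;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                        10.10.0.4;
                    }
                    router {
                        10.10.2.1;
                    }
                }
            }
        }
        pool Phone {
            family inet {
                network 10.10.0.0/24;
                range Phone {
                    low 10.10.0.21;
                    high 10.10.0.254;
                }
                dhcp-attributes {
                    maximum-lease-time 86400;
                    name-server {
                        10.10.0.4;
                        208.67.222.222;
                        208.67.220.220;
                    }
                    router {
                        10.10.0.1;
                    }
                    propagate-settings ge-0/0/4.0;
                }
            }
        }
        pool 6Pool {
            family inet6 {
                prefix 2600:6c44:597f:cb1f::/64;
                range prefix-range prefix-length 64;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile VPN-Access;
        }
    }
}
vlans {
    Ciena {
        description CienaManagement;
        vlan-id 159;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
protocols {
    router-advertisement {
        interface ge-0/0/0.0;
    }
    l2-learning {
        global-mode switching;
    }
    lldp {
        advertisement-interval 30;
        transmit-delay 2;
        hold-multiplier 4;
        ptopo-configuration-trap-interval 30;
        ptopo-configuration-maximum-hold-time 300;
        lldp-configuration-notification-interval 30;
        interface all {
            disable;
        }
        interface ge-0/0/6;
    }
    rstp {
        interface all;
    }
}
wlan {
    access-point Not_Your_Wifi {
        interface {
            wl-1/0/0;
        }
        captive-portal {
            authentication {
                simple-pass {
                    key ; ## SECRET-DATA
                }
            }
        }
        radio 1 {
            radio-options {
                mode acn;
                channel {
                    number auto;
                    bandwidth 40;
                }
                transmit-power 100;
            }
            virtual-access-point 0 {
                description "Not Your Wifi";
                ssid Not_Your_Wifi;
                security {
                    /* NOTE(review): WPA2-personal with one shared key admits clients to wl-1/0/0.0, which is in the trust zone; anyone holding the key lands on the same side of the policy as the LAN and servers. */
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            ccmp;
                        }
                        key ; ## SECRET-DATA
                        key-type ascii;
                    }
                }
            }
        }
        radio 2 {
            radio-options {
                mode gn;
                channel {
                    bandwidth 20;
                }
                transmit-power 100;
            }
            virtual-access-point 0 {
                ssid Not_Your_Wifi;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            ccmp;
                        }
                        key ; ## SECRET-DATA
                        key-type ascii;
                    }
                }
            }
        }
    }
}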