/* Junos SRX configuration for host Node_0_Bottom (release 12.1X46-D65.4). */
/* Topology visible in this file: LAN on ge-0/0/0 (10.1.0.0/24), ISP uplink on ge-0/0/2 */
/* (212.48.226.94/29), a GRE tunnel and a route-based IPsec VPN both terminating on 212.48.226.93. */
version 12.1X46-D65.4;
system {
    host-name Node_0_Bottom;
    root-authentication {
        /* NOTE(review): $1$ is MD5-crypt, and this hash is present in a shared file; treat the */
        /* credential as exposed and rotate it (prefer a SHA-based hash if this release offers one). */
        encrypted-password "$1$MPcqgtCu$raaoKtW3J9LybXKaklvsO0";
    }
    services {
        ssh;
        /* NOTE(review): xnm-clear-text is unencrypted JUNOScript management; the TLS variant */
        /* (xnm-ssl) or NETCONF over SSH avoids sending credentials in the clear. */
        xnm-clear-text;
        web-management {
            /* NOTE(review): plain HTTP management; vlan.0 has no address below, so this is */
            /* presumably unreachable today, but it will become live if vlan.0 is ever addressed. */
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* NOTE(review): "messages" only keeps facility "any" at critical; no security/flow session */
        /* log is configured anywhere in this file, so permitted sessions leave no audit trail. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* kmd-logs: IKE/IPsec key-management daemon events, useful when the VPN below fails. */
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description LAN;
        unit 0 {
            family inet {
                address 10.1.0.250/24;
            }
        }
    }
    /* NOTE(review): the GRE tunnel uses the same outer endpoints as the IPsec gateway. Nothing in */
    /* this file routes 212.48.226.93 via st0.0, so GRE (and the OSPF adjacency over it) appears to */
    /* run in the clear across the ISP link -- confirm against the routing table. */
    gr-0/0/0 {
        unit 0 {
            description GRE;
            tunnel {
                source 212.48.226.94;
                destination 212.48.226.93;
            }
            family inet {
                /* 1476 = 1500 minus the 24-byte IP+GRE overhead. */
                mtu 1476;
                address 10.10.10.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0;
    }
    ge-0/0/2 {
        description ISP;
        unit 0 {
            family inet {
                address 212.48.226.94/29;
            }
        }
    }
    ge-0/0/3 {
        disable;
        unit 0;
    }
    ge-0/0/4 {
        disable;
        unit 0;
    }
    ge-0/0/5 {
        disable;
        unit 0;
    }
    ge-0/0/6 {
        disable;
        unit 0;
    }
    ge-0/0/7 {
        disable;
    }
    lo0 {
        unit 0 {
            family inet {
                /* NOTE(review): 1.1.1.1/32 is a globally routed public address, not a private or */
                /* documentation range; presumably a lab placeholder -- verify before production use. */
                address 1.1.1.1/32;
            }
        }
    }
    /* st0.0 is the tunnel interface bound to vpn VPN_J-2-J below (route-based VPN). */
    st0 {
        unit 0 {
            description "'VPN'";
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
    }
}
protocols {
    /* NOTE(review): no OSPF interface authentication is configured on any of these interfaces. */
    ospf {
        area 0.0.0.0 {
            interface gr-0/0/0.0;
            interface ge-0/0/0.0;
            interface st0.0;
        }
    }
    stp;
}
security {
    ike {
        /* NOTE(review): dh-group group2 (1024-bit MODP) and sha1 are below current guidance; */
        /* group14 (already used for PFS below) and sha-256 are preferable if this release supports them. */
        proposal IKE_prop {
            description Propor_IKE;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy IKE_Policy {
            /* NOTE(review): aggressive mode with a pre-shared key sends the identity hash */
            /* unprotected, exposing the PSK to offline guessing; both peers have static addresses */
            /* here, so main mode should work. The $9$ value is Junos reversible obfuscation, not a */
            /* hash -- anyone holding this file can recover the PSK, so rotate it. */
            mode aggressive;
            proposals IKE_prop;
            pre-shared-key ascii-text "$9$SznrM8xNdsgo7Nqm5Qn6M8LXbs";
        }
        gateway IKE_Gate {
            ike-policy IKE_Policy;
            address 212.48.226.93;
            local-identity inet 212.48.226.94;
            external-interface ge-0/0/2.0;
        }
    }
    ipsec {
        proposal IPSEC_prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy IPSEC_POL {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC_prop;
        }
        vpn VPN_J-2-J {
            bind-interface st0.0;
            /* df-bit clear lets oversized inner packets be fragmented after encapsulation. */
            df-bit clear;
            ike {
                gateway IKE_Gate;
                proxy-identity {
                    service any;
                }
                ipsec-policy IPSEC_POL;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address Local_Area 10.1.0.0/24;
            address PC-1 10.1.0.1/32;
        }
    }
    nat {
        source {
            /* NOTE(review): this rule-set is deactivated, so LAN traffic toward the ISP zone is */
            /* currently not source-translated; confirm this is intentional. It also references */
            /* zone ISP, which has no interfaces attached below. */
            inactive: rule-set NAT {
                from zone trust;
                to zone ISP;
                rule PAT {
                    match {
                        source-address 10.1.0.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Port-forward: external 212.48.226.94:3389 -> 10.1.0.1:3389 (RDP). */
            pool RDP {
                address 10.1.0.1/32 port 3389;
            }
            /* NOTE(review): "from zone ISP" can never match while ge-0/0/2.0 sits in zone trust */
            /* (see zones below); move the ISP interface into zone ISP or this DNAT is dead. */
            rule-set DNAT {
                from zone ISP;
                rule dnat_RDP {
                    match {
                        destination-address 212.48.226.94/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat {
                            pool {
                                RDP;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone ISP {
            /* NOTE(review): policies are evaluated in order; this any/any/any permit shadows */
            /* policy PAT below, which can never match. Neither policy logs sessions. */
            policy trust-to-ISP {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy PAT {
                match {
                    source-address Local_Area;
                    destination-address any-ipv4;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ISP to-zone trust {
            /* NOTE(review): "application any" admits every service from the Internet to PC-1, */
            /* not just the RDP port the DNAT pool forwards; restrict to the RDP application and */
            /* consider a source-address restriction plus session logging for this exposed host. */
            policy RDP_access {
                match {
                    source-address any;
                    destination-address PC-1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            /* NOTE(review): because ge-0/0/2.0 is in zone trust, this intra-zone permit currently */
            /* covers Internet-sourced traffic entering on the ISP interface as well. */
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): fail-open default; deny-all with explicit permits is the usual baseline. */
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            /* NOTE(review): all management services and protocols are accepted on every trust */
            /* interface, including the Internet-facing ge-0/0/2.0 listed below. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                gr-0/0/0.0;
                st0.0;
                lo0.0;
                /* NOTE(review): the ISP uplink is attached to zone trust, not zone ISP; this is */
                /* likely the root cause of the dead DNAT rule-set and ISP->trust policy above. */
                ge-0/0/2.0;
            }
        }
        /* NOTE(review): zone ISP has no interfaces, so nothing below takes effect today. If the */
        /* uplink is moved here, "all" subsumes ping/ike/ssh and should be replaced by just the */
        /* services the peer needs (ike for the VPN; ssh only from trusted sources, if at all). */
        security-zone ISP {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ssh;
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}