## Last changed: 2009-08-13 12:31:31 PDT
version "9.5I0 [arunb]";
system {
    host-name HongKong-SRX240;
    domain-name jnpr.net;
    backup-router 172.19.83.254 destination 172.16.0.0/12;
    time-zone America/Los_Angeles;
    /*
     * $1$ prefix = MD5-crypt. Offline guessing against a leaked hash is
     * cheap; newer Junos releases support SHA-based password formats --
     * confirm what this release offers before changing.
     */
    root-authentication {
        encrypted-password "$1$m9qG3q5r$w.uIe9nPaDWSD7XG4g1gU."; ## SECRET-DATA
    }
    name-server {
        172.24.16.10;
        172.24.36.10;
        172.24.80.10;
    }
    login {
        /* Single super-user local account, also MD5-crypt (see note on root-authentication). */
        user jnpr {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$2pmd.xXI$MTMIdEI6jmqDCyts.7CaG."; ## SECRET-DATA
            }
        }
    }
    services {
        /* Cleartext management protocol; credentials cross the wire unprotected. Prefer ssh/netconf-over-ssh (already enabled below). */
        ftp;
        ssh;
        netconf {
            ssh;
        }
        web-management {
            /* Plain http on the management interface; sessions and logins are unencrypted. */
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "MGT Interface - Do Not Delete";
        unit 0 {
            family inet {
                address 172.19.83.225/27;
            }
        }
    }
    /* GRE tunnel lo0 -> remote lo0; the destination is reached via st0.0 (static route below), i.e. GRE rides inside the IPsec tunnel. */
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 192.168.11.1;
                destination 192.168.10.1;
            }
            family inet {
                address 10.11.0.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 20.1.0.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.11.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.16.0.0/12 {
            next-hop 172.19.83.254;
            retain;
        }
        route 192.168.10.1/32 next-hop st0.0;
        route 10.0.0.0/24 next-hop gr-0/0/0.0;
        route 20.0.0.0/30 next-hop 20.1.0.2;
    }
    router-id 192.168.11.1;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface gr-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.9 {
            interface ge-0/0/1.0 {
                passive;
            }
        }
    }
}
security {
    ike {
        /*
         * Weak IKE suite: MD5 integrity, single-DES encryption, DH group 2.
         * All three are deprecated; any change must be made on the peer
         * (20.0.0.1) in lockstep or the tunnel will fail to negotiate.
         */
        proposal ike_proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 3600;
        }
        policy ike_policy {
            proposals ike_proposal;
            /* $9$ is reversible Junos obfuscation, not a hash: anyone holding this file holds the PSK. Handle the config as a secret and rotate the key if it has been exposed. */
            pre-shared-key ascii-text "$9$kq5F/Cu1EyikBEhcMWgoJGHq"; ## SECRET-DATA
        }
        gateway ike_gw {
            ike-policy ike_policy;
            address 20.0.0.1;
            external-interface ge-0/0/2;
        }
    }
    ipsec {
        /* Weak ESP suite (HMAC-MD5-96, 3DES); same peer-coordination caveat as the IKE proposal. */
        proposal ipsec_proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_policy {
            proposals ipsec_proposal;
        }
        vpn vpn1 {
            bind-interface st0.0;
            ike {
                gateway ike_gw;
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        /* Every system service is reachable on the MGT interface; acceptable only if 172.19.83.224/27 is a controlled management network -- confirm. */
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        /*
         * NOTE(review): this zone holds the IKE external interface but lists no
         * host-inbound-traffic. If the peer must be able to initiate IKE toward
         * this device, `host-inbound-traffic { system-services { ike; } }` is
         * needed here; confirm the intended initiation direction.
         */
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
                lo0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
                gr-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* Cleartext login to the device over the GRE tunnel; ssh is already enabled under system services and is the safer choice. */
                            telnet;
                        }
                    }
                }
            }
        }
    }
    policies {
        /*
         * Both inter-zone policies are any/any/any permit. The application-set
         * PSS-denied-services defined under [applications] is not referenced by
         * any policy in this file, so nothing in it is actually blocked.
         */
        from-zone vpn to-zone trust {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        policy-rematch;
    }
    flow {
        inactive: traceoptions {
            file mm size 100000;
            flag basic-datapath;
            packet-filter mm {
                source-prefix 192.168.11.1/32;
            }
        }
        tcp-mss {
            gre-in {
                mss 1380;
            }
            gre-out {
                mss 1380;
            }
        }
    }
}
applications {
    application protocol_53 protocol 53;
    application protocol_55 protocol 55;
    application protocol_77 protocol 77;
    application pim protocol pim;
    application tcp_srcRange_1433-1434 {
        protocol tcp;
        source-port 1433-1434;
    }
    application udp_srcRange_1433-1434 {
        protocol udp;
        source-port 1433-1434;
    }
    application udp_dstPort-135 {
        protocol udp;
        destination-port 135;
    }
    application udp_dstPort-445 {
        protocol udp;
        destination-port 445;
    }
    application tcp_dstPort-445 {
        protocol tcp;
        destination-port 445;
    }
    application tcp_dstPort-4444 {
        protocol tcp;
        destination-port 4444;
    }
    /* Defined but unused: no security policy in this file matches on this set (see note under [security policies]). */
    application-set PSS-denied-services {
        application protocol_53;
        application protocol_55;
        application pim;
        application tcp_dstPort-4444;
        application tcp_dstPort-445;
        application tcp_srcRange_1433-1434;
        application udp_dstPort-135;
        application udp_dstPort-445;
        application udp_srcRange_1433-1434;
        application protocol_77;
    }
}