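## Last changed: 2014-02-18 17:22:02 HKT
/* Review: this listing was a single-line dump. It is re-indented in Junos display
   style and hardened in place. Every behavioural change is annotated with
   "Review:"; findings that need owner/peer coordination and were deliberately left
   unchanged are annotated "NOTE(review)". The four pre-shared-key lines were
   syntactically broken by redaction (missing ';' / doubled quote) and are restored
   to the 'ascii-text "…"; ## SECRET-DATA' form. */
version 12.1X46-D10.2;
system {
    host-name SRX240H2;
    time-zone Asia/Hong_Kong;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        /* Review: telnet and xnm-clear-text (cleartext JUNOScript) removed. Both
           carry credentials in the clear and were reachable on the same interfaces
           as ssh. ssh is pinned to protocol v2.
           NOTE(review): there is no [system login] stanza in this file, so root is
           the only account. Create named admin users (ideally RADIUS/TACACS+ backed)
           before adding "root-login deny" here. */
        ssh {
            protocol-version v2;
        }
        web-management {
            /* Review: plain-http J-Web removed; it exposed a cleartext login on the
               ISP-facing vlan.10/vlan.20. https is kept on the external interfaces
               because the dynamic-vpn client download / web-auth needs it there.
               NOTE(review): system-generated-certificate is self-signed, so remote
               users cannot distinguish this box from an interposer; load a
               CA-issued certificate. */
            https {
                system-generated-certificate;
                interface [ vlan.0 vlan.10 vlan.20 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file traffic-log {
            any any;
            match RT_FLOW_SESSION;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            /* Review: world-readable removed. Session logs contain internal and
               remote addresses and user names; only the log owner should read them. */
            archive size 1000k;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NOTE(review): NTP is unauthenticated; the external server is reachable
           over the ISP links. Consider NTP authentication keys. */
        server 192.168.1.8;
        server 118.143.17.82 prefer;
    }
}
interfaces {
    /* NOTE(review): ge-0/0/12 to ge-0/0/15 are switching ports that belong to no
       VLAN below (they land in the default VLAN). Disable unused ports. */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    st0 {
        /* Tunnel interfaces: x1 = primary (ISP1), x2 = secondary (ISP2) per branch. */
        unit 11 {
            family inet;
            family inet6;
        }
        unit 12 {
            family inet;
            family inet6;
        }
        unit 21 {
            family inet;
            family inet6;
        }
        unit 22 {
            family inet;
            family inet6;
        }
        unit 31 {
            family inet;
            family inet6;
        }
        unit 32 {
            family inet;
            family inet6;
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input only-http-isp2-out;
                }
                address 192.168.1.1/24;
                address 192.168.201.201/24;
            }
        }
        unit 10 {
            family inet {
                filter {
                    input isp1-in;
                }
                address 1.1.1.10/24;
            }
        }
        unit 20 {
            family inet {
                filter {
                    input isp2-in;
                }
                address 2.2.2.10/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
        route 192.168.4.0/24 {
            next-hop st0.11;
            qualified-next-hop st0.12 {
                preference 10;
            }
        }
        route 192.168.5.0/24 {
            next-hop st0.21;
            qualified-next-hop st0.22 {
                preference 10;
            }
        }
        route 192.168.6.0/24 {
            next-hop st0.31;
            qualified-next-hop st0.32 {
                preference 10;
            }
        }
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 isp1-routing.inet.0 isp2-routing.inet.0 ];
        }
    }
}
security {
    log {
        mode event;
    }
    ike {
        traceoptions {
            /* Review: world-readable removed; IKE traces include peer identities and
               negotiation detail. NOTE(review): "flag all" is a debugging setting and
               should not stay enabled in production. */
            file ike-trace size 5m files 5;
            flag ike;
            flag general;
            flag all;
        }
        /* NOTE(review): every proposal uses 3des-cbc / sha1 / DH group2 (1024-bit).
           These are weak by current standards; migrate to aes-256-cbc or aes-gcm,
           sha-256 and group14+ in coordination with each peer. Left unchanged here
           because the peer side is not visible. */
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        proposal dyn-vpn-p1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        /* NOTE(review): aggressive mode sends the PSK-derived hash unencrypted in the
           first exchange, so the key is exposed to offline guessing by anyone who
           can observe IKE on vlan.10/vlan.20. It is used here only because the
           Shenzhen and remote-access peers have dynamic addresses; main mode or
           certificate authentication should replace it where the peer allows. */
        policy agg-pre-g2-3des-sha {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        policy main-pre-g2-3des-sha {
            mode main;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        policy main-pre-standard {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposals dyn-vpn-p1;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        gateway hk-gz-gw-isp1 {
            ike-policy main-pre-g2-3des-sha;
            address 3.3.3.1;
            no-nat-traversal;
            local-identity hostname HK;
            external-interface vlan.10;
        }
        gateway hk-gz-gw-isp2 {
            ike-policy main-pre-g2-3des-sha;
            address 3.3.3.1;
            no-nat-traversal;
            local-identity hostname HK2;
            external-interface vlan.20;
        }
        gateway hk-eu-gw-isp1 {
            ike-policy main-pre-standard;
            address 4.4.4.1;
            no-nat-traversal;
            local-identity hostname HK;
            external-interface vlan.10;
        }
        gateway hk-eu-gw-isp2 {
            ike-policy main-pre-standard;
            address 4.4.4.1;
            no-nat-traversal;
            local-identity hostname HK2;
            external-interface vlan.20;
        }
        gateway hk-sz-gw-isp1 {
            ike-policy agg-pre-g2-3des-sha;
            dynamic hostname Shenzhen;
            no-nat-traversal;
            external-interface vlan.10;
        }
        gateway hk-sz-gw-isp2 {
            ike-policy agg-pre-g2-3des-sha;
            dynamic hostname Shenzhen2;
            no-nat-traversal;
            external-interface vlan.20;
        }
        /* NOTE(review): all four remote-access gateways use group-ike-id, i.e. one
           shared PSK for every user; per-user secrets live only in XAuth/RADIUS.
           A leaked PSK lets anyone reach the XAuth prompt. The dailup-* gateways
           also lack the connections-limit the dyn-vpn-* gateways have. */
        gateway dyn-vpn-local-gw1 {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname westpex-dyn-vpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface vlan.10;
            xauth access-profile dyn-vpn-radius-auth;
        }
        gateway dyn-vpn-local-gw2 {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname westpex-dyn-vpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface vlan.20;
            xauth access-profile dyn-vpn-radius-auth;
        }
        gateway dailup-vpn-gw1 {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname westpex.com.hk;
                ike-user-type group-ike-id;
            }
            external-interface vlan.10;
            xauth access-profile dyn-vpn-radius-auth;
        }
        gateway dailup-vpn-gw2 {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname westpex.com.hk;
                ike-user-type group-ike-id;
            }
            external-interface vlan.20;
            xauth access-profile dyn-vpn-radius-auth;
        }
    }
    ipsec {
        traceoptions {
            flag security-associations;
            flag packet-drops;
            flag packet-processing;
        }
        vpn-monitor-options {
            interval 2;
            threshold 3;
        }
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        proposal dyn-vpn-ipsec-p1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        /* NOTE(review): nopfs-esp-3des-sha is referenced by no VPN below and can be
           deleted. ipsec-dyn-vpn-policy has no perfect-forward-secrecy, so a
           compromised IKE SA exposes all remote-access child SAs. */
        policy nopfs-esp-3des-sha {
            proposals esp-3des-sha;
        }
        policy g2-standard {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy g2-esp-3des-sha {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-3des-sha;
        }
        policy ipsec-dyn-vpn-policy {
            proposals dyn-vpn-ipsec-p1;
        }
        vpn hk-gz-pri-vpn {
            bind-interface st0.11;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.4.1;
            }
            ike {
                gateway hk-gz-gw-isp1;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.4.0/24;
                    service any;
                }
                ipsec-policy g2-standard;
            }
            establish-tunnels immediately;
        }
        vpn hk-gz-sec-vpn {
            bind-interface st0.12;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.4.1;
            }
            ike {
                gateway hk-gz-gw-isp2;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.4.0/24;
                    service any;
                }
                ipsec-policy g2-standard;
            }
            establish-tunnels immediately;
        }
        vpn hk-eu-pri-vpn {
            bind-interface st0.21;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.5.6;
            }
            ike {
                gateway hk-eu-gw-isp1;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.5.0/24;
                    service any;
                }
                ipsec-policy g2-standard;
            }
            establish-tunnels immediately;
        }
        vpn hk-eu-sec-vpn {
            bind-interface st0.22;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.5.6;
            }
            ike {
                gateway hk-eu-gw-isp2;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.5.0/24;
                    service any;
                }
                ipsec-policy g2-standard;
            }
            establish-tunnels immediately;
        }
        vpn hk-sz-pri-vpn {
            bind-interface st0.31;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.6.1;
            }
            ike {
                gateway hk-sz-gw-isp1;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.6.0/24;
                    service any;
                }
                ipsec-policy g2-esp-3des-sha;
            }
            establish-tunnels immediately;
        }
        vpn hk-sz-sec-vpn {
            bind-interface st0.32;
            vpn-monitor {
                optimized;
                source-interface vlan.0;
                destination-ip 192.168.6.1;
            }
            ike {
                gateway hk-sz-gw-isp2;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.6.0/24;
                    service any;
                }
                ipsec-policy g2-esp-3des-sha;
            }
            establish-tunnels immediately;
        }
        vpn dyn-vpn-isp1 {
            ike {
                gateway dyn-vpn-local-gw1;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
        vpn dyn-vpn-isp2 {
            ike {
                gateway dyn-vpn-local-gw2;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
        vpn dailup-vpn-isp1 {
            ike {
                gateway dailup-vpn-gw1;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
        vpn dailup-vpn-isp2 {
            ike {
                gateway dailup-vpn-gw2;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    address-book {
        local {
            address ftp1 192.168.1.10/32;
            /* NOTE(review): the NAT rule named cctv1 maps 1.1.1.13 to 192.168.1.154
               (ws54), not to this .2 host, so only ws54 is actually reachable through
               policy cctv1-isp1. Confirm which host is the camera. */
            address cctv1 192.168.1.2/32;
            address fs1 192.168.1.5/32;
            address fs3 192.168.1.7/32;
            address db1 192.168.1.4/32;
            address bk1 192.168.1.9/32;
            address Iky 192.168.1.188/32;
            address Zuri 192.168.1.110/32;
            address Ricky 192.168.1.126/32;
            address Blanche 192.168.1.124/32;
            address hk-office 192.168.1.0/24;
            address exchange2 192.168.1.8/32;
            address fs2 192.168.1.11/32;
            address hk-office-201 192.168.201.0/24;
            address Arthur 192.168.1.101/32;
            address Nic 192.168.1.132/32;
            address hk-office-10 192.168.10.0/24;
            address ha1 192.168.201.1/32;
            address ha2 192.168.201.2/32;
            address ws54 192.168.1.154/32;
            address-set management {
                address Iky;
                address Zuri;
                address Ricky;
                address Blanche;
            }
            address-set it {
                address Arthur;
                address Nic;
            }
            address-set server {
                address ftp1;
                address cctv1;
                address fs1;
                address fs3;
                address db1;
                address bk1;
                address exchange2;
                address ha1;
                address ha2;
                address fs2;
            }
            attach {
                zone trust;
            }
        }
        branch-office {
            address gz-office 192.168.4.0/24;
            address eu-office 192.168.5.0/24;
            address sz-office 192.168.6.0/24;
            attach {
                zone vpn;
            }
        }
    }
    application-tracking;
    dynamic-vpn {
        access-profile dyn-vpn-radius-auth;
        clients {
            /* NOTE(review): remote-exceptions 0.0.0.0/0 makes this a split tunnel;
               only 192.168.201.0/24 is protected and the client's other traffic
               bypasses the office egress controls. Intentional, but worth stating. */
            dynamic-vpn-isp1 {
                remote-protected-resources {
                    192.168.201.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn-isp1;
                user {
                    ArthurLai;
                    ChristineLam;
                    ClintonCheong;
                    Zur;
                }
            }
            dynamic-vpn-isp2 {
                remote-protected-resources {
                    192.168.201.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn-isp2;
                user {
                    ArthurLai;
                    ChristineLam;
                    ClintonCheong;
                    Zur;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone [ isp2 isp1 untrust ];
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set isp1-mapping {
                from interface vlan.10;
                rule mail1 {
                    match {
                        destination-address 1.1.1.11/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.8/32;
                            }
                        }
                    }
                }
                rule ftp1 {
                    match {
                        destination-address 1.1.1.12/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.10/32;
                            }
                        }
                    }
                }
                rule cctv1 {
                    match {
                        destination-address 1.1.1.13/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.154/32;
                            }
                        }
                    }
                }
            }
            rule-set isp2-mapping {
                from interface vlan.20;
                rule mail2 {
                    match {
                        destination-address 2.2.2.11/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.8/32;
                            }
                        }
                    }
                }
                rule ftp2 {
                    match {
                        destination-address 2.2.2.12/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.10/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface vlan.20 {
                address {
                    2.2.2.11/32 to 2.2.2.12/32;
                }
            }
            interface vlan.10 {
                address {
                    1.1.1.11/32 to 1.1.1.13/32;
                }
            }
        }
    }
    policies {
        from-zone vpn to-zone trust {
            policy branches-to-hk {
                match {
                    source-address [ gz-office eu-office sz-office ];
                    destination-address [ hk-office hk-office-201 ];
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone vpn {
            policy hk-to-branches {
                match {
                    source-address [ hk-office hk-office-201 ];
                    destination-address [ gz-office eu-office sz-office ];
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* NOTE(review): the server, it and management sets get "application any"
           egress with no logging on server-to-* and management-to-*. Servers in
           particular should be limited to the protocols they need. */
        from-zone trust to-zone isp1 {
            policy ws54 {
                match {
                    source-address ws54;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy server-to-isp1 {
                match {
                    source-address server;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy it-to-internet {
                match {
                    source-address it;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy management-to-isp1 {
                match {
                    source-address management;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-to-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application internet;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone isp2 {
            policy server-to-isp2 {
                match {
                    source-address server;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy it-to-isp2 {
                match {
                    source-address it;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy management-to-isp2 {
                match {
                    source-address management;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-to-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application internet;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone isp1 to-zone trust {
            policy mail1-isp1 {
                match {
                    source-address any;
                    destination-address exchange2;
                    application e-mail;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* NOTE(review): FTP is exposed from the Internet in cleartext (credentials
               on the wire); prefer SFTP/FTPS or restrict source-address. */
            policy ftp1-isp1 {
                match {
                    source-address any;
                    destination-address ftp1;
                    application junos-ftp;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy cctv1-isp1 {
                match {
                    source-address any;
                    destination-address [ cctv1 ws54 ];
                    application [ cctv1 junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy dyn-vpn-isp1-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn-isp1;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
            policy dailup-vpn-isp1-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dailup-vpn-isp1;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone isp2 to-zone trust {
            policy mail2-isp2 {
                match {
                    source-address any;
                    destination-address exchange2;
                    application e-mail;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy ftp2-isp2 {
                match {
                    source-address any;
                    destination-address ftp1;
                    application junos-ftp;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy dyn-vpn-isp2-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn-isp2;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
            policy dailup-vpn-isp2-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dailup-vpn-isp2;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        /* NOTE(review): zone untrust has no interfaces (see zones below), so this
           context and the source-NAT "to zone untrust" entry are inert. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* Review: the two intrazone contexts below were previously permitted only by
           default-policy permit-all. They are made explicit so the default can be
           flipped to deny-all: trust<->trust carries 192.168.1.0/24 <-> 192.168.201.0/24
           (both on vlan.0); vpn<->vpn carries branch-to-branch traffic hairpinned
           through the st0 units. Any other zone pair that silently depended on
           permit-all (e.g. vpn->isp1, isp1->vpn) is now dropped and needs its own
           policy. */
        from-zone trust to-zone trust {
            policy intra-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy intra-vpn {
                match {
                    source-address [ gz-office eu-office sz-office ];
                    destination-address [ gz-office eu-office sz-office ];
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* Review: was permit-all, which let any traffic between zone pairs with no
           explicit context (Internet-facing isp1/isp2 included) through unlogged. */
        default-policy {
            deny-all;
        }
    }
    zones {
        /* NOTE(review): trust accepts every system service and protocol toward the
           RE. Acceptable for an inside LAN but worth trimming to what is used
           (ssh, https, ping, ike, dns/ntp as needed). */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        /* NOTE(review): untrust has no interfaces bound; either bind one or delete
           the zone and its policy/NAT references. http removed for consistency with
           the web-management change. */
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    https;
                    ike;
                    ping;
                    ssh;
                }
                protocols {
                    all;
                }
            }
        }
        /* Review (isp1/isp2): http removed (cleartext J-Web on the Internet side);
           dhcp removed (vlan.10/vlan.20 are statically addressed); "protocols all"
           removed (no routing protocol is configured anywhere in this file, only
           static routes). https stays for dynamic-vpn, ike for the tunnels.
           NOTE(review): ssh and ping from the whole Internet remain; restrict ssh
           with a loopback/RE filter or move management to the inside. */
        security-zone isp1 {
            screen untrust-screen;
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ike;
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone isp2 {
            screen untrust-screen;
            interfaces {
                vlan.20 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ike;
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.12 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
                st0.22;
                st0.31;
                st0.32;
                st0.21 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
                st0.11 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    /* Filter-based forwarding on vlan.0: keep LAN/branch traffic in inet.0, steer
       web/DNS from non-server hosts out via ISP2, accept everything else. */
    filter only-http-isp2-out {
        term t1 {
            from {
                destination-address {
                    192.168.1.0/24;
                    192.168.5.0/24;
                    192.168.4.0/24;
                    192.168.6.0/24;
                }
            }
            then accept;
        }
        term t2 {
            from {
                /* Review: 0.0.0.0/0 listed explicitly so the term does not rely on the
                   implicit match-all Junos applies to an except-only list; the /32
                   excepts still win by longest match. */
                source-address {
                    0.0.0.0/0;
                    192.168.1.154/32 except;
                    192.168.1.2/32 except;
                    192.168.1.8/32 except;
                    192.168.1.10/32 except;
                }
                destination-address {
                    0.0.0.0/0;
                }
                /* Review: destination-port is only meaningful for TCP/UDP; without a
                   protocol match the port bytes of other protocols were being compared. */
                protocol [ tcp udp ];
                destination-port [ http https 53 8443 ];
            }
            then {
                routing-instance isp2-routing;
            }
        }
        term default {
            from {
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
    /* NOTE(review): vlan.10 is 1.1.1.10/24 and the static-NAT targets are
       1.1.1.11-13, none of which fall inside 1.1.1.0/29; term 1 therefore never
       matches the published services. Confirm the intended prefix. */
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
}
access {
    profile dyn-vpn-radius-auth {
        authentication-order radius;
        address-assignment {
            pool dyn-vpn-address-pool;
        }
        radius-server {
            /* NOTE(review): RADIUS (PAP/CHAP over UDP) runs on the inside LAN only;
               keep it that way and rotate the shared secret with the XAuth PSK. */
            192.168.1.11 {
                port 1812;
                secret "xxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.10.0/24;
                xauth-attributes {
                    primary-dns 192.168.1.8/32;
                }
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile dyn-vpn-radius-auth;
        }
        web-authentication {
            default-profile dyn-vpn-radius-auth;
        }
    }
}
routing-instances {
    TRUST-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop 192.168.1.1;
            }
        }
    }
    isp2-routing {
        instance-type virtual-router;
        interface vlan.20;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.1;
                    qualified-next-hop 1.1.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
    isp1-routing {
        instance-type virtual-router;
        interface vlan.10;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 1.1.1.1;
                    qualified-next-hop 2.2.2.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}
applications {
    application pop3-ssl {
        protocol tcp;
        source-port 0-65535;
        destination-port 995;
    }
    /* NOTE(review): SMTPS is conventionally tcp/465; 466 may be a typo. Left as-is
       because the mail server's listener is not visible from here. */
    application smtp-ssl {
        protocol tcp;
        source-port 0-65535;
        destination-port 466;
    }
    application cctv1 {
        term t1 protocol tcp source-port 0-65535 destination-port 80;
        term t2 protocol tcp source-port 0-65535 destination-port 8000;
        term t3 protocol tcp source-port 0-65535 destination-port 8003;
        term t4 protocol tcp source-port 0-65535 destination-port 554;
    }
    application cebbank {
        term t1 protocol tcp source-port 0-65535 destination-port 8443;
        term t2 protocol tcp source-port 389 destination-port 389;
    }
    application rubiconretai {
        protocol tcp;
        source-port 0-65535;
        destination-port 81;
    }
    application isp1-billing {
        protocol tcp;
        source-port 0-65535;
        destination-port 8020;
    }
    application rpc-over-http {
        term t3 protocol tcp destination-port 6004;
        term t2 protocol tcp destination-port 6001-6002;
        term t1 protocol tcp destination-port 593;
    }
    application-set internet {
        application junos-ftp;
        application junos-http;
        application junos-https;
        application junos-dns-udp;
        application junos-dns-tcp;
        application junos-icmp-all;
        application cebbank;
        application isp1-billing;
        application rubiconretai;
    }
    application-set e-mail {
        application pop3-ssl;
        application smtp-ssl;
        application junos-pop3;
        application junos-https;
        application junos-smtp;
        application junos-imap;
        application junos-imaps;
        application rpc-over-http;
    }
}
vlans {
    vlan-isp2 {
        vlan-id 20;
        interface {
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
        }
        l3-interface vlan.20;
    }
    vlan-isp1 {
        vlan-id 10;
        interface {
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
        }
        l3-interface vlan.10;
    }
    vlan-trust {
        vlan-id 3;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
        }
        l3-interface vlan.0;
    }
}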