## Last changed: 2013-09-04 08:11:23 CEST
/* Junos security-device configuration: hub for six IKEv1 site-to-site tunnels
   (st0.1-st0.7) terminated on ge-0/0/0, a remote-access dynamic VPN on ge-0/0/1,
   destination NAT for a mail server, a SIP server and a NAS, and one inside VLAN
   (vlan.0, 192.168.123.0/24). Public addresses and secrets are masked with X
   in this copy. Annotations marked NOTE(review) flag points to verify or harden. */
version 12.1X44.4;
system {
    host-name hosty.my-domain.local;
    domain-name my-domain.local;
    domain-search my-domain.local;
    time-zone Europe/Berlin;
    root-authentication {
        encrypted-password "XXXXXXXXXXXXXXXX"; ## SECRET-DATA
    }
    /* One inside resolver (.245) and one public resolver. */
    name-server {
        192.168.123.245;
        213.73.91.35;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        /* NOTE(review): xnm-clear-text serves JUNOScript/XNM without TLS, so management
           logins and configuration cross the network unencrypted. Replace it with xnm-ssl
           or netconf over ssh unless a cleartext-only client still depends on it. */
        xnm-clear-text;
        /* DNS proxy for LAN clients on vlan.0; the cache entries pin the two resolvers
           and the device's own vlan.0 address (192.168.123.250). */
        dns {
            dns-proxy {
                propogate-setting enable;
                interface {
                    vlan.0;
                }
                default-domain my-domain.local;
                cache {
                    hostydns inet 192.168.123.245;
                    cccdns inet 213.73.91.35;
                    juniper inet 192.168.123.250;
                }
            }
        }
        web-management {
            /* NOTE(review): level all / flag all together with debug-level 9 below is full
               debug tracing of the web UI; traces can fill the flash and may record request
               details. Keep this off outside an active troubleshooting window. */
            traceoptions {
                level all;
                flag all;
            }
            management-url no-access-jweb;
            /* NOTE(review): J-Web listens on the public ge-0/0/1.0 as well as the inside VLAN,
               with a self-signed certificate that clients cannot verify. Restrict it to vlan.0
               (or reach it over the VPN) and install a CA-issued certificate if remote
               administration over HTTPS is really required. */
            https {
                port 443;
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
            limits {
                debug-level 9;
            }
            session {
                idle-timeout 240;
                session-limit 7;
            }
        }
    }
    /* NOTE(review): logging stays on the box (no syslog host configured); only critical
       events, authorization messages and the two policies with log statements are
       recorded. An off-box collector is needed to preserve evidence if the device is
       compromised or reset. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 10;
    max-configuration-rollbacks 10;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* Single unauthenticated public NTP source; a second server and an
       authentication-key would make time (and therefore log timestamps) harder to skew. */
    ntp {
        server 178.63.9.212;
    }
}
interfaces {
    /* Primary public address of the /29; the six site-to-site IKE gateways use this
       interface (see security ike gateway ... external-interface). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 217.XXX.XXX.XX8/29;
            }
        }
    }
    /* Second public address of the same /29; J-Web HTTPS and the dynamic-VPN gateway
       (dyn-vpn-local-gw) listen here. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 217.XXX.XXX.XX9/29;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    /* Access port to the legacy Netscreen. Speed/duplex are forced while
       auto-negotiation stays enabled -- confirm the peer side is set the same way. */
    ge-0/0/7 {
        description Netscreen;
        speed 100m;
        link-mode full-duplex;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan0;
                }
            }
        }
    }
    /* ge-0/0/8 .. ge-0/0/15: inside switch ports, all members of vlan0. */
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    /* One route-based tunnel unit per remote site; the /32 tunnel addresses are taken
       from the inside LAN range. Unit 3 (Amsterdam) is the only one without inet6 and
       the only one with an explicit MTU. */
    st0 {
        unit 1 {
            description Tunnel-Berlin;
            family inet {
                address 192.168.123.124/32;
            }
            family inet6;
        }
        unit 2 {
            description Tunnel-Tokio;
            family inet {
                address 192.168.123.125/32;
            }
            family inet6;
        }
        unit 3 {
            description Tunnel-Amsterdam;
            family inet {
                mtu 1500;
                address 192.168.123.126/32;
            }
        }
        unit 4 {
            description Tunnel-Wien;
            family inet {
                address 192.168.123.127/32;
            }
            family inet6;
        }
        unit 5 {
            description Tunnel-Kiev;
            family inet {
                address 192.168.123.130/32;
            }
            family inet6;
        }
        unit 7 {
            description "Tunnel Tobago";
            family inet {
                address 192.168.123.132/32;
            }
            family inet6;
        }
    }
    /* Routed interface of vlan0; default gateway of the inside LAN. */
    vlan {
        unit 0 {
            family inet {
                address 192.168.123.250/24;
            }
        }
    }
}
routing-options {
    /* Remote-site prefixes are reached through their st0 units (tunnel up = route usable);
       192.168.10.0/24 (WIT-NETZ-10) sits behind an inside router at .251. */
    static {
        route 0.0.0.0/0 next-hop 2XX.XXX.XXX.XX8;
        route 192.168.10.0/24 next-hop 192.168.123.251;
        route 192.168.124.0/24 next-hop st0.1;
        route 192.168.125.0/24 next-hop st0.2;
        route 192.168.126.0/24 next-hop st0.3;
        route 192.168.127.0/24 next-hop st0.4;
        route 192.168.130.0/24 next-hop st0.5;
        route 192.168.0.0/24 next-hop st0.7;
    }
}
protocols {
    /* Spanning tree is disabled device-wide; only the Netscreen port keeps a
       point-to-point setting. */
    stp {
        disable;
        interface ge-0/0/7.0 {
            mode point-to-point;
        }
    }
}
security {
    /* Event mode: security logs are delivered through the system syslog configuration
       above; no dedicated stream-mode collector is configured. */
    log {
        mode event;
    }
    ike {
        /* NOTE(review): every site tunnel negotiates IKEv1 aggressive mode with a pre-shared
           key, 3DES, SHA-1 and DH group 2 (1024-bit MODP). Aggressive mode exposes the
           PSK-based authentication hash to offline guessing, and 3DES / group 2 are below
           current guidance; move to main mode, AES, SHA-2 and group 14 or higher as the
           peers allow. PSK-3DES-SHA is defined but referenced by no policy. */
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 12000;
        }
        proposal PSK-3DES-SHA {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 8000;
        }
        /* Phase-1 proposals offered to dynamic-VPN clients (AES, still group 2 / SHA-1). */
        proposal dyn_sha1_psk_aes_128 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        proposal dyn_sha1_psk_aes_256 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        /* One IKE policy per site, all aggressive mode with a per-site PSK. */
        policy ike_pol_Amsterdam {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy ike_pol_Berlin {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy ike_pol_Tokio {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy ike_pol_Wien {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy ike_pol_Kiev_Privat {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy ike_pol_Tobago {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        /* Shared group PSK for all remote-access clients; individual users are then
           authenticated by XAUTH (see gateway dyn-vpn-local-gw and the access profile). */
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposals [ dyn_sha1_psk_aes_128 dyn_sha1_psk_aes_256 ];
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        /* Static peers, IKEv1 only, all on the ge-0/0/0.0 public address. */
        gateway gw_Berlin {
            ike-policy ike_pol_Berlin;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway gw_Tokio {
            ike-policy ike_pol_Tokio;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway gw_Amsterdam {
            ike-policy ike_pol_Amsterdam;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway gw_Wien {
            ike-policy ike_pol_Wien;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway gw_Kiev-Privat {
            ike-policy ike_pol_Kiev_Privat;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway gw_Tobago {
            ike-policy ike_pol_Tobago;
            address 217.XXX.XXX.XXX;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        /* Remote-access gateway on ge-0/0/1.0: group IKE ID, at most 10 concurrent
           clients, users verified by XAUTH against dyn-vpn-access-profile. */
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname hosty.my-domain.local;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/1.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        /* Phase-2 proposals: ESP with HMAC-SHA1-96; 3DES for the sites, AES for clients. */
        proposal g2-esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 6000;
        }
        proposal dyn_vpn_sha1_aes128_esp {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        proposal dyn_vpn_sha1_aes256_esp {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        /* All IPsec policies enable PFS with group 2. */
        policy ipsec_pol_Amsterdam {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec_pol_Berlin {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec_pol_Wien {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec_pol_Tokio {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec_pol_Kiev_Privat {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec_pol_Tobago {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        policy ipsec-dyn-vpn-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals [ dyn_vpn_sha1_aes128_esp dyn_vpn_sha1_aes256_esp ];
        }
        /* Route-based site tunnels, each bound to its st0 unit and brought up immediately.
           Only Tokio and Kiev-Privat carry vpn-monitor; the other four tunnels have no
           liveness monitoring configured here. */
        vpn Berlin {
            bind-interface st0.1;
            ike {
                gateway gw_Berlin;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.124.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Berlin;
            }
            establish-tunnels immediately;
        }
        vpn Tokio {
            bind-interface st0.2;
            vpn-monitor;
            ike {
                gateway gw_Tokio;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.125.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Tokio;
            }
            establish-tunnels immediately;
        }
        vpn Amsterdam {
            bind-interface st0.3;
            ike {
                gateway gw_Amsterdam;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.126.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Amsterdam;
            }
            establish-tunnels immediately;
        }
        vpn Wien {
            bind-interface st0.4;
            ike {
                gateway gw_Wien;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.127.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Wien;
            }
            establish-tunnels immediately;
        }
        vpn Kiev-Privat {
            bind-interface st0.5;
            /* Monitors a host on the remote side (192.168.123.242) from the tunnel interface. */
            vpn-monitor {
                optimized;
                source-interface st0.5;
                destination-ip 192.168.123.242;
            }
            ike {
                gateway gw_Kiev-Privat;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.130.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Kiev_Privat;
            }
            establish-tunnels immediately;
        }
        vpn Tobago {
            bind-interface st0.7;
            ike {
                gateway gw_Tobago;
                proxy-identity {
                    local 192.168.123.0/24;
                    remote 192.168.0.0/24;
                    service any;
                }
                ipsec-policy ipsec_pol_Tobago;
            }
            establish-tunnels immediately;
        }
        /* Policy-based VPN object used by the dynamic-VPN tunnel policy (policy_in_dyn_vpn). */
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    application-tracking;
    /* Remote-access client policy: only the four listed prefixes are sent into the
       tunnel; remote-exceptions 0.0.0.0/0 leaves all other client traffic on its local
       path (split tunnelling). A single local user, user111, is authorised. */
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all {
                remote-protected-resources {
                    192.168.123.0/24;
                    192.168.124.0/24;
                    192.168.125.0/24;
                    192.168.127.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    user111;
                }
            }
        }
    }
    screen {
        /* NOTE(review): untrust-screen is defined but no security-zone references it
           (there is no `screen untrust-screen;` under zones), so none of these checks
           is active. Attach it to security-zone internet. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Outbound: everything from internal to internet is hidden behind the egress interface. */
        source {
            rule-set nsw_srcnat {
                from zone internal;
                to zone internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Inbound port forwards. Every rule matches the whole public /29, so any address
           in the block -- including ge-0/0/1's -- forwards these ports to the inside hosts:
           .246 mail server (443/80/25), .247 3CX (5060), .248 NAS (873). */
        destination {
            pool HTTPS_to_Mailserver {
                address 192.168.123.246/32 port 443;
            }
            pool HTTP_to_Mailserver {
                address 192.168.123.246/32 port 80;
            }
            pool SMTP_to_Mailserver {
                address 192.168.123.246/32 port 25;
            }
            pool 3cx_to_Terminalserver {
                address 192.168.123.247/32 port 5060;
            }
            pool RSYNC_to_NAS {
                address 192.168.123.248/32 port 873;
            }
            rule-set nsw_destnat {
                from zone internet;
                rule 0_HTTPS--Mailserver_443 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 217.XXX.XXX.XX8/29;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool HTTPS_to_Mailserver;
                    }
                }
                rule 0_HTTP--Mailserver_80 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 217.XXX.XXX.XX8/29;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool HTTP_to_Mailserver;
                    }
                }
                rule 1_SMTP--Mailserver_25 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 217.XXX.XXX.XX8/29;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool SMTP_to_Mailserver;
                    }
                }
                /* SIP and rsync are exposed to any source; a source-address restriction
                   (rsync in particular) would shrink the exposed surface. */
                rule 2_3cx_SIP--Terminalserver_5060 {
                    match {
                        destination-address 217.XXX.XXX.XX8/29;
                        destination-port 5060;
                    }
                    then {
                        destination-nat pool 3cx_to_Terminalserver;
                    }
                }
                rule 3_RSYNC--NAS_873 {
                    match {
                        destination-address 217.XXX.XXX.XX8/29;
                        destination-port 873;
                    }
                    then {
                        destination-nat pool RSYNC_to_NAS;
                    }
                }
            }
        }
        /* Answers ARP on vlan.0 for the dynamic-VPN client pool (192.168.123.180-191,
           see access address-assignment) so clients are reachable from the LAN. */
        proxy-arp {
            interface vlan.0 {
                address {
                    192.168.123.180/32 to 192.168.123.191/32;
                }
            }
        }
    }
    policies {
        /* NOTE(review): the zones are named `internal` and `internet` under security zones and
           NAT but are capitalised here and in the nsw-5060-873_..._http application reference.
           Identifiers are case-sensitive in Junos, so confirm the live configuration resolves
           these; the mismatch may be an artefact of sanitising this copy. */
        from-zone Internet to-zone Internal {
            /* Inbound policies are evaluated top-down; the first six are open to any
               source/destination and rely on destination NAT to steer traffic. */
            policy PDS_Server_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application PDS-4444;
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): junos-telnet is redefined under applications below as plain
               `protocol tcp` with no destination-port. If that user definition takes
               precedence over the predefined junos-telnet (explicit configuration overrides
               junos-defaults), this policy permits every TCP port from any source to any
               inside destination, and the Web, Mail, 5060-873 and SSH policies after it never
               see TCP traffic. Add `destination-port 23` to that application or delete it. */
            policy Telnet_Server_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application junos-telnet;
                }
                then {
                    permit;
                }
            }
            /* Permits 80/443 to any inside destination; the NAT rules only steer these
               ports to the mail server, so destination-address could be narrowed to that host. */
            policy Web_Server_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy Mail_Server_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            /* The only inbound policy with session logging. Its 80-term is already matched
               by Web_Server_Internet_Internal above, so logging here effectively covers SIP
               (5060) and rsync (873) only. */
            policy 5060-873_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application nsw-5060-873_Internet_Internal_1_http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* SSH from any source to any inside host; no destination-NAT rule for port 22
               is defined here, so verify what this actually reaches and scope it. */
            policy SSH_Server_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            /* Site-to-site: each remote LAN may reach the local LAN on any application. */
            policy policy_in_Berlin {
                match {
                    source-address Netz-Berlin;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Tokio {
                match {
                    source-address Netz-Tokio;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Amsterdam {
                match {
                    source-address Netz-Amsterdam;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy policy_in_Wien {
                match {
                    source-address Netz-Wien;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Kiev-Privat {
                match {
                    source-address Netz-Kiev-Privat;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Tobago {
                match {
                    source-address Netz-Tobago;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Remote-access users get any/any access into Internal once the tunnel policy
               matches; scoping destination-address to what clients need would limit the
               blast radius of a lost client credential. */
            policy policy_in_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        from-zone Internal to-zone Internet {
            policy PDS_All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application PDS-4444;
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): this any/any/any permit is matched first, so the policy_out_*
               rules below are never evaluated (policies are matched in order). Delete them
               or move them above this catch-all if they are meant to be the governing rules. */
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Berlin {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Berlin;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Tokio {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Tokio;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Amsterdam {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Amsterdam;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Wien {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Wien;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Kiev-Privat {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Kiev-Privat;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Tobago {
                match {
                    source-address Netz-intern;
                    destination-address Netz-Tobago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Hub policy ("from all tunnels to all tunnels"): any of the six site networks in
           address-set 123GM may reach any other through this device on any application. */
        from-zone Internet to-zone Internet {
            policy 123GM-all {
                description "von allen Tunneln in alle Tunnel";
                match {
                    source-address 123GM;
                    destination-address 123GM;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy WIT-123-all-internal {
                match {
                    source-address WIT-NETZ-10;
                    destination-address Netz-intern;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy All_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone internal {
            address-book {
                address Netz-intern 192.168.123.0/24;
                address WIT-NETZ-10 192.168.10.0/24;
            }
            /* Inside zone accepts every system service and routing protocol. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            /* NOTE(review): ge-0/0/7.0, ge-0/0/9.0 and ge-0/0/10.0 are family
               ethernet-switching units (see interfaces); the routed interface for this
               VLAN is vlan.0. Confirm the device accepts them as zone members. */
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/10.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/9.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone internet {
            /* Remote-site LANs; 123GM groups all six for the hub policy. */
            address-book {
                address Netz-Tobago 192.168.0.0/24;
                address Netz-Berlin 192.168.124.0/24;
                address Netz-Tokio 192.168.125.0/24;
                address Netz-Amsterdam 192.168.126.0/24;
                address Netz-Wien 192.168.127.0/24;
                address Netz-Kiev-Privat 192.168.130.0/24;
                address-set 123GM {
                    address Netz-Berlin;
                    address Netz-Tokio;
                    address Netz-Wien;
                    address Netz-Kiev-Privat;
                    address Netz-Tobago;
                    address Netz-Amsterdam;
                }
            }
            /* NOTE(review): zone-level all/all is the default for any zone interface without
               its own host-inbound-traffic statement, including interfaces added later.
               The two public interfaces carry explicit service lists below, but every st0
               unit still admits all system-services from the remote sites, and routing
               protocols are accepted zone-wide. Verify with `show security zones` what the
               public interfaces inherit, and list only ike, ping and the management
               services actually needed. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* http is admitted here although web-management only configures https;
                   remove it. ssh/https on a public interface should be paired with an
                   off-box log destination (see system syslog). */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            http;
                            ssh;
                            ike;
                        }
                    }
                }
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                            ssh;
                        }
                    }
                }
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.4 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.5 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.7 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
    }
}
access {
    /* XAUTH profile for the dynamic VPN: one local user with a password-only
       authentication order; no external (RADIUS/LDAP) backend and no lockout policy
       are configured here. */
    profile dyn-vpn-access-profile {
        authentication-order password;
        client user111 {
            firewall-user {
                password "XXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    /* Clients receive addresses from the LAN range itself (.180-.191) and the inside
       resolver; proxy-arp on vlan.0 covers the same range. */
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.123.0/24;
                range dvpn-range {
                    low 192.168.123.180;
                    high 192.168.123.191;
                }
                xauth-attributes {
                    primary-dns 192.168.123.245/32;
                }
            }
        }
    }
    /* Web (captive-portal style) authentication reuses the VPN profile;
       the success banner is German for "successful". */
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
            banner {
                success ERFOLGREICH;
            }
        }
    }
}
applications {
    /* Multi-term application used by policy 5060-873_Internet_Internal (name differs
       in case from that reference -- see the note on security policies). */
    application nsw-5060-873_internet_internal_1_http {
        term 80-term protocol tcp destination-port 80;
        term 5060-term protocol tcp destination-port 5060;
        term 873-term protocol tcp destination-port 873;
    }
    /* NOTE(review): this user-defined junos-telnet has no destination-port, so it matches
       all TCP; if it overrides the predefined junos-telnet it turns
       Telnet_Server_Internet_Internal into an any-TCP permit from the Internet.
       Add `destination-port 23` or remove the definition. */
    application junos-telnet {
        protocol tcp;
        inactivity-timeout 28800;
    }
    /* Custom TCP/4444 service with an 8-hour idle timeout, permitted inbound and
       outbound by the PDS_* policies. */
    application PDS-4444 {
        protocol tcp;
        destination-port 4444;
        inactivity-timeout 28800;
    }
}
vlans {
    /* vlan0 (VLAN ID 2) is routed by vlan.0; only ge-0/0/7.0 is listed here, ports
       ge-0/0/8 to ge-0/0/15 join it through their own `members vlan0` statements. */
    vlan0 {
        vlan-id 2;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.0;
    }
}