version 12.1R1.9; system { host-name BMI; domain-name bmi.local; time-zone Europe/Brussels; root-authentication { encrypted-password "$1$ocLI2tPN$hFkZbLXMQ2bwGpnCjZY5J0"; ## SECRET-DATA } name-server { 195.238.2.21; 195.238.2.22; } login { user PcManager { uid 2001; class super-user; authentication { encrypted-password "$1$YwU3Fupj$9qaLMZ1tcpIw5U8/L9Qdm/"; ## SECRET-DATA } } user support { uid 2000; class super-user; authentication { encrypted-password "$1$OqYZi7y5$ZcIZOJuU5BqEiMJWBOKx7/"; ## SECRET-DATA } } } services { ssh { root-login allow; protocol-version v2; } web-management { management-url admin; http { interface vlan.0; } https { port 443; system-generated-certificate; interface [ fe-0/0/0.0 pp0.0 ]; } } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; ## ## Warning: statement ignored: unsupported platform (srx100b) ## max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } ntp { server 207.46.232.182; } } interfaces { interface-range interfaces-trust { member fe-0/0/1; member fe-0/0/2; member fe-0/0/3; member fe-0/0/4; member fe-0/0/5; member fe-0/0/6; member fe-0/0/7; unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/0 { unit 0 { encapsulation ppp-over-ether; } } pp0 { unit 0 { ppp-options { chap { default-chap-secret "$9$JeZDkzF/AtOqmu1hSW8bs2oDi"; ## SECRET-DATA local-name "fb882913@SKYNET"; passive; } } pppoe-options { underlying-interface fe-0/0/0.0; idle-timeout 0; auto-reconnect 5; client; } family inet { mtu 1492; negotiate-address; } } } st0 { unit 0 { family inet; } } vlan { unit 0 { family inet { address 192.168.1.254/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop pp0.0; route 192.168.20.0/24 next-hop st0.0; } } security { ike { respond-bad-spi 5; proposal bmi-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm aes-128-cbc; lifetime-seconds 3600; } policy bmi-policy { mode aggressive; proposals bmi-proposal; pre-shared-key ascii-text "$9$bV2oGUjHTF6sY6AtuREhcylM8"; ## SECRET-DATA } policy ike-dyn-vpn-policy { mode aggressive; proposal-set standard; pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA } gateway naturalize-gateway { ike-policy bmi-policy; dynamic hostname turnhout.bmi.local; dead-peer-detection { interval 10; threshold 5; } external-interface pp0.0; } gateway dyn-vpn-local-gw { ike-policy ike-dyn-vpn-policy; dynamic { hostname dynvpn; connections-limit 10; ike-user-type group-ike-id; } external-interface pp0.0; xauth access-profile dyn-vpn-access-profile; } } ipsec { vpn-monitor-options { interval 20; threshold 3; } proposal bmi-proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-128-cbc; lifetime-seconds 28800; } policy bmi-policy { perfect-forward-secrecy { keys group2; } proposals bmi-proposal; } policy ipsec-dyn-vpn-policy { proposal-set standard; } vpn naturalize-vpn { bind-interface st0.0; vpn-monitor { optimized; source-interface vlan.0; destination-ip 192.168.20.254; } ike { gateway naturalize-gateway; ipsec-policy bmi-policy; } establish-tunnels immediately; } vpn dyn-vpn { ike { gateway dyn-vpn-local-gw; ipsec-policy ipsec-dyn-vpn-policy; } } } dynamic-vpn { access-profile dyn-vpn-access-profile; clients { all { remote-protected-resources { 192.168.1.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dyn-vpn; user { PcManager; geelen; } } } } flow { tcp-mss { all-tcp { mss 1350; } ipsec-vpn { mss 1350; } } tcp-session { no-sequence-check; } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } destination { pool BMISERVER { address 192.168.1.101/32; } pool BMIPC { address 192.168.1.252/32; } rule-set from-untrust { from zone untrust; rule BMIApp { match { destination-address 0.0.0.0/0; destination-port 8080; } then { destination-nat pool BMIPC; } } rule BMITSC { match { destination-address 0.0.0.0/0; destination-port 4325; } then { destination-nat pool BMIPC; } } rule becosoft { match { destination-address 0.0.0.0/0; destination-port 1433; } then { destination-nat pool BMISERVER; } } rule RDP { match { destination-address 0.0.0.0/0; destination-port 3389; } then { destination-nat pool BMIPC; } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone trust { policy permit_all { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy RDP { match { source-address any; destination-address [ BMIPC BMISERVER ]; application RDP; } then { permit; } } policy BMIApp { match { source-address any; destination-address BMIPC; application BMIApp; } then { permit; } } policy becosoft-1433 { match { source-address [ becosoft-1 becosoft-2 ]; destination-address BMISERVER; application junos-ms-sql; } then { permit; } } policy BMITSC { match { source-address any; destination-address BMIPC; application BMITsc; } then { permit; } } policy dyn-vpn-policy { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn dyn-vpn; } } } } } } zones { security-zone trust { address-book { address BMISERVER 192.168.1.101/32; address BMIPC 192.168.1.252/32; } interfaces { vlan.0 { host-inbound-traffic { system-services { ssh; ping; https; } } } st0.0; } } security-zone untrust { address-book { address becosoft-1 213.181.47.234/32; address becosoft-2 194.78.21.232/32; } screen untrust-screen; interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { dhcp; ftp; ssh; ike; https; ping; } } } pp0.0 { host-inbound-traffic { system-services { ike; ssh; dhcp; https; ping; } } } } } } } access { profile dyn-vpn-access-profile { client PcManager { firewall-user { password "$9$W2cX7-bs4Ui.XxDkmfzF/9AuIc"; ## SECRET-DATA } } client geelen { firewall-user { password "$9$3QV890IyrvX7VRhNbs4Dj/CAp1R"; ## SECRET-DATA } } address-assignment { pool dyn-vpn-address-pool; } } address-assignment { pool dyn-vpn-address-pool { family inet { network 10.10.10.0/24; range dvpn-range { low 10.10.10.10; high 10.10.10.20; } xauth-attributes { primary-dns 192.168.1.101/32; } } } } firewall-authentication { web-authentication { default-profile dyn-vpn-access-profile; } } } applications { application RDP { protocol tcp; destination-port 3389; } application BMIApp { protocol tcp; destination-port 8080; } application BMITsc { protocol tcp; destination-port 4325; } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } }