## Last changed: 2016-05-22 12:25:45 GMT-6 version 12.1X46-D40.2; system { host-name Dallas_SRX; time-zone GMT-6; root-authentication { encrypted-password "zzzzzzzzzzzzzzzzz"; ## SECRET-DATA } name-server { 8.8.8.8; 8.8.4.4; } login { user zzzzzz { uid 2000; class super-user; authentication { encrypted-password "zzzzzzzzzzzzzzzzzzzzzzz"; ## SECRET-DATA } } } services { ssh; web-management { https { system-generated-certificate; interface [ vlan.0 fe-0/0/0.0 ]; } session { idle-timeout 60; } } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } ntp { server 172.16.10.12; } } interfaces { fe-0/0/0 { unit 0 { family inet { address 2.2.2.2/29; } } } fe-0/0/1 { unit 0 { family inet { address 130.16.0.1/24; } } } fe-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } fe-0/0/3 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } fe-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } fe-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } fe-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } fe-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan0; } } } } st0 { unit 0 { family inet; } } vlan { unit 0 { family inet { address 172.16.72.1/24; } } } } snmp { description Dallas_SRX; location "Dallas Server Room"; contact "zzzzzzzzzzzzzzzzz"; community Dallas { authorization read-only; } } routing-options { static { route 0.0.0.0/0 next-hop 2.2.2.3; route 172.16.10.0/24 next-hop st0.0; route 172.16.16.0/24 next-hop st0.0; route 172.16.17.0/24 next-hop st0.0; route 172.16.18.0/24 next-hop st0.0; route 172.16.19.0/24 next-hop st0.0; route 172.16.20.0/24 next-hop st0.0; route 172.16.42.0/24 next-hop st0.0; route 172.16.52.0/24 next-hop st0.0; route 172.16.82.0/24 next-hop st0.0; route 172.16.102.0/24 next-hop st0.0; route 172.16.112.0/24 next-hop st0.0; route 172.16.122.0/24 next-hop st0.0; route 172.16.142.0/24 next-hop st0.0; route 172.16.152.0/24 next-hop st0.0; route 172.16.162.0/24 next-hop st0.0; route 172.16.182.0/24 next-hop st0.0; route 172.16.202.0/24 next-hop st0.0; route 172.16.222.0/24 next-hop st0.0; route 172.16.242.0/24 next-hop st0.0; route 148.56.232.0/22 next-hop st0.0; } } protocols { stp; } security { key-protection; ike { respond-bad-spi 1; proposal Colo_IKE_P1 { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 28800; } policy ike_pol_Colo_VPN { mode main; proposals Colo_IKE_P1; pre-shared-key ascii-text "zzzzzzzzzzzzzzzzzzzzzz"; ## SECRET-DATA } gateway gw_Colo_VPN { ike-policy ike_pol_Colo_VPN; address 1.1.1.1; no-nat-traversal; external-interface fe-0/0/0.0; version v1-only; } } ipsec { vpn-monitor-options { interval 10; threshold 10; } proposal Colo_IPSEC_P2 { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; } policy ipsec_pol_Colo_VPN { perfect-forward-secrecy { keys group2; } proposals Colo_IPSEC_P2; } vpn Colo_VPN { bind-interface st0.0; vpn-monitor; ike { gateway gw_Colo_VPN; proxy-identity { local 172.16.72.0/24; remote 172.16.10.0/24; } ipsec-policy ipsec_pol_Colo_VPN; } establish-tunnels immediately; } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set nsw_srcnat { from zone [ DMZ Trust ]; to zone Internet; rule nsw-src-interface { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone Internet to-zone DMZ { policy All_Internet_DMZ { match { source-address any; destination-address any; application any; } then { deny; } } } from-zone Trust to-zone Internet { policy All_Trust_Internet { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Trust to-zone DMZ { policy All_Trust_DMZ { match { source-address any; destination-address any; application any; } then { deny; } } } from-zone Trust to-zone Trust { policy policy_out_Colo_VPN { match { source-address addr_172_16_72_0_24; destination-address addr_172_16_10_0_24; application any; } then { permit; } } policy policy_in_Colo_VPN { match { source-address addr_172_16_10_0_24; destination-address addr_172_16_72_0_24; application any; } then { permit; } } } from-zone Trust to-zone VPN { policy Trust-VPN-cfgr { match { source-address net-cfgr_172-16-72-0--24; destination-address net-cfgr_172-16-10-0--24; application any; } then { permit; } } } from-zone VPN to-zone Trust { policy VPN-Trust-cfgr { match { source-address net-cfgr_172-16-10-0--24; destination-address net-cfgr_172-16-72-0--24; application any; } then { permit; } } } } zones { security-zone Trust { address-book { address addr_172_16_72_0_24 172.16.72.0/24; address addr_172_16_10_0_24 172.16.10.0/24; address net-cfgr_172-16-72-0--24 172.16.72.0/24; } host-inbound-traffic { system-services { all; } } interfaces { vlan.0 { host-inbound-traffic { system-services { ping; https; ssh; } } } } } security-zone DMZ { interfaces { fe-0/0/1.0; } } security-zone Internet { host-inbound-traffic { system-services { ike; } } interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { https; ssh; } } } } } security-zone VPN { address-book { address net-cfgr_172-16-10-0--24 172.16.10.0/24; } interfaces { st0.0; } } } } vlans { vlan0 { vlan-id 2; l3-interface vlan.0; } }