FW SRX 210
****************************************************

BASIC
******************
root% cli
root> configure
set system root-authentication plain-text-password ****
set system login user admin class super-user authentication encrypted-password *****
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https
set system host-name ****
set system name-server 4.2.2.2
set system name-server 8.8.8.8

Note: telnet and http carry credentials in cleartext. Because the ISP zones below accept host-inbound-traffic system-services all, both are reachable from the Internet; keep only ssh and https.

INTERFACE
******************
set interfaces ge-0/0/0 unit 0 description **CONNECTION_TO_LAN**
set interfaces ge-0/0/1 unit 0 description **CONNECTION_TO_VPN**
set interfaces fe-0/0/2 unit 0 description **INTERNET_CONNECTION_TO_ISP1**
set interfaces fe-0/0/3 unit 0 description **INTERNET_CONNECTION_TO_ISP2**
set interfaces ip-0/0/0 unit 20 description **TUNNEL_TO_A**
set interfaces ip-0/0/0 unit 21 description **TUNNEL_TO_B**
set interfaces ip-0/0/0 unit 22 description **TUNNEL_TO_C**
set interfaces ip-0/0/0 unit 24 description **TUNNEL_TO_D**
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.1/24
set interfaces ge-0/0/0 unit 0 family inet filter input FILTER1
set interfaces ge-0/0/1 unit 0 family inet address 172.27.5.242/29
set interfaces fe-0/0/2 unit 0 family inet address x.x.x.x/x
set interfaces fe-0/0/3 unit 0 family inet address y.y.y.y/y
set interfaces ip-0/0/0 unit 20 family inet address 10.80.80.1/30
set interfaces ip-0/0/0 unit 21 family inet address 10.80.80.5/30
set interfaces ip-0/0/0 unit 22 family inet address 10.80.80.9/30
set interfaces ip-0/0/0 unit 24 family inet address 10.80.80.17/30
set interfaces ip-0/0/0 unit 20 tunnel source 172.27.5.242
set interfaces ip-0/0/0 unit 20 tunnel destination 172.27.162.14
set interfaces ip-0/0/0 unit 21 tunnel source 172.27.5.242
set interfaces ip-0/0/0 unit 21 tunnel destination 172.27.140.11
set interfaces ip-0/0/0 unit 22 tunnel source 172.27.5.242
set interfaces ip-0/0/0 unit 22 tunnel destination 172.27.7.50
set interfaces ip-0/0/0 unit 24 tunnel source 172.27.5.242
set interfaces ip-0/0/0 unit 24 tunnel destination 172.27.133.119

Note: FILTER1 is the filter-based-forwarding filter defined in the FIREWALL FILTER section; every packet arriving from the LAN is steered into a routing instance by it. The ip-0/0/0 units are plain IP-in-IP tunnels carried over the provider VPN behind ge-0/0/1, not IPsec: nothing inside them is encrypted or authenticated by this box.

ZONES
******************
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone VPN interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces ip-0/0/0.20 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces ip-0/0/0.20 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces ip-0/0/0.21 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces ip-0/0/0.21 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces ip-0/0/0.22 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces ip-0/0/0.22 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces ip-0/0/0.24 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces ip-0/0/0.24 host-inbound-traffic protocols all
set security zones security-zone LAN interfaces fe-0/0/7.0 host-inbound-traffic system-services all
set security zones security-zone LAN interfaces fe-0/0/6.0 host-inbound-traffic system-services all
set security zones security-zone ISP_1 interfaces fe-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone ISP_2 interfaces fe-0/0/3.0 host-inbound-traffic system-services all

Note: fe-0/0/6.0 and fe-0/0/7.0 are placed in zone LAN but have no stanza under INTERFACE on this page. On fe-0/0/2.0 and fe-0/0/3.0, system-services all exposes ssh, telnet, http, https and every other management service to the Internet. The policy-based VPN needs only ike on fe-0/0/2.0; add ping if the ISPs must be able to reach the interfaces, and nothing else.

POLICIES
******************
set security policies from-zone LAN to-zone ISP_1 policy allow-internal-clients match source-address any
set security policies from-zone LAN to-zone ISP_1 policy allow-internal-clients match destination-address any
set security policies from-zone LAN to-zone ISP_1 policy allow-internal-clients match application any
set security policies from-zone LAN to-zone ISP_1 policy allow-internal-clients then permit
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match source-address any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match destination-address any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match application any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients then permit
set security policies from-zone LAN to-zone ISP_2 policy allow-internal-clients match source-address any
set security policies from-zone LAN to-zone ISP_2 policy allow-internal-clients match destination-address any
set security policies from-zone LAN to-zone ISP_2 policy allow-internal-clients match application any
set security policies from-zone LAN to-zone ISP_2 policy allow-internal-clients then permit
set security policies from-zone LAN to-zone VPN policy allow-internal-clients match source-address any
set security policies from-zone LAN to-zone VPN policy allow-internal-clients match destination-address any
set security policies from-zone LAN to-zone VPN policy allow-internal-clients match application any
set security policies from-zone LAN to-zone VPN policy allow-internal-clients then permit
set security policies from-zone VPN to-zone LAN policy allow-internal-clients match source-address any
set security policies from-zone VPN to-zone LAN policy allow-internal-clients match destination-address any
set security policies from-zone VPN to-zone LAN policy allow-internal-clients match application any
set security policies from-zone VPN to-zone LAN policy allow-internal-clients then permit

Note: the from-zone ISP_1 to-zone LAN policy permits any source to any destination on any application. The only traffic that should enter LAN from ISP_1 is the decrypted IPsec traffic from the G and H sites (see POLICY BASED VPN); the any/any policy should be removed once those policies are in place. Policies are evaluated in order within a zone pair, so anything added later to LAN to ISP_1 or ISP_1 to LAN must be inserted before allow-internal-clients or it will never match.

INTERNET NAT
******************
set security nat source rule-set LAN-to-ISP1 from zone LAN
set security nat source rule-set LAN-to-ISP1 to zone ISP_1
set security nat source rule-set LAN-to-ISP1 rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set LAN-to-ISP1 rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set LAN-to-ISP1 rule internet-access then source-nat interface
set security nat source rule-set LAN-to-ISP2 from zone LAN
set security nat source rule-set LAN-to-ISP2 to zone ISP_2
set security nat source rule-set LAN-to-ISP2 rule internet-access2 match source-address 0.0.0.0/0
set security nat source rule-set LAN-to-ISP2 rule internet-access2 match destination-address 0.0.0.0/0
set security nat source rule-set LAN-to-ISP2 rule internet-access2 then source-nat interface
commit

Routes
******************
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
set routing-options static route 0.0.0.0/0 next-hop y.y.y.y
set routing-options static route 192.168.4.0/24 next-hop 192.168.20.2
set routing-options static route 172.27.162.0/24 next-hop 172.27.5.241
set routing-options static route 192.168.60.0/24 next-hop 10.80.80.2
set routing-options static route 192.168.8.0/24 next-hop 10.80.80.2
set routing-options static route 172.27.140.0/24 next-hop 172.27.5.241
set routing-options static route 192.168.9.0/24 next-hop 10.80.80.6
set routing-options static route 172.27.7.48/29 next-hop 172.27.5.241
set routing-options static route 192.168.6.0/24 next-hop ip-0/0/0.22
set routing-options static route 192.168.33.0/24 next-hop ip-0/0/0.22
set routing-options static route 172.27.133.0/24 next-hop 172.27.5.241
set routing-options static route 192.168.3.0/24 next-hop ip-0/0/0.24
set routing-options static route 192.168.5.0/24 next-hop ip-0/0/0.24

RIB-GROUP
******************
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib RT-VPNTUNNELS.inet.0
set routing-options rib-groups IMPORT-PHY import-rib RT-ISP1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib RT-ISP2.inet.0

ROUTING INSTANCE
******************
set routing-instances RT-VPNTUNNELS instance-type forwarding
set routing-instances RT-VPNTUNNELS routing-options static route 172.27.162.0/24 next-hop 172.27.5.241
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.60.0/24 next-hop 10.80.80.2
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.8.0/24 next-hop 10.80.80.2
set routing-instances RT-VPNTUNNELS routing-options static route 172.27.140.0/24 next-hop 172.27.5.241
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.9.0/24 next-hop 10.80.80.6
set routing-instances RT-VPNTUNNELS routing-options static route 172.27.7.48/29 next-hop 172.27.5.241
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.6.0/24 next-hop 10.80.80.10
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.33.0/24 next-hop 10.80.80.10
set routing-instances RT-VPNTUNNELS routing-options static route 172.27.133.0/24 next-hop 172.27.5.241
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.3.0/24 next-hop 10.80.80.18
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.5.0/24 next-hop 10.80.80.18
set routing-instances RT-ISP1 instance-type forwarding
set routing-instances RT-ISP1 routing-options static route 0.0.0.0/0 next-hop x.x.x.x qualified-next-hop y.y.y.y preference 10
set routing-instances RT-ISP2 instance-type forwarding
set routing-instances RT-ISP2 routing-options static route 0.0.0.0/0 next-hop y.y.y.y qualified-next-hop x.x.x.x preference 10

Note: IMPORT-PHY copies only the interface (direct) routes into RT-VPNTUNNELS, RT-ISP1 and RT-ISP2. Static routes in inet.0 are not copied, which is why RT-VPNTUNNELS repeats them. RT-ISP1 and RT-ISP2 therefore contain nothing but their default route and the direct routes; a prefix such as 192.168.4.0/24 via 192.168.20.2 does not exist in those tables.
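The RIB-GROUP and ROUTING INSTANCE sections above, together with the FIREWALL FILTER section that follows, implement filter-based forwarding: the input filter on ge-0/0/0.0 picks a table, then a normal longest-prefix match runs in that table. The Python below is an added example written for this page, not part of the configuration. It re-reads a subset of the page's own set lines (with x.x.x.x and y.y.y.y kept as placeholders and a shortened list of term 1 prefixes) and answers, for a given LAN packet, which table and next hop it gets; the direct routes it seeds into every table stand in for what IMPORT-PHY shares.

```python
"""Filter-based forwarding walk-through for the SRX config on this page.

Added example, not part of the original configuration. FILTER1 selects a
routing instance, then a longest-prefix match runs in that instance, where
only the instance's own statics and the direct routes shared by IMPORT-PHY
exist. Placeholder next hops (x.x.x.x, y.y.y.y) are returned verbatim.
"""
import ipaddress

# Subset of the page's config: the FBF filter and the three forwarding instances.
CONFIG = """
set firewall filter FILTER1 term 1 from destination-address 172.27.162.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.60.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.9.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.6.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.3.0/24
set firewall filter FILTER1 term 1 then routing-instance RT-VPNTUNNELS
set firewall filter FILTER1 term 2 from source-address 192.168.40.10/32
set firewall filter FILTER1 term 2 then routing-instance RT-ISP2
set firewall filter FILTER1 term 3 then routing-instance RT-ISP1
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
set routing-options static route 192.168.4.0/24 next-hop 192.168.20.2
set routing-instances RT-VPNTUNNELS routing-options static route 172.27.162.0/24 next-hop 172.27.5.241
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.60.0/24 next-hop 10.80.80.2
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.9.0/24 next-hop 10.80.80.6
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.6.0/24 next-hop 10.80.80.10
set routing-instances RT-VPNTUNNELS routing-options static route 192.168.3.0/24 next-hop 10.80.80.18
set routing-instances RT-ISP1 routing-options static route 0.0.0.0/0 next-hop x.x.x.x qualified-next-hop y.y.y.y preference 10
set routing-instances RT-ISP2 routing-options static route 0.0.0.0/0 next-hop y.y.y.y qualified-next-hop x.x.x.x preference 10
"""

# Direct routes of the configured interfaces; IMPORT-PHY places these in every table.
INTERFACE_ROUTES = {
    "192.168.20.0/24": "ge-0/0/0.0",
    "172.27.5.240/29": "ge-0/0/1.0",
    "10.80.80.0/30": "ip-0/0/0.20",
    "10.80.80.4/30": "ip-0/0/0.21",
    "10.80.80.8/30": "ip-0/0/0.22",
    "10.80.80.16/30": "ip-0/0/0.24",
}


def parse(config):
    """Return (filter terms in order, {table: {prefix: (next_hop, backup)}})."""
    terms, tables = {}, {"inet.0": {}}
    for line in config.strip().splitlines():
        w = line.split()
        if w[1] == "firewall":                      # set firewall filter F term N ...
            t = terms.setdefault(w[5], {"dst": [], "src": [], "instance": None})
            if w[6] == "from":
                t["dst" if w[7] == "destination-address" else "src"].append(ipaddress.ip_network(w[8]))
            else:                                   # then routing-instance X
                t["instance"] = w[8]
        elif w[1] == "routing-options":             # static route in the master table
            tables["inet.0"][ipaddress.ip_network(w[4])] = (w[6], None)
        elif w[1] == "routing-instances":           # instance static, optional qualified-next-hop
            backup = w[10] if len(w) > 10 else None
            tables.setdefault(w[2], {})[ipaddress.ip_network(w[6])] = (w[8], backup)
    for prefix, ifname in INTERFACE_ROUTES.items():
        for table in tables.values():
            table[ipaddress.ip_network(prefix)] = (ifname, None)
    return terms, tables


def select_table(terms, src, dst):
    """First matching term wins; a term with no `from` clause (term 3) matches everything.
    If no term matches, the filter's implicit discard drops the packet."""
    for t in terms.values():
        if t["dst"] and not any(dst in n for n in t["dst"]):
            continue
        if t["src"] and not any(src in n for n in t["src"]):
            continue
        return t["instance"]
    return None


def forward(src, dst, primary_up=True):
    """(table, matched prefix, next hop) for a packet entering on ge-0/0/0.0.
    primary_up=False models the primary next hop being unreachable, so the
    qualified-next-hop with preference 10 takes over inside the instance."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    terms, tables = parse(CONFIG)
    table = select_table(terms, src, dst)
    if table is None:
        return ("discard", None, None)
    routes = tables[table]
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen, default=None)
    if best is None:
        return (table, None, None)
    nh, backup = routes[best]
    return (table, str(best), nh if primary_up or backup is None else backup)


if __name__ == "__main__":
    for src, dst in [("192.168.20.50", "192.168.9.7"),   # tunnel prefix -> RT-VPNTUNNELS
                     ("192.168.40.10", "8.8.8.8"),       # pinned host -> RT-ISP2
                     ("192.168.20.50", "8.8.8.8"),       # everything else -> RT-ISP1
                     ("192.168.20.50", "192.168.4.9")]:  # inet.0 static is not in RT-ISP1
        print(src, "->", dst, forward(src, dst))
```

The last case is the one to look at: 192.168.4.0/24 is reachable in inet.0 via 192.168.20.2, but term 3 sends the packet into RT-ISP1, where only the default route matches, so it leaves toward ISP1 (and gets source-NATed). A term that matches such prefixes with then accept keeps them in inet.0.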
FIREWALL FILTER
******************
set firewall filter FILTER1 term 1 from destination-address 172.27.162.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.60.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.8.0/24
set firewall filter FILTER1 term 1 from destination-address 172.27.140.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.9.0/24
set firewall filter FILTER1 term 1 from destination-address 172.27.7.48/29
set firewall filter FILTER1 term 1 from destination-address 192.168.6.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.33.0/24
set firewall filter FILTER1 term 1 from destination-address 172.27.133.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.3.0/24
set firewall filter FILTER1 term 1 from destination-address 192.168.5.0/24
set firewall filter FILTER1 term 1 then routing-instance RT-VPNTUNNELS
set firewall filter FILTER1 term 2 from source-address 192.168.40.10/32
set firewall filter FILTER1 term 2 then routing-instance RT-ISP2
set firewall filter FILTER1 term 3 then routing-instance RT-ISP1

Note: the filter name must be the one applied under ge-0/0/0.0 (filter input FILTER1); a filter that is referenced on an interface but not defined fails commit check. Terms run in order: destinations behind the IP tunnels go to RT-VPNTUNNELS, host 192.168.40.10 is pinned to ISP2, everything else goes to ISP1. Prefixes that exist only as static routes in inet.0 (192.168.4.0/24 via 192.168.20.2) also fall into term 3 and follow the ISP1 default; give them their own term with then accept so they are looked up in inet.0.

RPM CONFIG
******************
set services rpm probe PROBE-ISP1 test TEST-ISP1 target address x.x.x.x
set services rpm probe PROBE-ISP1 test TEST-ISP1 probe-count 10
set services rpm probe PROBE-ISP1 test TEST-ISP1 probe-interval 5
set services rpm probe PROBE-ISP1 test TEST-ISP1 test-interval 10
set services rpm probe PROBE-ISP1 test TEST-ISP1 thresholds successive-loss 10
set services rpm probe PROBE-ISP1 test TEST-ISP1 thresholds total-loss 5
set services rpm probe PROBE-ISP1 test TEST-ISP1 destination-interface fe-0/0/2.0
set services rpm probe PROBE-ISP1 test TEST-ISP1 next-hop x.x.x.x
set services rpm probe PROBE-ISP2 test TEST-ISP2 target address y.y.y.y
set services rpm probe PROBE-ISP2 test TEST-ISP2 probe-count 10
set services rpm probe PROBE-ISP2 test TEST-ISP2 probe-interval 5
set services rpm probe PROBE-ISP2 test TEST-ISP2 test-interval 10
set services rpm probe PROBE-ISP2 test TEST-ISP2 thresholds successive-loss 10
set services rpm probe PROBE-ISP2 test TEST-ISP2 thresholds total-loss 5
set services rpm probe PROBE-ISP2 test TEST-ISP2 destination-interface fe-0/0/3.0
set services rpm probe PROBE-ISP2 test TEST-ISP2 next-hop y.y.y.y

Note: x.x.x.x and y.y.y.y are placeholders. The probe target should be an address beyond the ISP gateway (next-hop); probing the gateway itself only detects a dead local link, not an ISP that has lost its upstream.

IP SLA MONITORING
******************
set services ip-monitoring policy TRACK-ISP1 match rpm-probe PROBE-ISP1
set services ip-monitoring policy TRACK-ISP1 then preferred-route route 0.0.0.0/0 next-hop y.y.y.y
set services ip-monitoring policy TRACK-ISP2 match rpm-probe PROBE-ISP2
set services ip-monitoring policy TRACK-ISP2 then preferred-route route 0.0.0.0/0 next-hop x.x.x.x

Note: these preferred routes are installed in inet.0, but LAN traffic is forwarded from RT-ISP1 and RT-ISP2. There, failover depends on the qualified-next-hop with preference 10, which only takes over when the primary next hop is unreachable (link down), not when the probe fails. To move the instance's default route on probe loss, use the routing-instances form, for example: set services ip-monitoring policy TRACK-ISP1 then preferred-route routing-instances RT-ISP1 route 0.0.0.0/0 next-hop y.y.y.y

POLICY BASED VPN
******************
set security zones security-zone LAN address-book address HQ-LAN 192.168.4.0/24
set security zones security-zone ISP_1 address-book address G-LAN 192.168.7.0/24
set security zones security-zone ISP_1 address-book address H-LAN 192.168.11.0/24
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-phase1-proposal lifetime-seconds 28800
set security ike policy G-PHASE1-POLICY mode main
set security ike policy G-PHASE1-POLICY proposals ike-phase1-proposal
set security ike policy G-PHASE1-POLICY pre-shared-key ascii-text *****
set security ike policy H-PHASE1-POLICY mode main
set security ike policy H-PHASE1-POLICY proposals ike-phase1-proposal
set security ike policy H-PHASE1-POLICY pre-shared-key ascii-text *****
set security ike gateway IKE-GW-G external-interface fe-0/0/2.0
set security ike gateway IKE-GW-G ike-policy G-PHASE1-POLICY
set security ike gateway IKE-GW-G address Z.Z.Z.Z
set security ike gateway IKE-GW-H external-interface fe-0/0/2.0
set security ike gateway IKE-GW-H ike-policy H-PHASE1-POLICY
set security ike gateway IKE-GW-H address V.V.V.V
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn IKE-VPN-G ike gateway IKE-GW-G
set security ipsec vpn IKE-VPN-G ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn IKE-VPN-H ike gateway IKE-GW-H
set security ipsec vpn IKE-VPN-H ike ipsec-policy ipsec-phase2-policy
set security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT match source-address HQ-LAN
set security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT match destination-address G-LAN
set security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT match application any
set security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT then permit tunnel ipsec-vpn IKE-VPN-G
set security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT then permit tunnel pair-policy VPN-G-IN
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match source-address G-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match destination-address HQ-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match application any
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN then permit tunnel ipsec-vpn IKE-VPN-G
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN then permit tunnel pair-policy VPN-G-OUT
set security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT match source-address HQ-LAN
set security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT match destination-address H-LAN
set security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT match application any
set security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT then permit tunnel ipsec-vpn IKE-VPN-H
set security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT then permit tunnel pair-policy VPN-H-IN
set security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN match source-address H-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN match destination-address HQ-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN match application any
set security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN then permit tunnel ipsec-vpn IKE-VPN-H
set security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN then permit tunnel pair-policy VPN-H-OUT
insert security policies from-zone LAN to-zone ISP_1 policy VPN-G-OUT before policy allow-internal-clients
insert security policies from-zone LAN to-zone ISP_1 policy VPN-H-OUT before policy allow-internal-clients
insert security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN before policy allow-internal-clients
insert security policies from-zone ISP_1 to-zone LAN policy VPN-H-IN before policy allow-internal-clients
set security nat source rule-set LAN-to-ISP1 rule NO-NAT match source-address 192.168.4.0/24
set security nat source rule-set LAN-to-ISP1 rule NO-NAT match destination-address 192.168.7.0/24
set security nat source rule-set LAN-to-ISP1 rule NO-NAT match destination-address 192.168.11.0/24
set security nat source rule-set LAN-to-ISP1 rule NO-NAT then source-nat off
insert security nat source rule-set LAN-to-ISP1 rule NO-NAT before rule internet-access

Note: a policy-based VPN encrypts only what a policy hands to it with then permit tunnel ipsec-vpn <name>; a bare then permit would forward HQ-LAN traffic to the G and H prefixes toward ISP1 in the clear and, after the NO-NAT rule, with its private source address. A policy can reference one ipsec-vpn, so G and H need separate policies; pair-policy ties the two directions of each pair to one SA. The insert lines are required because allow-internal-clients (any/any permit) was configured first in both zone pairs and policies match in order, just as the NAT insert puts NO-NAT ahead of internet-access. The address-book names used in the policies must be the ones defined above (HQ-LAN, G-LAN, H-LAN), and each gateway must point at a defined IKE policy (G-PHASE1-POLICY, H-PHASE1-POLICY). Both proposals use MD5 (authentication-algorithm md5, hmac-md5-96) and DH group 2; where the remote peers allow it, prefer sha-256 and hmac-sha-256-128 with group14 or stronger, and enable ike host-inbound traffic on fe-0/0/2.0 rather than all.
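The configuration above can be reviewed mechanically before it is committed. The Python below is an added example written for this page, not part of the configuration or any Juniper tool: it re-reads an excerpt of the page's own set commands and reports the settings a reviewer would query (cleartext management services, system-services all on Internet-facing interfaces, any/any permits from an untrusted zone, MD5 and DH group 2 in the proposals). HARDENED_EXCERPT is an assumed replacement written for this example; it presumes the remote IKE peers accept SHA-256 and group14.

```python
"""Static review of SRX `set`-style configuration.

Added example, not part of the original page. PAGE_EXCERPT is copied from
the page's BASIC, ZONES, POLICIES and POLICY BASED VPN sections;
HARDENED_EXCERPT is an assumed corrected version written for this example.
"""

PAGE_EXCERPT = """
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone ISP_1 interfaces fe-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone ISP_2 interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match source-address any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match destination-address any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients match application any
set security policies from-zone ISP_1 to-zone LAN policy allow-internal-clients then permit
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
"""

# Assumed hardened counterpart (not from the page): ssh/https only, ike only on the
# IKE interface, a VPN-scoped inbound policy instead of any/any, SHA-256 and group14.
HARDENED_EXCERPT = """
set system services ssh
set system services web-management https
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone ISP_1 interfaces fe-0/0/2.0 host-inbound-traffic system-services ike
set security zones security-zone ISP_2 interfaces fe-0/0/3.0 host-inbound-traffic system-services ping
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match source-address G-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match destination-address HQ-LAN
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN match application any
set security policies from-zone ISP_1 to-zone LAN policy VPN-G-IN then permit tunnel ipsec-vpn IKE-VPN-G
set security ike proposal ike-phase1-proposal dh-group group14
set security ike proposal ike-phase1-proposal authentication-algorithm sha-256
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha-256-128
"""

UNTRUSTED_ZONES = {"ISP_1", "ISP_2"}
CLEARTEXT_SERVICES = {"telnet", "http"}
WEAK_SETTINGS = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96", "des-cbc", "3des-cbc",
                 "group1", "group2", "group5"}


def audit(config):
    """Return a list of human-readable findings for one block of `set` commands."""
    findings, policies = [], {}
    for line in config.strip().splitlines():
        w = line.split()
        if w[1:3] == ["system", "services"] and w[-1] in CLEARTEXT_SERVICES:
            findings.append(f"cleartext management service enabled: {w[-1]}")
        elif w[1:3] == ["security", "zones"] and "host-inbound-traffic" in w:
            zone, iface, service = w[4], w[6], w[-1]
            if zone in UNTRUSTED_ZONES and service == "all":
                findings.append(f"{iface} in {zone} accepts every host-inbound service from the Internet")
        elif w[1:3] == ["security", "policies"]:
            key = (w[4], w[6], w[8])                      # from-zone, to-zone, policy name
            p = policies.setdefault(key, {"source-address": set(), "destination-address": set(),
                                          "application": set(), "action": ""})
            if w[9] == "match":
                p[w[10]].add(w[11])
            else:                                         # then <action ...>
                p["action"] = " ".join(w[10:])
        elif w[1] == "security" and w[2] in ("ike", "ipsec") and w[3] == "proposal":
            if w[-1] in WEAK_SETTINGS:
                findings.append(f"weak {w[2]} proposal setting: {w[5]} {w[-1]}")
    # Policies are judged once all their match/then lines have been collected.
    for (frm, to, name), p in policies.items():
        wide_open = all(p[k] == {"any"} for k in ("source-address", "destination-address", "application"))
        if frm in UNTRUSTED_ZONES and p["action"] == "permit" and wide_open:
            findings.append(f"policy {name} permits any/any/any from {frm} to {to}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_EXCERPT), ("hardened", HARDENED_EXCERPT)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The policy check deliberately waits until every match and then line has been read, because a Junos policy is spread over several set commands and a bare permit is only a problem when all three match clauses are any and the source zone is untrusted; a VPN-scoped policy whose action is permit tunnel ipsec-vpn passes.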