# Junos configuration of the device named ROUTER-SRX240 in `display set` form,
# captured from a configuration-mode prompt. The listing carries password hashes,
# an IKE pre-shared key, firewall-user passwords and an SNMP community string;
# everything secret below should be treated as disclosed and rotated.
root@ROUTER-SRX240# run show configuration | display set
# NOTE(review): confirm 12.1X44-D35.5 is still a release that receives security fixes.
set version 12.1X44-D35.5
set system host-name ROUTER-SRX240
# `$1$` marks an MD5-crypt hash. It is shown in full here, so rotate the root
# password and re-hash with the strongest `system login password format` the release offers.
set system root-authentication encrypted-password "$1$sQU0w0YN$TDNjD3b5vYhR2pKYlCGg5."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 8.8.8.8
set system name-server 210.245.0.11
# `admin` is a super-user whose password is stored in the same MD5-crypt format.
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$H8ELo46I$/ucuAg6BQdQwNUMhICJfo1"
# Management plane: root may log in over SSH, and two cleartext services
# (telnet, xnm-clear-text) are enabled alongside SSH and NETCONF-over-SSH.
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services telnet
set system services xnm-clear-text
set system services netconf ssh
# J-Web is served over plain HTTP on vlan.0 and vlan.3; vlan.3 is bound to the
# INTERNET zone further down. No `interfaces vlan unit 0` appears in this listing.
# HTTPS uses the self-signed system-generated certificate.
set system services web-management management-url jweb
set system services web-management http interface vlan.0
set system services web-management http interface vlan.3
set system services web-management https system-generated-certificate
# Logging is local only: no `system syslog host` statement appears, and the archive
# keeps 3 files of 100k each, so history is short and lives on the device itself.
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file interface-logs any any
set system syslog file interface-logs match ifOperStatus
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system max-configurations-on-flash 49
set system max-configuration-rollbacks 49
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# ge-0/0/0 and ge-0/0/1 are LAG members of ae0; ge-0/0/8..10 are access ports in
# VLAN 3 and ge-0/0/12..15 are access ports in VLAN 2.
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members 3
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members 3
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 3
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members 2
# Descriptions are Vietnamese: "ket noi toi" means "connecting to".
set interfaces ae0 description "Port-channel ket noi toi FIREWALL-SRX550"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family inet address 172.18.2.1/29
set interfaces vlan unit 2 description "Vlan ket noi toi TSLCD"
set interfaces vlan unit 2 family inet address 10.128.108.2/24
set interfaces vlan unit 3 description "Vlan ket noi toi Modem ADSL"
set interfaces vlan unit 3 family inet address 172.18.1.2/24
# The SNMP community string is stored and shown in clear (read-only, limited to
# client-list list0 = 10.128.112.78/32). No SNMPv3 configuration appears in this listing.
set snmp client-list list0 10.128.112.78/32
set snmp community "qni@1234" authorization read-only
set snmp community "qni@1234" client-list-name list0
# The default route points to 172.18.1.1, which sits in the vlan.3 subnet (172.18.1.2/24).
set routing-options static route 10.128.0.0/16 next-hop 10.128.108.1
set routing-options static route 10.0.0.0/8 next-hop 10.128.108.1
set routing-options static route 172.18.2.0/24 next-hop 172.18.2.2
set routing-options static route 10.57.192.0/24 next-hop 172.18.2.2
set routing-options static route 10.57.193.0/24 next-hop 172.18.2.2
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
# LLDP is enabled on all interfaces, which includes the access ports in VLAN 3.
set protocols lldp interface all
set protocols rstp
# traceoptions names a file but sets no flags; presumably a debugging leftover, confirm.
set security ike traceoptions file ike-test
# IKE aggressive mode with a pre-shared key: weaker than main mode because peer
# identities are not protected. NOTE(review): keep only if the dynamic-VPN clients require it.
# `standard` (IKE) and `compatible` (IPsec) are predefined proposal sets.
# NOTE(review): check which algorithms they enable on this release and switch to
# explicit proposals if legacy ciphers are included.
set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
# `$9$` values are Junos's reversible obfuscation, not a one-way hash, so this
# pre-shared key counts as disclosed by the listing; rotate it.
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "$9$Qc8i3CpKv8-bYTz9t0Ohc7-dsoZDiq.5zUDApu0IRdbwgGD5QF"
# The dynamic gateway terminates on vlan.3 (the INTERNET-zone interface), shares one
# group IKE ID across up to 50 connections and relies on XAuth for per-user identity.
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname ROUTER-SRX240
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn local-identity inet 172.18.1.2
set security ike gateway gw_wizard_dyn_vpn external-interface vlan.3
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set compatible
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
# VPN clients are given reach to 172.18.0.0/16, 10.57.192.0/24, 10.57.193.0/24 and
# 10.128.0.0/16. A user literally named `test` is among them; presumably a leftover
# test account, confirm and remove.
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.18.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.57.192.0/24
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.57.193.0/24
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.128.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user test
set security dynamic-vpn clients wizard-dyn-group user trongnv
set security flow tcp-mss all-tcp mss 1400
# Source NAT: traffic from zone LAN to zone WAN is translated to the egress interface address.
set security nat source rule-set LAN-WAN from zone LAN
set security nat source rule-set LAN-WAN to zone WAN
set security nat source rule-set LAN-WAN rule SNAT-LAN-WAN match source-address 0.0.0.0/0
set security nat source rule-set LAN-WAN rule SNAT-LAN-WAN match destination-address 0.0.0.0/0
set security nat source rule-set LAN-WAN rule SNAT-LAN-WAN then source-nat interface
# Static NAT publishes 172.18.3.2 as 10.128.108.4 toward zone WAN.
# NOTE(review): no static route above covers 172.18.3.2 except the default via
# 172.18.1.1; confirm the translated address is routed as intended.
set security nat static rule-set WAN-LAN-RS1 from zone WAN
set security nat static rule-set WAN-LAN-RS1 rule NAT-FW-SRX550 match destination-address 10.128.108.4/32
set security nat static rule-set WAN-LAN-RS1 rule NAT-FW-SRX550 then static-nat prefix 172.18.3.2/32
# vlan.2 answers ARP for 10.128.108.3 and 10.128.108.4; only .4 has a NAT rule in this listing.
set security nat proxy-arp interface vlan.2 address 10.128.108.3/32
set security nat proxy-arp interface vlan.2 address 10.128.108.4/32
# LAN -> WAN: any source, destination and application is permitted, without logging.
set security policies from-zone LAN to-zone WAN policy ALLOW-LAN-2-WAN match source-address any
set security policies from-zone LAN to-zone WAN policy ALLOW-LAN-2-WAN match destination-address any
set security policies from-zone LAN to-zone WAN policy ALLOW-LAN-2-WAN match application any
set security policies from-zone LAN to-zone WAN policy ALLOW-LAN-2-WAN then permit
# WAN -> LAN: any/any/any permit with no logging. Combined with the static NAT above,
# the translated host is open on every port to zone WAN; restrict this policy to the
# required addresses and applications and add `then log`.
set security policies from-zone WAN to-zone LAN policy ALLOW-WAN-2-LAN match source-address any
set security policies from-zone WAN to-zone LAN policy ALLOW-WAN-2-LAN match destination-address any
set security policies from-zone WAN to-zone LAN policy ALLOW-WAN-2-LAN match application any
set security policies from-zone WAN to-zone LAN policy ALLOW-WAN-2-LAN then permit
# LAN -> INTERNET: any/any/any permit, without logging; it reuses the policy name ALLOW-LAN-2-WAN.
set security policies from-zone LAN to-zone INTERNET policy ALLOW-LAN-2-WAN match source-address any
set security policies from-zone LAN to-zone INTERNET policy ALLOW-LAN-2-WAN match destination-address any
set security policies from-zone LAN to-zone INTERNET policy ALLOW-LAN-2-WAN match application any
set security policies from-zone LAN to-zone INTERNET policy ALLOW-LAN-2-WAN then permit
# INTERNET -> LAN: the only policy is the dynamic-VPN tunnel policy, logged at session start and close.
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn then log session-init
set security policies from-zone INTERNET to-zone LAN policy policy_in_wizard_dyn_vpn then log session-close
# Every zone accepts `all` system services and `all` protocols addressed to the device
# itself. No `security screen` statements appear in this listing.
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces vlan.2
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ae0.0
set security zones security-zone INTERNET host-inbound-traffic system-services all
set security zones security-zone INTERNET host-inbound-traffic protocols all
# Interface-level host-inbound-traffic takes precedence over the zone-level setting in
# Junos, so these lists are what vlan.3 and ge-0/0/9.0 actually accept. vlan.3 still
# admits http, ssh and telnet from the INTERNET side; with `ssh root-login allow` and
# telnet enabled above, limit this to ike (plus https if J-Web access is required).
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services ike
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services https
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services ping
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services http
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services ssh
set security zones security-zone INTERNET interfaces vlan.3 host-inbound-traffic system-services telnet
# NOTE(review): ge-0/0/9.0 is an ethernet-switching access port in VLAN 3 above; confirm
# it is meant to be bound to the zone in addition to vlan.3.
set security zones security-zone INTERNET interfaces ge-0/0/9.0 host-inbound-traffic system-services https
set security zones security-zone INTERNET interfaces ge-0/0/9.0 host-inbound-traffic system-services ike
# XAuth users for the dynamic VPN. Their passwords use the reversible `$9$` format and
# are shown in full; rotate both.
set access profile remote_access_profile client test firewall-user password "$9$aoZi.AtOBIcSrs2oaUDCtp"
set access profile remote_access_profile client trongnv firewall-user password "$9$sj2JGjHqfQFiH0BRhrl"
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
# VPN clients receive addresses from 172.18.254.0/24 and 8.8.8.8 as primary DNS.
set access address-assignment pool dyn-vpn-address-pool family inet network 172.18.254.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile remote_access_profile
set ethernet-switching-options port-error-disable disable-timeout 300
set vlans VL-INTERNET vlan-id 3
set vlans VL-INTERNET l3-interface vlan.3
set vlans VL-WAN vlan-id 2
set vlans VL-WAN l3-interface vlan.2
# Empty prompts left over from the terminal capture.
[edit]
root@ROUTER-SRX240#
[edit]
root@ROUTER-SRX240#
[edit]
root@ROUTER-SRX240#
[edit]