# Junos SRX chassis-cluster configuration: two nodes (node0/node1), reth0 is the
# WAN side, reth1 the LAN side, and four route-based IPsec VPNs terminate on
# st0.0-st0.3. All password hashes and pre-shared keys are redacted ("Jibberish")
# and public addresses are masked as X.X.X.X in this copy.

# Per-node settings, selected at commit time by apply-groups "${node}":
# the hostname and the fxp0 out-of-band management address of each node.
groups {
    node0 {
        system {
            host-name ecdcjuniper0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.2.2.250/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name ecdcjuniper1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.2.2.251/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "Jibberish"; ## SECRET-DATA
    }
    # Internal resolver plus a public resolver.
    name-server {
        10.2.2.53;
        8.8.8.8;
    }
    # Single local super-user account. No retry-options, idle-timeout or
    # password complexity settings appear in this stanza.
    login {
        user tquine {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "Jibberish"; ## SECRET-DATA
            }
        }
    }
    services {
        # NOTE(review): ssh is enabled with defaults only; 'root-login deny',
        # 'connection-limit' and 'rate-limit' are not set here.
        ssh;
        # NOTE(review): J-Web (plaintext HTTP and HTTPS) is bound to reth0.0, the
        # WAN interface, and to every st0 tunnel unit, not just the LAN/management
        # side. The Untrusted zone below admits only https/ping/ssh/ike as
        # host-inbound services, so HTTP on reth0.0 should be dropped at the zone,
        # but the binding is still wider than needed. fxp1.0 and fxp2.0 are
        # referenced here but not configured under 'interfaces' in this file.
        web-management {
            http {
                interface [ reth0.0 reth1.0 fxp1.0 fxp2.0 st0.0 st0.1 st0.2 st0.3 ];
            }
            https {
                # Self-signed device certificate; clients cannot validate it
                # against a trusted CA.
                system-generated-certificate;
                interface [ reth0.0 reth1.0 fxp1.0 fxp2.0 st0.0 st0.1 st0.2 st0.3 ];
            }
        }
    }
    # Local logging only: no remote syslog host is defined in this stanza.
    # 'messages' keeps critical-and-above plus authorization info, and
    # 'interactive-commands' keeps only error severity, so CLI/commit activity
    # logged at lower severities is not retained. No 'security log' stream is
    # visible in this file either, so permitted/denied sessions are not recorded.
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
# Two redundancy groups; node 0 is primary for both (priority 200 vs 100).
# No preempt or interface-monitor settings are present in this stanza.
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
interfaces {
    # ge-x/0/4 on each node -> reth0 (WAN); ge-x/0/5 -> reth1 (LAN).
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    # Cluster fabric links.
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    # NOTE(review): 2.2.2.2 is a globally routable address, not RFC 1918 space;
    # confirm this loopback address is intentional.
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description WAN;
            family inet {
                address X.X.X.18/28;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description LAN;
            family inet {
                address 10.2.2.254/24;
            }
        }
    }
    # Tunnel interfaces, one unit per IPsec VPN (bound under security ipsec below).
    st0 {
        unit 0 {
            family inet {
                address 10.11.12.12/24;
            }
        }
        unit 1 {
            family inet {
                address 10.11.3.11/24;
            }
        }
        unit 2 {
            family inet {
                address 10.11.2.11/24;
            }
        }
        unit 3 {
            family inet {
                address 10.11.1.11/24;
            }
        }
    }
}
# Default route to the WAN gateway; each remote-site subnet is steered into
# its tunnel interface (route-based VPN).
routing-options {
    static {
        route 0.0.0.0/0 next-hop X.X.X.17;
        route 192.168.4.0/24 next-hop st0.0;
        route 192.168.77.0/24 next-hop st0.1;
        route 192.168.55.0/24 next-hop st0.2;
        route 192.168.10.0/24 next-hop st0.3;
    }
}
protocols {
    stp;
}
security {
    # All four tunnels use IKEv1 main mode with pre-shared keys and the built-in
    # 'standard' proposal set (in Junos this set relies on SHA-1 and DH group 2;
    # confirm against the running release and prefer an explicit proposal with
    # stronger algorithms where the peers support it).
    ike {
        policy ike-policy-sbc {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "Jibberish"; ## SECRET-DATA
        }
        policy ike-policy-ECDC-DP {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "Jibberish"; ## SECRET-DATA
        }
        policy ike-policy-visi {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "Jibberish"; ## SECRET-DATA
        }
        policy ike-policy-impulse {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "Jibberish"; ## SECRET-DATA
        }
        # DPD declares a peer down after 5 unanswered probes at 10-second intervals.
        # NOTE(review): 'general-ikeid' on ike-gate-sbc and ike-gate-visi accepts
        # any IKE identity from those peers, so peer authentication rests on the PSK
        # and the peer address alone; confirm the remote devices actually need it.
        gateway ike-gate-sbc {
            ike-policy ike-policy-sbc;
            address X.X.X.X;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface reth0.0;
            general-ikeid;
            version v1-only;
        }
        gateway ike-gate-ECDC-DP {
            ike-policy ike-policy-ECDC-DP;
            address X.X.X.X;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface reth0.0;
            version v1-only;
        }
        gateway ike-gate-visi {
            ike-policy ike-policy-visi;
            address X.X.X.X;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface reth0.0;
            general-ikeid;
            version v1-only;
        }
        gateway ike-gate-impulse {
            ike-policy ike-policy-impulse;
            address X.X.X.X;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface reth0.0;
            version v1-only;
        }
    }
    ipsec {
        policy ipsec-policy-sbc {
            proposal-set standard;
        }
        policy ipsec-policy-ECDC-DP {
            proposal-set standard;
        }
        policy ipsec-policy-visi {
            proposal-set standard;
        }
        policy ipsec-policy-impulse {
            proposal-set standard;
        }
        # Tunnels are negotiated on demand ('on-traffic'), not kept up permanently.
        vpn ipsec-vpn-sbc {
            bind-interface st0.0;
            ike {
                gateway ike-gate-sbc;
                ipsec-policy ipsec-policy-sbc;
            }
            establish-tunnels on-traffic;
        }
        vpn ipsec-vpn-ECDC-DP {
            bind-interface st0.1;
            ike {
                gateway ike-gate-ECDC-DP;
                ipsec-policy ipsec-policy-ECDC-DP;
            }
            establish-tunnels on-traffic;
        }
        vpn ipsec-vpn-visi {
            bind-interface st0.2;
            ike {
                gateway ike-gate-visi;
                ipsec-policy ipsec-policy-visi;
            }
            establish-tunnels on-traffic;
        }
        vpn ipsec-vpn-impulse {
            bind-interface st0.3;
            ike {
                gateway ike-gate-impulse;
                ipsec-policy ipsec-policy-impulse;
            }
            establish-tunnels on-traffic;
        }
    }
    nat {
        # Interface (hide) NAT for everything leaving Trusted towards Untrusted.
        source {
            rule-set LAN_To_WAN {
                from zone Trusted;
                to zone Untrusted;
                rule LAN_To_Internet {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        # One public address (X.X.X.19) is statically mapped to 10.2.2.103 (WS_Kemp).
        static {
            rule-set Statics {
                from zone Untrusted;
                rule ECWS-KempPool {
                    match {
                        destination-address X.X.X.19/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.2.2.103/32;
                            }
                        }
                    }
                }
            }
        }
        # NOTE(review): proxy-ARP is answered for X.X.X.19-.30, but only X.X.X.19
        # has a NAT rule in this file; the remaining entries may be reserved for
        # future mappings or be stale - confirm.
        proxy-arp {
            interface reth0.0 {
                address {
                    X.X.X.19/32;
                    X.X.X.20/32;
                    X.X.X.21/32;
                    X.X.X.22/32;
                    X.X.X.23/32;
                    X.X.X.24/32;
                    X.X.X.25/32;
                    X.X.X.26/32;
                    X.X.X.27/32;
                    X.X.X.28/32;
                    X.X.X.29/32;
                    X.X.X.30/32;
                }
            }
        }
    }
    # NOTE(review): none of the policies below sets 'log session-init' or
    # 'log session-close', so permitted traffic leaves no session record.
    policies {
        # Unrestricted outbound access from the LAN.
        from-zone Trusted to-zone Untrusted {
            policy LAN-to-WAN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # LAN -> remote site, one policy per tunnel, any application.
        from-zone Trusted to-zone VPN {
            policy Trusted-VPN-sbc {
                match {
                    source-address net-sbc_10-2-2-0--24;
                    destination-address net-sbc_192-168-4-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Trusted-VPN-ECDC-DP {
                match {
                    source-address net-ECDC-DP_10-2-2-0--24;
                    destination-address net-ECDC-DP_192-168-77-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Trusted-VPN-visi {
                match {
                    source-address net-visi_10-2-2-0--24;
                    destination-address net-visi_192-168-55-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Trusted-VPN-impulse {
                match {
                    source-address net-impulse_10-2-2-0--24;
                    destination-address net-impulse_192-168-10-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Remote site -> LAN, mirror of the above; each remote subnet reaches the
        # whole 10.2.2.0/24 on any application.
        from-zone VPN to-zone Trusted {
            policy VPN-Trusted-sbc {
                match {
                    source-address net-sbc_192-168-4-0--24;
                    destination-address net-sbc_10-2-2-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy VPN-Trusted-ECDC-DP {
                match {
                    source-address net-ECDC-DP_192-168-77-0--24;
                    destination-address net-ECDC-DP_10-2-2-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy VPN-Trusted-visi {
                match {
                    source-address net-visi_192-168-55-0--24;
                    destination-address net-visi_10-2-2-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy VPN-Trusted-impulse {
                match {
                    source-address net-impulse_192-168-10-0--24;
                    destination-address net-impulse_10-2-2-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Intrazone traffic within Trusted is permitted without restriction.
        from-zone Trusted to-zone Trusted {
            policy Trust-to-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # The only inbound rule from the Internet: HTTP, HTTPS, TCP 8070-8099
        # (WS-Ports) and ICMP echo to WS-Internal (10.2.2.100) and WS_Kemp
        # (10.2.2.103, the static-NAT target). NOTE(review): WS-Internal has no
        # NAT mapping in this file, so that destination entry may be unreachable
        # from Untrusted or stale - confirm.
        from-zone Untrusted to-zone Trusted {
            policy HTTP_WS {
                match {
                    source-address any;
                    destination-address [ WS-Internal WS_Kemp ];
                    application [ junos-http junos-https WS-Ports junos-icmp-ping ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        # The four net-*_10-2-2-0--24 objects all describe the same 10.2.2.0/24;
        # ecdc-net and SOWS24 are defined but not referenced by any policy in this file.
        security-zone Trusted {
            address-book {
                address ecdc-net 10.2.2.0/24;
                address net-sbc_10-2-2-0--24 10.2.2.0/24;
                address net-ECDC-DP_10-2-2-0--24 10.2.2.0/24;
                address net-visi_10-2-2-0--24 10.2.2.0/24;
                address net-impulse_10-2-2-0--24 10.2.2.0/24;
                address WS-Internal 10.2.2.100/32;
                address SOWS24 10.2.2.54/32;
                address WS_Kemp 10.2.2.103/32;
            }
            # All system services are reachable from the LAN; the per-interface
            # 'all' on reth1.0 repeats the zone-level setting.
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        # NOTE(review): SSH and HTTPS management are accepted from any Internet
        # source on reth0.0 (security policies do not filter host-inbound
        # traffic). If only IKE is required from the WAN, remove https/ssh here;
        # otherwise restrict sources with a firewall filter on reth0.0 or lo0.
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    https;
                    ping;
                    ssh;
                    ike;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        # NOTE(review): 'all' gives the four remote sites full management-plane
        # access to this firewall over the tunnels; 'ping' plus whatever is
        # actually needed would be tighter.
        security-zone VPN {
            address-book {
                address net-sbc_192-168-4-0--24 192.168.4.0/24;
                address net-ECDC-DP_192-168-77-0--24 192.168.77.0/24;
                address net-visi_192-168-55-0--24 192.168.55.0/24;
                address net-impulse_192-168-10-0--24 192.168.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                st0.0;
                st0.1;
                st0.2;
                st0.3;
            }
        }
    }
}
# Custom application used by policy HTTP_WS above.
applications {
    application WS-Ports {
        protocol tcp;
        destination-port 8070-8099;