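## Last changed: 2016-04-05 20:23:24 MST
version 12.1X44.3;
/* Security review of the AM-MS-Site SRX configuration.
   This file has been exported in the clear: the "$9$" pre-shared keys are
   reversibly obfuscated (not encrypted) and the "$1$" login hashes are
   MD5-crypt, so every secret below must be treated as disclosed and rotated.
   Changes made in this revision: telnet, plaintext HTTP management and SSH
   root login removed; host-inbound services on the WAN interface reduced to
   IKE and ping, with SSH/HTTPS/SNMP reachable only over the st0 tunnels and
   the LAN; the catch-all Internet-to-LAN permit replaced by a logged deny;
   the untrust-screen IDS profile attached to the Internet zone; SNMP
   communities restricted to internal clients; and four dangling references
   fixed (IKE policy names for RS-MH and GL-FL, the SNMP "view" keyword for
   TCS-Read, and the non-existent vpn-monitor source ge-0/0/15). */
system {
    host-name AM-MS-FW01;
    domain-name terrapincarestation.local;
    time-zone MST;
    authentication-order password;
    root-authentication {
        /* MD5-crypt hash; rotate now that the configuration has been exported */
        encrypted-password "$1$Z6DOzZ.i$vttpsHzeCRm/noQYUZ3C/1";
    }
    name-server {
        75.75.75.75;
        75.75.76.76;
        10.10.25.10;
        10.10.105.100;
        208.67.222.222;
        /* NOTE(review): 208.67.222.220 looks like a typo for the OpenDNS
           secondary 208.67.220.220 - confirm with the operator before changing */
        208.67.222.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        /* Both accounts are super-user with MD5-crypt hashes; rotate after this export */
        user Mel {
            full-name "Byte Master";
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$ETad7F12$xNFBVJmFpHYpl9LjwqULy0";
            }
        }
        user JTAC {
            full-name "Alternate Root";
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$dCY08IIl$a.myDnyJinlZYl3on2iBq.";
            }
        }
    }
    services {
        ssh {
            /* was "allow": root now has to log in as a named super-user and escalate */
            root-login deny;
            protocol-version v2;
        }
        /* telnet removed (cleartext credentials, and it was reachable on ge-0/0/0.0);
           plaintext http removed, J-Web is HTTPS only */
        web-management {
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            /* raised from "error" so every operator command lands in the audit trail */
            interactive-commands any;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NTP is unauthenticated here; fine for clock sync, not a trust anchor */
        server 128.138.140.44 prefer;
        server 132.163.4.101;
    }
}
interfaces {
    ge-0/0/0 {
        description "Comcast Business Class Internet";
        per-unit-scheduler;
        unit 0 {
            description "150/20 MB Asymmetrical";
            family inet {
                address 96.90.180.217/29;
            }
        }
    }
    ge-0/0/7 {
        description "TCS Mississippi Store Network";
        per-unit-scheduler;
        unit 0 {
            description "AM-MS-Site Network";
            family inet {
                address 10.10.25.1/24;
            }
        }
    }
    st0 {
        /* Route-based IPsec tunnels; one unit per remote site, bound under security ipsec vpn */
        unit 0 {
            description "VPN Tunnel to TCS-CL-Site";
            family inet;
        }
        unit 5 {
            description "VPN Tunnel to RS-MH-Site";
            family inet;
        }
        unit 10 {
            description "VPN Tunnel to TCS-GB-Site";
            family inet;
        }
        unit 15 {
            description "VPN Tunnel to GL-FL-Site";
            family inet;
        }
        unit 20 {
            description "VPN Tunnel to TCS-GP-Site";
            family inet;
        }
        unit 30 {
            description "VPN Tunnel to RS-WW-Site";
            family inet;
        }
        unit 35 {
            description "VPN Tunnel to AM_PI-33-Site";
            family inet;
        }
        unit 45 {
            description "VPN Tunnel to HD-PK-Site";
            family inet;
        }
        unit 105 {
            description "VPN Tunnel to RS-VW-Site";
            family inet;
        }
    }
}
snmp {
    description "AM-MS-Site Firewall";
    location "11091 Mississippi Ave Aurora";
    contact "Mel Gordon";
    view jweb-view-all {
        oid .1 include;
    }
    /* SNMPv2c communities over the whole OID tree; now limited to the internal
       10.10.0.0/16 address space (tighten to the NMS host once known, and
       consider SNMPv3 for the read-write community) */
    community TCS-Read {
        /* fixed: was the invalid keyword "view-jweb-view-all;" */
        view jweb-view-all;
        authorization read-only;
        clients {
            10.10.0.0/16;
        }
    }
    community TCS-Write {
        view jweb-view-all;
        authorization read-write;
        clients {
            10.10.0.0/16;
        }
    }
    health-monitor {
        interval 300;
        rising-threshold 90;
        falling-threshold 80;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 96.90.180.222;
        route 10.10.0.0/24 next-hop st0.0;
        route 10.10.5.0/24 next-hop st0.5;
        route 10.10.10.0/24 next-hop st0.10;
        route 10.10.15.0/24 next-hop st0.15;
        route 10.10.20.0/24 next-hop st0.20;
        route 10.10.30.0/24 next-hop st0.30;
        route 10.10.35.0/24 next-hop st0.35;
        route 10.10.40.0/24 next-hop st0.35;
        route 10.10.45.0/24 next-hop st0.45;
        route 10.10.55.0/24 next-hop st0.5;
        route 10.10.105.0/24 next-hop st0.105;
    }
}
protocols {
    stp;
}
class-of-service {
    classifiers {
        dscp BRANCH-QOS {
            forwarding-class NC {
                loss-priority high code-points [ nc1 nc2 ];
            }
            forwarding-class VOICE {
                loss-priority high code-points [ VOICE-SIG2-CP VOICE-CP VOICE-SIG-CP ];
            }
            forwarding-class VIDEO {
                loss-priority high code-points [ af11 af12 ];
            }
            forwarding-class DATA {
                loss-priority low code-points be;
            }
        }
    }
    code-point-aliases {
        dscp {
            VOICE-CP 101110;
            VOICE-SIG-CP 010110;
            VOICE-SIG2-CP 011000;
        }
    }
    forwarding-classes {
        queue 0 DATA;
        queue 1 VOICE;
        queue 2 VIDEO;
        queue 3 NC;
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                scheduler-map BRANCH-SCHEDULER;
                shaping-rate 20m;
                classifiers {
                    dscp BRANCH-QOS;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                scheduler-map BRANCH-SCHEDULER;
                classifiers {
                    dscp BRANCH-QOS;
                }
            }
        }
    }
    scheduler-maps {
        BRANCH-SCHEDULER {
            forwarding-class DATA scheduler DATA-SCHEDULER;
            forwarding-class VOICE scheduler VOICE-SCHEDULER;
            forwarding-class VIDEO scheduler VIDEO-SCHEDULER;
            forwarding-class NC scheduler NC-SCHEDULER;
        }
    }
    schedulers {
        DATA-SCHEDULER {
            transmit-rate {
                remainder;
            }
            buffer-size {
                remainder;
            }
            priority low;
        }
        VOICE-SCHEDULER {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority strict-high;
        }
        VIDEO-SCHEDULER {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
        NC-SCHEDULER {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
    }
}
security {
    alarms {
        potential-violation {
            authentication 6;
            cryptographic-self-test;
            decryption-failures {
                threshold 1;
            }
            encryption-failures {
                threshold 10;
            }
            ike-phase1-failures {
                threshold 10;
            }
            ike-phase2-failures {
                threshold 1;
            }
            key-generation-self-test;
            non-cryptographic-self-test;
            replay-attacks;
        }
    }
    key-protection;
    ike {
        respond-bad-spi 5;
        /* 3DES / SHA-1 / DH group 2 (1024-bit) and the "standard" proposal-set
           are weak by current standards; they cannot be changed unilaterally -
           coordinate an AES / group 14+ migration with each remote peer */
        proposal Phase1_to_VW_Cloud {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* All PSKs below are "$9$" obfuscated and recoverable from this file; rotate them */
        policy ike_pol_VPN-to_TCS-CL-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$IvzEhSrlKMWLxNaGUjq.RhcyrevM8XxN";
        }
        /* renamed from ike_pol_VPN_to_TCS-MH-Site so gateway gw_VPN_to_RS-MH-Site resolves */
        policy ike_pol_VPN_to_RS-MH-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$RD2hcylevW8X7-JUDi.mEcSrlKMWLx7-";
        }
        policy ike_pol_VPN_to_TCS-GB-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$gnoaZUDikqmfTpOBIcS4aJGUjHk.PfT";
        }
        policy ike_pol_VPN_to_GL-FL-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$xHdN-Vws24oJGDQ3n/tp7-dbwYg4aZGD";
        }
        policy ike_pol_VPN_to_TCS-GP-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$jHHk.PfTzFn/ChyreW8ikqmP5Qz36/C";
        }
        policy ike_pol_VPN_to_RS-WW-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$noYK/9ApuO1IEcy7dVwg469Ctp0B1Rhcy";
        }
        policy ike_pol_VPN_to_AM_PI-33-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$wsY24aJGDjHqm9tp0IRs2goaZUDikqm";
        }
        policy ike_pol_VPN_to_HD-PK-Site {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$3sUn6/Ctp0B1RhSx-db2gn/9AtuOBIEhS";
        }
        policy ike_pol_VPN_to_RS-VW-Site {
            mode main;
            proposals Phase1_to_VW_Cloud;
            pre-shared-key ascii-text "$9$SSJyvL2gaJDiTztOBIcSYg4Ziq5Q3n9p3nOIhcMWUjik5z69pEclu07dbsZG9At0IcSrvMX-M8xdbs4o.P5Q9ARhSMWx9AWx7dsYP5Qz3/puBcSeCt8xdVY2QF39A0cSe8LNjHz6/A1IEcyKX7dVYGUHX7qmTzAt1RhSM8bwgUi.goPQ360OXxNbgJ";
        }
        gateway gw_VPN-to_TCS-CL-Site {
            ike-policy ike_pol_VPN-to_TCS-CL-Site;
            address 23.24.155.226;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_RS-MH-Site {
            ike-policy ike_pol_VPN_to_RS-MH-Site;
            address 23.31.90.105;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_TCS-GB-Site {
            ike-policy ike_pol_VPN_to_TCS-GB-Site;
            address 50.198.200.197;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_GL-FL-Site {
            /* fixed: referenced the undefined policy ike_pol_VPN_to_GL_FL-Site */
            ike-policy ike_pol_VPN_to_GL-FL-Site;
            address 50.198.213.77;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_TCS-GP-Site {
            ike-policy ike_pol_VPN_to_TCS-GP-Site;
            address 50.198.215.73;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_RS-WW-Site {
            ike-policy ike_pol_VPN_to_RS-WW-Site;
            address 75.148.117.253;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_AM_PI-33-Site {
            ike-policy ike_pol_VPN_to_AM_PI-33-Site;
            address 208.186.249.244;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_HD-PK-Site {
            ike-policy ike_pol_VPN_to_HD-PK-Site;
            address 96.89.114.161;
            external-interface ge-0/0/0.0;
        }
        gateway gw_VPN_to_RS-VW-Site {
            ike-policy ike_pol_VPN_to_RS-VW-Site;
            address 216.46.162.232;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 15;
            threshold 15;
        }
        proposal Phase2_to_VW_Cloud {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_pol_VPN-to_TCS-CL-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_RS-MH-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_TCS-GB-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_GL-FL-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_TCS-GP-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_RS-WW-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_AM_PI-33-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_HD-PK-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        policy ipsec_pol_VPN_to_RS-VW-Site {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals Phase2_to_VW_Cloud;
        }
        vpn VPN-to_TCS-CL-Site {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.0.1;
            }
            ike {
                gateway gw_VPN-to_TCS-CL-Site;
                ipsec-policy ipsec_pol_VPN-to_TCS-CL-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_RS-MH-Site {
            bind-interface st0.5;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.5.1;
            }
            ike {
                gateway gw_VPN_to_RS-MH-Site;
                ipsec-policy ipsec_pol_VPN_to_RS-MH-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_TCS-GB-Site {
            bind-interface st0.10;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.10.1;
            }
            ike {
                gateway gw_VPN_to_TCS-GB-Site;
                ipsec-policy ipsec_pol_VPN_to_TCS-GB-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_GL-FL-Site {
            bind-interface st0.15;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.15.1;
            }
            ike {
                gateway gw_VPN_to_GL-FL-Site;
                ipsec-policy ipsec_pol_VPN_to_GL-FL-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_TCS-GP-Site {
            bind-interface st0.20;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.20.1;
            }
            ike {
                gateway gw_VPN_to_TCS-GP-Site;
                ipsec-policy ipsec_pol_VPN_to_TCS-GP-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_RS-WW-Site {
            bind-interface st0.30;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.30.1;
            }
            ike {
                gateway gw_VPN_to_RS-WW-Site;
                ipsec-policy ipsec_pol_VPN_to_RS-WW-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_AM_PI-33-Site {
            bind-interface st0.35;
            vpn-monitor {
                optimized;
                /* fixed: was ge-0/0/15, which has no address in this configuration,
                   so the monitor probes had no usable source; aligned with the other tunnels */
                source-interface ge-0/0/7;
                destination-ip 10.10.35.1;
            }
            ike {
                gateway gw_VPN_to_AM_PI-33-Site;
                ipsec-policy ipsec_pol_VPN_to_AM_PI-33-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_HD-PK-Site {
            bind-interface st0.45;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.45.1;
            }
            ike {
                gateway gw_VPN_to_HD-PK-Site;
                ipsec-policy ipsec_pol_VPN_to_HD-PK-Site;
            }
            establish-tunnels immediately;
        }
        vpn VPN_to_RS-VW-Site {
            bind-interface st0.105;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/7;
                destination-ip 10.10.105.1;
            }
            ike {
                gateway gw_VPN_to_RS-VW-Site;
                ipsec-policy ipsec_pol_VPN_to_RS-VW-Site;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone AM-MS-Site;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* The st0 tunnel interfaces sit in the Internet zone, so site-to-site
           traffic is matched here by explicit remote-subnet address objects */
        from-zone Internet to-zone AM-MS-Site {
            policy policy_in_VPN-to_TCS-CL-Site {
                match {
                    source-address addr_10_10_0_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_RS-MH-Site {
                match {
                    source-address [ addr_10_10_5_0_24 addr_10_10_55_0_24 ];
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_TCS-GB-Site {
                match {
                    source-address addr_10_10_10_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_AM-MS_to_GL-FL-Site {
                match {
                    source-address addr_10_10_15_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_TCS-GP-Site {
                match {
                    source-address addr_10_10_20_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_RS-WW-Site {
                match {
                    source-address addr_10_10_30_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_AM_PI-33-Site {
                match {
                    source-address [ addr_10_10_35_0_24 addr_10_10_40_0_24 ];
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_HD-PK-Site {
                match {
                    source-address addr_10_10_45_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_VPN_to_RS-VW-Site {
                match {
                    source-address addr_10_10_105_0_24;
                    destination-address addr_10_10_25_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Replaces "All_Internet_to_AM-MS-Site" (any/any/any permit), which
               allowed unsolicited traffic from the WAN and every tunnel into the
               store LAN; anything not matched above is now dropped and logged */
            policy deny_Internet_to_AM-MS-Site {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone AM-MS-Site to-zone Internet {
            policy policy_out_VPN-to_TCS-CL-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_0_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_RS-MH-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address [ addr_10_10_5_0_24 addr_10_10_55_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_TCS-GB-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_10_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_AM-MS_to_GL-FL-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_15_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_TCS-GP-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_20_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_RS-WW-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_30_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_AM_PI-33-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address [ addr_10_10_35_0_24 addr_10_10_40_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_HD-PK-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_45_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_VPN_to_RS-VW-Site {
                match {
                    source-address addr_10_10_25_0_24;
                    destination-address addr_10_10_105_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Outbound catch-all for general Internet access (source-NATed by nsw_srcnat) */
            policy All_Internet_to_AM-MS-Site {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            /* the untrust-screen IDS profile was defined but never attached to a zone */
            screen untrust-screen;
            address-book {
                address addr_10_10_0_0_24 10.10.0.0/24;
                address addr_10_10_5_0_24 10.10.5.0/24;
                address addr_10_10_10_0_24 10.10.10.0/24;
                address addr_10_10_15_0_24 10.10.15.0/24;
                address addr_10_10_20_0_24 10.10.20.0/24;
                address addr_10_10_30_0_24 10.10.30.0/24;
                address addr_10_10_35_0_24 10.10.35.0/24;
                address addr_10_10_40_0_24 10.10.40.0/24;
                address addr_10_10_45_0_24 10.10.45.0/24;
                address addr_10_10_55_0_24 10.10.55.0/24;
                address addr_10_10_105_0_24 10.10.105.0/24;
            }
            /* Zone-level host-inbound-traffic removed: it applied to every interface
               in the zone, so telnet/http/ssh/snmp and all routing protocols were
               answered on the public ge-0/0/0.0. Interface-level entries only add to
               the zone set, so services are now granted per interface: the WAN gets
               IKE and ping only; management (https/ssh/snmp) stays reachable over the
               st0 tunnels. No dynamic routing is configured, so "protocols all" was unused. */
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.5 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.15 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.20 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.30 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.35 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.45 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
                st0.105 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                        }
                    }
                }
            }
        }
        security-zone AM-MS-Site {
            address-book {
                address addr_10_10_25_0_24 10.10.25.0/24;
            }
            /* Trusted store LAN; left wide open as before, but note "all" also
               covers services such as http and telnet that are no longer enabled */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}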