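version 11.2R4.3;
/* 11.2 is an old Junos release train; confirm its support status and plan an upgrade path. */
system {
    host-name srxfirewall;
    domain-name ctgcentral.com;
    domain-search ctgcentral.com;
    time-zone America/Chicago;
    /* Empty in this copy - presumably the encrypted-password was redacted before the file was shared. */
    root-authentication { }
    name-server {
        8.8.8.8;
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        web-management {
            management-url jweb;
            http {
                interface [ vlan.0 vlan.100 ];
            }
            https {
                system-generated-certificate;
                /* J-Web HTTPS is bound to the Internet-facing interface and is reachable from any source:
                   filter remote_acl (term terminal_open_ports) admits https and zone untrust permits the
                   https system-service. The dynamic-vpn client portal depends on it, so it cannot simply be
                   removed; keep the filter's default-term logging and revisit when the dynamic VPN is retired. */
                interface fe-0/0/0.0;
            }
        }
    }
    syslog {
        /* Logs are kept on the box only; a remote syslog host would give retention independent of the device. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 50.22.155.163;
        server 149.20.68.17;
        server 50.116.38.157;
        server 50.31.2.213;
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                /* Stateless input filter on the Internet-facing interface; see firewall filter remote_acl. */
                filter {
                    input remote_acl;
                }
                address 50.58.28.182/28;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members cousins;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trng-room;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members pbx;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* Host-inbound (Routing Engine) filter; see firewall filter deny. */
                filter {
                    input deny;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        description "Layer 3, routed VLAN interface";
        /* CTG LAN */
        unit 0 {
            family inet {
                address 192.168.168.254/24;
            }
        }
        /* Cousins */
        unit 100 {
            family inet {
                address 192.168.101.254/24;
            }
        }
        /* Training Room */
        unit 200 {
            family inet {
                address 192.168.102.254/24;
            }
        }
        /* PBX */
        unit 300 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            description "DHCP Relay";
            server 192.168.168.247;
            maximum-hop-count 4;
            interface {
                vlan.0;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 50.58.28.177;
        /* Dallas site, reached through the route-based VPN on st0.0 */
        route 10.249.6.0/24 next-hop st0.0;
    }
}
protocols {
    stp;
}
policy-options {
    /* Sources allowed to reach SSH on this device; referenced by firewall filter deny. */
    prefix-list manager-ip {
        174.73.4.183/32;
        192.168.168.0/24;
    }
}
security {
    ike {
        /* 3DES-CBC, SHA-1 and DH group 2 are weak by current standards. Any change must be made on the
           ASA peer at 64.129.108.82 at the same time or the site-to-site tunnel will stop negotiating. */
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        /* No pre-shared-key statement appears in this copy; presumably redacted. */
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
        }
        /* Aggressive mode with a group IKE ID is what the dynamic VPN clients require; it is weaker than
           main mode, so the shared key must be long and random. */
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposal-set standard;
        }
        gateway gw-dallas-asa {
            ike-policy ike-phase1-policy;
            address 64.129.108.82;
            external-interface fe-0/0/0.0;
        }
        gateway gw-dyn-vpn-local {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface fe-0/0/0.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        /* DES-CBC and HMAC-MD5-96 offer little protection; coordinate an upgrade with the Dallas peer. */
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn ike-vpn-dallas-asa {
            bind-interface st0.0;
            ike {
                gateway gw-dallas-asa;
                /* The local proxy ID is 192.168.168.0/24, while policy vpn-tr-untr and source NAT rule r1
                   cover 192.168.0.0/16; traffic from the other VLANs may be refused by the peer - confirm. */
                proxy-identity {
                    local 192.168.168.0/24;
                    remote 10.249.6.0/24;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn dyn-vpn {
            ike {
                gateway gw-dyn-vpn-local;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all {
                remote-protected-resources {
                    192.168.168.0/24;
                    10.249.6.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    admin;
                    pmdyer;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                /* No source NAT toward the Dallas site; must stay ahead of the catch-all rule r2. */
                rule r1 {
                    match {
                        source-address 192.168.0.0/16;
                        destination-address 10.249.6.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule r2 {
                    match {
                        source-address 192.168.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* PBX. Note that 192.168.3.1 is this device's own vlan.300 address, not a host on the PBX VLAN -
               confirm the intended target. */
            pool dst-nat-pool-178 {
                address 192.168.3.1/32;
            }
            /* nonat Netgear gs724t */
            pool dst-nat-pool-179 {
                address 192.168.168.1/32;
            }
            /* nonat Cisco RV082 */
            pool dst-nat-pool-180 {
                address 192.168.168.1/32;
            }
            /* baronne */
            pool dst-nat-pool-181 {
                address 192.168.168.55/32;
            }
            /* nonat Juniper SRX100 */
            pool dst-nat-pool-182 {
                address 192.168.168.1/32;
            }
            /* perrier */
            pool dst-nat-pool-183 {
                address 192.168.168.57/32;
            }
            /* testdb04 */
            pool dst-nat-pool-184 {
                address 192.168.168.58/32;
            }
            /* ohs4 */
            pool dst-nat-pool-185 {
                address 192.168.168.71/32;
            }
            /* F20 test */
            pool dst-nat-pool-186 {
                address 192.168.168.4/32;
            }
            /* nonat free */
            pool dst-nat-pool-187 {
                address 192.168.168.1/32;
            }
            /* jabber */
            pool dst-nat-pool-188 {
                address 192.168.168.67/32;
            }
            /* perdido */
            pool dst-nat-pool-189 {
                address 192.168.168.63/32;
            }
            /* alien2 */
            pool dst-nat-pool-190 {
                address 192.168.168.64/32;
            }
            /* PPTP */
            pool dst-nat-pool-pptp {
                address 192.168.168.248/32;
            }
            rule-set rs1 {
                from zone untrust;
                /* Deactivated. Firewall filter remote_acl still admits port pptp; that entry can go once this is retired. */
                inactive: rule r1723 {
                    match {
                        destination-address 50.58.28.182/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool dst-nat-pool-pptp;
                    }
                }
                rule r178 {
                    match {
                        destination-address 50.58.28.178/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-178;
                    }
                }
                rule r179 {
                    match {
                        destination-address 50.58.28.179/32;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule r180 {
                    match {
                        destination-address 50.58.28.180/32;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule r181 {
                    match {
                        destination-address 50.58.28.181/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-181;
                    }
                }
                rule r182 {
                    match {
                        destination-address 50.58.28.182/32;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule r183 {
                    match {
                        destination-address 50.58.28.183/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-183;
                    }
                }
                rule r184 {
                    match {
                        destination-address 50.58.28.184/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-184;
                    }
                }
                rule r185 {
                    match {
                        destination-address 50.58.28.185/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-185;
                    }
                }
                rule r186 {
                    match {
                        destination-address 50.58.28.186/32;
                    }
                    /* F20 test */
                    then {
                        destination-nat pool dst-nat-pool-186;
                    }
                }
                rule r187 {
                    match {
                        destination-address 50.58.28.187/32;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule r188 {
                    match {
                        destination-address 50.58.28.188/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-188;
                    }
                }
                rule r189 {
                    match {
                        destination-address 50.58.28.189/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-189;
                    }
                }
                rule r190 {
                    match {
                        destination-address 50.58.28.190/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-190;
                    }
                }
            }
        }
        proxy-arp {
            /* Only .186 is proxied; the other translated addresses in 50.58.28.176/28 would normally need
               proxy ARP as well unless the upstream router reaches them some other way - confirm. */
            interface fe-0/0/0.0 {
                address {
                    50.58.28.186/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address kenner-internal;
                    destination-address dallas-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* General egress: everything from trust is allowed out. */
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address dallas-internal;
                    destination-address kenner-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Every application from the listed peers to the whole internal /16. Narrowing the application
               set and destinations would limit the impact of one of those peers being compromised. */
            policy server-access {
                match {
                    source-address [ Mercury Kenner PoydrasColo ];
                    destination-address kenner-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
            policy deny-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address kenner-internal 192.168.0.0/16;
            }
            /* Every system service is reachable from every internal VLAN; the lo0 filter deny is the only
               thing restricting SSH to the manager-ip prefixes. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.100;
                vlan.200;
                vlan.300;
            }
        }
        security-zone untrust {
            address-book {
                address pix-506e 72.249.6.128/28;
                address asa-5505 64.129.108.80/28;
                address PoydrasColo 216.110.62.112/28;
                address Kenner 50.58.28.176/28;
                address pmdyer 174.73.4.183/32;
                address jpso-1 169.130.116.42/32;
                address jpso-2 209.215.70.1/32;
                address dallas-internal 10.249.6.0/24;
                address-set Dallas {
                    address pix-506e;
                    address asa-5505;
                }
                address-set Mercury {
                    address pmdyer;
                    address jpso-1;
                    address jpso-2;
                }
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0;
                st0.0;
            }
        }
    }
}
firewall {
    family inet {
        /* Stateless input filter applied to fe-0/0/0.0. */
        filter remote_acl {
            term terminal_access {
                from {
                    address {
                        /* JPSO */
                        169.130.116.42/32;
                        209.215.70.1/32;
                        /* Dallas */
                        72.249.6.128/28;
                        64.129.108.80/28;
                        /* pmdyer */
                        174.73.4.183/32;
                        /* PoydrasColo */
                        216.110.62.112/28;
                        /* Kenner */
                        50.58.28.176/28;
                    }
                }
                then accept;
            }
            /* 'port' matches the source OR the destination port, so any packet carrying one of these values
               as its source port passes this term whatever its destination; the zone policies are what
               actually limit it. Because this filter is stateless, the same match appears to be what lets
               replies from remote web servers back in, so do not switch to destination-port without adding
               an explicit return-traffic term (or retiring the filter in favour of zone policy) - verify first. */
            term terminal_open_ports {
                from {
                    protocol [ tcp udp ];
                    port [ http https pptp 3389 ];
                }
                then accept;
            }
            term default-term {
                then {
                    log;
                    reject;
                }
            }
        }
        /* Applied to lo0.0: discards SSH that does not come from manager-ip and accepts everything else. */
        filter deny {
            /* The 0.0.0.0/0 catch-all is what gives the except list its meaning; a narrower entry here
               (this used to be 0.0.0.0/32, i.e. the single address 0.0.0.0) leaves the term matching
               nothing, so SSH was reachable from every trust-zone host. */
            term t1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    source-prefix-list {
                        manager-ip except;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    log;
                    discard;
                }
            }
            term t3 {
                then accept;
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        /* Per-user passwords are not present in this copy; presumably redacted. */
        client admin {
            firewall-user { }
        }
        client pmdyer {
            firewall-user { }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 172.16.9.0/24;
                range dvpn-range {
                    low 172.16.9.1;
                    high 172.16.9.32;
                }
                xauth-attributes {
                    primary-dns 192.168.168.247/32;
                    secondary-dns 192.168.168.252/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
vlans {
    cousins {
        description "Cousins router";
        vlan-id 100;
        l3-interface vlan.100;
    }
    pbx {
        description "Panasonic PBX";
        vlan-id 300;
        l3-interface vlan.300;
    }
    trng-room {
        description "Training Room router";
        vlan-id 200;
        l3-interface vlan.200;
    }
    vlan-trust {
        description "CTG LAN";
        vlan-id 3;
        l3-interface vlan.0;
    }
}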