## Last changed: 2013-10-14 15:04:27 GMT+10 version 12.1R1.9; system { host-name SRX210-XXXXX; domain-name XXXX; time-zone GMT+10; authentication-order password; root-authentication { encrypted-password XXXXXXXXXXXXX } name-server { 203.XXXX; 139.XXX; } login { user admin { full-name XXXX; uid 101; class super-user; authentication { encrypted-password XXXXXXXXXXXXXXX } } } services { ssh; telnet; xnm-clear-text; xnm-ssl { local-certificate Tekno_cert; } web-management { http { interface vlan.0; } https { system-generated-certificate; interface at-1/0/0.0; } } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; ## ## Warning: statement ignored: unsupported platform (srx210he) ## max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } processes { general-authentication-service { traceoptions { flag all; } } } ntp { server 192.168.XXX; } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } } } fe-0/0/2 { unit 0 { encapsulation ppp-over-ether; } } fe-0/0/3 { disable; unit 0 { family ethernet-switching { port-mode access; } } } fe-0/0/4 { disable; unit 0 { family ethernet-switching { port-mode access; } } } fe-0/0/5 { disable; unit 0 { family ethernet-switching { port-mode access; } } } fe-0/0/6 { disable; unit 0 { family ethernet-switching { port-mode access; } } } fe-0/0/7 { disable; unit 0 { family ethernet-switching { port-mode access; vlan { members default; } } } } at-1/0/0 { description "Telstra ADSL"; traceoptions { flag all; } encapsulation atm-pvc; atm-options { vpi 8; } dsl-options { operating-mode auto; } unit 0 { description "1st Telstra WAN link"; encapsulation atm-ppp-vc-mux; vci 8.35; ppp-options { chap { default-chap-secret "XXXXXXXXXXXXXX"; ## SECRET-DATA local-name "XXXXXXXXXXXXXX"; passive; } pap { default-password "XXXXXXXXXXXXXX"; ## SECRET-DATA local-name "XXXXXXXXXXXXXX"; local-password "XXXXXXXXXXXXXX"; ## SECRET-DATA passive; } } family inet { address 120.151.XXXXXXXXXXXXXX/24; } } } lo0 { unit 0 { family inet { address 127.0.0.1/32; } } } pp0 { description "2nd Telstra WAN link"; unit 0 { ppp-options { chap { default-chap-secret "XXXXXXXXXXXXXX"; ## SECRET-DATA local-name "XXXXXXXXXXXXXX"; passive; } pap { local-name "XXXXXXXXXXXXXX"; local-password "XXXXXXXXXXXXXX"; ## SECRET-DATA passive; } } pppoe-options { underlying-interface fe-0/0/2.0; idle-timeout 0; auto-reconnect 10; client; } family inet { address 120.150.XXXXXXXXXXXXXX/24; } } } vlan { unit 0 { family inet { inactive: filter { input SplitTraffic; } address 192.168.XXXXXXXXXXXXXX/24; } } } } forwarding-options { helpers { bootp { relay-agent-option; description "Global DHCP relay service"; server 192.168.XXXXXXXXXXXXXX; maximum-hop-count 16; minimum-wait-time 0; client-response-ttl 255; interface { vlan.0; } } } } snmp { community public { authorization read-only; } } routing-options { static { route 0.0.0.0/0 next-hop [ at-1/0/0.0 pp0.0 ]; } } security { log { disable; } certificates { local { Tekno_cert { "-----BEGIN CERTIFICATE-----\XXXXXXXXXXXXXX\n-----END CERTIFICATE-----\n "; ## SECRET-DATA } } } ike { policy ike-dyn-vpn-policy { mode aggressive; proposal-set standard; pre-shared-key ascii-text "XXXXXXXXXXXXXX"; ## SECRET-DATA } gateway dyn-vpn-local-gw { ike-policy ike-dyn-vpn-policy; dynamic { hostname dynvpn; connections-limit 50; ike-user-type group-ike-id; } external-interface at-1/0/0.0; xauth access-profile dyn-vpn-access-profile; } } ipsec { policy ipsec-dyn-vpn-policy { proposal-set standard; } vpn dyn-vpn { ike { gateway dyn-vpn-local-gw; ipsec-policy ipsec-dyn-vpn-policy; } } } alg { ftp disable; ike-esp-nat { enable; } } application-tracking; dynamic-vpn { access-profile dyn-vpn-access-profile; clients { all { remote-protected-resources { 192.168.0.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dyn-vpn; user { XXXXXXXXXXXXXX; XXXXXXXXXXXXXX; } } } } flow { inactive: traceoptions { file flow-debug; flag basic-datapath; packet-filter DYNAMIC_VPN { source-prefix 192.168.0.204/32; destination-prefix 192.168.0.4/32; } packet-filter DYNAMIC_VPN_2 { source-prefix 192.168.0.4/32; destination-prefix 192.168.0.204/32; } } tcp-mss { all-tcp { mss 1350; } } } screen { ids-option untrust-screen { icmp { fragment; ping-death; } ip { source-route-option; tear-drop; } tcp { port-scan threshold 5000; syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; queue-size 2000; ## Warning: 'queue-size' is deprecated timeout 20; } land; winnuke; } } } nat { source { rule-set interface-nat { from zone trust; to zone untrust; rule rule1 { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } destination { pool dnat-pool-2 { description TSM-Remote; address 192.168.0.5/32 port 89; } pool dnat-pool-3 { description TSM-Self-Service; address 192.168.0.5/32 port 8089; } pool dnat-pool-1 { address 192.168.0.4/32; } pool dnat-pool-4 { description Exchange; address 192.168.0.4/32 port 443; } pool dnat-pool-5 { description CeosNet-Server; address 192.168.0.52/32 port 80; } rule-set dst-nat { from zone untrust; rule rule7 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 89; } then { destination-nat pool dnat-pool-2; } } rule rule1 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 80; } then { destination-nat pool dnat-pool-3; } } rule rule2 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 5060; } then { destination-nat pool dnat-pool-1; } } rule rule3 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 1723; } then { destination-nat pool dnat-pool-1; } } rule rule4 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 25; } then { destination-nat pool dnat-pool-1; } } rule rule5 { match { destination-address 120.151.XXXXXXXXXXXXXX/32; destination-port 444; } then { destination-nat pool dnat-pool-4; } } rule rule9 { match { destination-address 120.151.XXXXXXXXXXXXXX4/32; destination-port 9675; } then { destination-nat pool dnat-pool-5; } } } } proxy-arp { interface vlan.0 { address { 192.168.0.200/32 to 192.168.0.250/32; } } } } policies { from-zone trust to-zone trust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone untrust { policy Email_Policy_Allow_Exchange { match { source-address Teknocorp-server; destination-address any; application [ junos-smtp junos-ms-rpc-msexchange-directory-rfr junos-ms-rpc-msexchange-info-store junos-ms-rpc-msexchange-directory-nsp junos-ms-rpc-msexchange ]; } then { permit; log { session-init; session-close; } count; } } policy default-permit { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } count; } } } from-zone untrust to-zone trust { policy ALLOWALL { match { source-address any; destination-address Teknocorp-server; application [ junos-smtp junos-ms-rpc-msexchange-directory-rfr junos-ms-rpc-msexchange-info-store junos-ms-rpc-msexchange-directory-nsp junos-ms-rpc-msexchange ]; } then { permit; } } policy static-nat { match { source-address any; destination-address [ servergroup Ceosnet-server ]; application [ junos-sip junos-smtp RDPApps cust-TSM-Remote cust-pptp cust-TSM-Self-Service cust-https junos-ftp junos-http junos-https cust-spiceworks ]; } then { permit; log { session-init; session-close; } count; } } policy Spicework { match { source-address any; destination-address Ceosnet-server; application cust-spiceworks; } then { permit; count; } } policy dyn-vpn-policy { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn dyn-vpn; } } log { session-init; session-close; } count; } } policy default-deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; session-close; } count; } } } } zones { security-zone trust { address-book { address Teknocorp-server 192.168.0.4/32; address TSM-server-1 192.168.0.5/32; address TSM-server-2 192.168.0.6/32; address local-network 192.168.0.0/24; address workstation_range_1 192.168.0.11/32; address workstation_range_2 192.168.0.12/30; address workstation_range_3 192.168.0.16/28; address workstation_range_4 192.168.0.32/27; address workstation_range_5 192.168.0.64/26; address workstation_range_6 192.168.0.128/26; address workstation_range_7 192.168.0.192/27; address workstation_range_8 192.168.0.224/28; address workstation_range_9 192.168.0.240/29; address workstation_range_10 192.168.0.248/30; address workstation_range_11 192.168.0.252/31; address workstation_range_12 192.168.0.254/32; address Ceosnet-server 192.168.0.52/32; address-set servergroup { address Teknocorp-server; address TSM-server-1; address TSM-server-2; } address-set Workstations { address workstation_range_1; address workstation_range_2; address workstation_range_3; address workstation_range_4; address workstation_range_5; address workstation_range_6; address workstation_range_7; address workstation_range_8; address workstation_range_9; address workstation_range_10; address workstation_range_11; address workstation_range_12; } } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/0.0; ge-0/0/1.0; fe-0/0/3.0; fe-0/0/4.0; fe-0/0/5.0; fe-0/0/6.0; fe-0/0/7.0; vlan.0; } } security-zone untrust { screen untrust-screen; interfaces { at-1/0/0.0 { host-inbound-traffic { system-services { ike; https; ping; ssh; } } } fe-0/0/2.0 { host-inbound-traffic { system-services { ike; https; ping; ssh; } } } pp0.0 { host-inbound-traffic { system-services { ike; https; ping; ssh; } } } } } } } access { profile dyn-vpn-access-profile { client daniel { firewall-user { password "XXXXXXXXXXXXXX"; ## SECRET-DATA } } client tony { firewall-user { password "XXXXXXXXXXXXXX"; ## SECRET-DATA } } address-assignment { pool dyn-vpn-address-pool; } } profile ppp { authentication-order password; } address-assignment { pool dyn-vpn-address-pool { family inet { network 192.168.0.0/24; range dvpn-range { low 192.168.0.200; high 192.168.0.250; } xauth-attributes { primary-dns 192.168.0.4/32; } } } } firewall-authentication { web-authentication { default-profile dyn-vpn-access-profile; } } } applications { application cust-RDP { protocol tcp; source-port 1-65535; destination-port 3389; } application cust-pptp { protocol tcp; source-port 1-65535; destination-port 1723; } application cust-TSM-Remote { protocol tcp; destination-port 89; } application cust-TSM-Self-Service { protocol tcp; destination-port 8089; } application cust-https { protocol tcp; destination-port 444; } application cust-spiceworks { protocol tcp; source-port 1-65535; destination-port 9675; description Spiceworks; } application-set RDPApps { application cust-RDP; application cust-pptp; } } wlan { access-point AP-1 { mac-address 78:fe:3d:c6:16:80; external { system { ports { ethernet { management-vlan 1; name-server 192.168.0.4; } } console { baud-rate 115200; } } } access-point-options { country { AU; } } radio 2 { radio-options { mode bg; channel { number auto; } } virtual-access-point 0 { ssid Teknocorp_Wifi; vlan 1; security { mac-authentication-type disabled; wpa-personal { wpa-version { both; } cipher-suites { both; } key "$9$acJi.5QF3n95ThSlv7NYg4aJG"; ## SECRET-DATA } } } quality-of-service { no-auto-power-save; } } radio 1 { radio-options { mode 5GHz; channel { number auto; bandwidth 40; } } virtual-access-point 0 { ssid Teknocorp_Wifi; vlan 1; security { mac-authentication-type disabled; wpa-personal { wpa-version { both; } cipher-suites { both; } key "$9$5T6A0BIRES0O7-bYZGqmP5Tz"; ## SECRET-DATA } } } quality-of-service { no-auto-power-save; } } } access-point AP-2 { mac-address 78:fe:3d:c6:09:00; external { system { ports { ethernet { management-vlan 1; name-server 192.168.0.4; } } console { baud-rate 115200; } } } access-point-options { country { AU; } } radio 2 { radio-options { mode bg; channel { number auto; } } virtual-access-point 0 { ssid Teknocorp_Wifi_2; vlan 1; security { mac-authentication-type disabled; wpa-personal { wpa-version { both; } cipher-suites { both; } key "$9$LA6XVYoJGUDHoan/AuEhKMWLX7"; ## SECRET-DATA } } } quality-of-service { no-auto-power-save; } } radio 1 { radio-options { mode 5GHz; channel { number auto; bandwidth 40; } } virtual-access-point 0 { ssid Teknocorp_Wifi_2; vlan 1; security { mac-authentication-type disabled; wpa-personal { wpa-version { both; } cipher-suites { both; } key "$9$MG4WNb24aJZD2gz3/A1IreKMWL"; ## SECRET-DATA } } } quality-of-service { no-auto-power-save; } } } } vlans { default { vlan-id 1; l3-interface vlan.0; } }