/* Junos SRX configuration, host "dc": two-interface branch firewall (ge-0/0/0 Internet-facing,
   ge-0/0/1 Internal) with two route-based IPsec tunnels on st0.0 / st0.2. Original was collapsed
   onto three physical lines; reformatted here with tokens unchanged and review annotations added. */
version 12.1X44-D35.5;
/* Configuration group that forces TCP SYN/sequence checking onto every security policy that
   permits traffic; applied via apply-groups under [security policies] below. */
groups {
    require-syn-checking {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
system {
    host-name dc;
    /* "$1$" prefix is an MD5-crypt hash; if the platform supports it, regenerating the root
       password with a stronger format (and keeping root-login restricted) is preferable. */
    root-authentication {
        encrypted-password "$1$3lwrM6t9$pMqAuwFw5."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        /* NOTE(review): no root-login restriction or protocol-version is set for SSH; confirm
           the device defaults are acceptable for an Internet-facing management service. */
        ssh;
        web-management {
            /* Cleartext HTTP management is enabled on ge-0/0/0.0, the Internet-facing interface.
               The Internet zone below does not list http in host-inbound-traffic, so it is not
               reachable there today, but removing ge-0/0/0.0 from this list avoids relying on that. */
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
            /* HTTPS on a non-standard port with a self-signed (system-generated) certificate,
               also bound to the Internet-facing interface; same comment as for http. */
            https {
                port 8080;
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
    }
    /* Local-file logging only: no remote syslog host is configured, so logs are lost if the
       device is compromised or fails. interactive-commands is recorded at error level only,
       which drops successful operator commands from the audit trail. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any info;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): "us.ntp.pool.org" looks like a transposition of the public pool name
       "us.pool.ntp.org" - confirm, since a non-resolving server means no time sync. No NTP
       authentication key is configured. */
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    /* Internet-facing (zone Internet). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 5.5.5.5/26;
            }
        }
    }
    /* Inside LAN (zone Internal). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.200.254/24;
            }
        }
    }
    /* Tunnel interfaces: st0.0 is bound by vpn ike-vpn (zone corp-vpn), st0.2 by vpn
       ike-corp-vpn (zone vpn); see [security ipsec vpn] and [security zones]. */
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.12/24;
            }
        }
        unit 2 {
            family inet {
                address 11.11.11.10/24;
            }
        }
    }
}
/* Well-known default community with no client restriction. No zone permits snmp in
   host-inbound-traffic, so it is not currently reachable, but it should still be renamed and
   limited to known managers (or SNMPv3) before any zone opens snmp. */
snmp {
    community public;
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 7.7.7.7;
        /* Next hop inside the Internal LAN; traffic to 192.168.11.0/24 hairpins through
           ge-0/0/1.0, which is presumably why policy route-11 opts out of SYN checking. */
        route 192.168.11.0/24 next-hop 192.168.200.185;
        route 192.168.2.0/24 next-hop st0.2;
        route 192.168.6.0/24 next-hop st0.2;
        route 192.168.10.0/24 next-hop st0.2;
        /* NOTE(review): 192.160.50.0/24 does not match the 192.168.50.0/24 used by the
           ike-vpn proxy-identity and the corp-50-net address; likely a typo - confirm. */
        route 192.160.50.0/24 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        /* Debug-level tracing left enabled; costly and verbose in production. */
        traceoptions {
            flag ike;
            flag policy-manager;
            flag routing-socket;
        }
        /* Single DES (56-bit) with 1024-bit DH group2: both are considered weak; prefer
           AES and a larger DH group, subject to what the peer supports. */
        proposal P1proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        /* NOTE(review): "policy ike-corp" is defined twice with different proposals and
           pre-shared keys. Junos merges same-named stanzas, so the result is not two policies;
           the gateways below reference ike-india-corp and ike-us-corp, which are not defined
           here - presumably these two stanzas were meant to carry those names. The "$9$"
           pre-shared keys are obfuscated, not encrypted: treat this file as secret. */
        policy ike-corp {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$E4RyK8w4ZGUkqmf5z/CuO1"; ## SECRET-DATA
        }
        policy ike-corp {
            mode main;
            proposals P1proposal;
            pre-shared-key ascii-text "$9$cZ1lMX-dmP5QznApBIE"; ## SECRET-DATA
        }
        /* NOTE(review): "gateway ike-corp-gw" is likewise defined twice with different peer
           addresses; after merging, only one peer address survives. vpn ike-vpn below
           references "gateway ike-gw", which does not exist - presumably the second stanza
           was meant to be ike-gw. Both ike-policy references are dangling (see above). */
        gateway ike-corp-gw {
            ike-policy ike-india-corp;
            address 3.3.3.3;
            external-interface ge-0/0/0;
        }
        gateway ike-corp-gw {
            ike-policy ike-us-corp;
            address 9.7.65.9;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        /* Same weak cipher choice as P1proposal (des-cbc); HMAC-SHA1-96 integrity. */
        proposal P2proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        /* No perfect-forward-secrecy on this policy; compare ipsec-policy-us-corp. */
        policy ipsec-policy-india-corp {
            proposal-set standard;
        }
        policy ipsec-policy-us-corp {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals P2proposal;
        }
        /* NOTE(review): references "ipsec-policy-corp", which is not defined; the defined
           policies are ipsec-policy-india-corp and ipsec-policy-us-corp. Bound to st0.2 and
           the 192.168.2.0/24 remote, so presumably the india one. Only the first remote subnet
           is named in proxy-identity even though routes also send 192.168.6/10 via st0.2 -
           confirm the peer's traffic selector. */
        vpn ike-corp-vpn {
            bind-interface st0.2;
            ike {
                gateway ike-corp-gw;
                proxy-identity {
                    local 192.168.200.0/24;
                    remote 192.168.2.0/24;
                }
                ipsec-policy ipsec-policy-corp;
            }
        }
        /* NOTE(review): "gateway ike-gw" is not defined (see [security ike]). */
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gw;
                proxy-identity {
                    local 192.168.200.0/24;
                    remote 192.168.50.0/24;
                }
                ipsec-policy ipsec-policy-us-corp;
            }
            establish-tunnels immediately;
        }
    }
    /* IDS screen applied to the Internet zone: ping-of-death, source-route, teardrop,
       SYN-flood thresholds and LAND. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    /* Interface source NAT for everything leaving Internal toward Internet. */
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        apply-groups require-syn-checking;
        /* "flag all" already covers "flag lookup"; policy tracing is expensive and should
           not stay on outside of troubleshooting. No policy below logs session events, so
           there is no per-flow audit trail to a collector. */
        traceoptions {
            flag lookup;
            flag all;
        }
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the Internet to ov-server on any application/port. Narrow
           "application any" to the service ov-server actually offers. NOTE(review): ov-server
           is defined in the Internet zone's address book, not Internal's, and 6.5.4.3/32 is not
           in the Internal subnet and has no destination NAT - confirm this policy can commit
           and do what is intended. */
        from-zone Internet to-zone Internal {
            policy ov-access {
                match {
                    source-address any;
                    destination-address ov-server;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Intra-zone policy with SYN checking excepted, presumably for the asymmetric
           hairpin route to 192.168.11.0/24. NOTE(review): int-11-net is not defined in any
           address book in this file. */
        from-zone Internal to-zone Internal {
            policy route-11 {
                apply-groups-except require-syn-checking;
                match {
                    source-address any;
                    destination-address int-11-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): int-201-net, int-203-net and int-11-net are referenced here and in the
           reverse policy but never defined; only int-200-net exists in the Internal address book. */
        from-zone vpn to-zone Internal {
            policy hyd-corp-vpn-Internal-vpn {
                match {
                    source-address [ net-cfgr_192-168-2-0--24 net-cfgr_192-168-6-0--24 net-hyd.openvpn_192-168-10-0--24 ];
                    destination-address [ int-200-net int-201-net int-203-net int-11-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone vpn {
            policy Internal-hyd-corp-vpn {
                match {
                    source-address [ int-200-net int-201-net int-203-net int-11-net ];
                    destination-address [ net-cfgr_192-168-2-0--24 net-cfgr_192-168-6-0--24 net-hyd.openvpn_192-168-10-0--24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): "us-corp-50-net" is not defined; the corp-vpn address book names it
           "corp-50-net". Same in the reverse policy below. */
        from-zone Internal to-zone corp-vpn {
            policy internal-corp-vpn {
                match {
                    source-address [ int-200-net int-11-net ];
                    destination-address us-corp-50-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone corp-vpn to-zone Internal {
            policy corp-vpn-Internal-vpn {
                match {
                    source-address us-corp-50-net;
                    destination-address [ int-200-net int-11-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address int-200-net 192.168.200.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            http;
                            https;
                        }
                    }
                }
            }
        }
        /* Internet-facing zone: screen applied; host-inbound limited to ike at zone level and
           ping/ssh/ike on ge-0/0/0.0. SSH from the whole Internet is exposed here; consider
           limiting the sources that may reach it. */
        security-zone Internet {
            address-book {
                address ov-server 6.5.4.3/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            address-book {
                address net-cfgr_192-168-2-0--24 192.168.2.0/24;
                address net-cfgr_192-168-6-0--24 192.168.6.0/24;
                address net-hyd.openvpn_192-168-10-0--24 192.168.10.0/24;
            }
            interfaces {
                st0.2;
            }
        }
        security-zone corp-vpn {
            address-book {
                address corp-50-net 192.168.50.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
}
poe {
    interface all;
}