Juniper Configuration:
I have included almost all of the config, with the IP addresses blotted out:
/* Junos 11.2 is a 2011-era release train; confirm its current support status and check vendor advisories for this version before reusing this config as a template */
version 11.2R2.4;
system {
    host-name EMS-SRX210;
    time-zone Europe/London;
    root-authentication {
        /* $1$ prefix denotes an MD5-crypt hash; no login/user stanza appears in the posted config, so root may be the only account - confirm, and check whether this release offers a stronger hash format */
        encrypted-password "$1$g3Ouhssd$uDxjee23kwzdXYmdufZre."; ## SECRET-DATA
    }
    services {
        ssh;
        /* telnet and xnm-clear-text carry credentials and commands in cleartext; remove them unless a dependency is confirmed. No ssh hardening (e.g. root-login deny) or login retry/lockout options are shown */
        telnet {
            connection-limit 3;
            rate-limit 3;
        }
        xnm-clear-text;
        web-management {
            http {
                /* cleartext web UI bound to ge-0/0/0.0 (zone expo) and fe-0/0/2.0 (zone DMZ); vlan.0 is not defined under interfaces in the posted config */
                interface [ vlan.0 ge-0/0/0.0 fe-0/0/2.0 ge-0/0/1.0 ];
            }
            https {
                system-generated-certificate;
                /* at-1/0/0.0 is the DSL uplink in zone internet, and that zone permits https host-inbound on it, so the web UI is reachable from any Internet source. ge-0/0/0.1 is also in zone internet but its host-inbound list has no https, so that binding appears to be blocked by the zone - verify */
                interface [ vlan.0 ge-0/0/0.0 ge-0/0/0.1 at-1/0/0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 10;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* RT_FLOW session logs; world-readable lets every local account read internal addresses and ports */
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k files 10 world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* tagged uplink: unit 0 (vlan 2002) is zone expo, unit 1 (vlan 883) is the 31.x public /31 in zone internet */
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 2002;
            family inet {
                address 172.30.2.100/25;
            }
        }
        unit 1 {
            vlan-id 883;
            family inet {
                address 31.xx.xx.xx/31;
            }
        }
    }
    /* inside LAN (zone trust); daisy-internet is the policy-routing filter that steers selected hosts into routing instance daisy-route */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input daisy-internet;
                }
                address 10.10.0.1/16;
            }
        }
    }
    /* DMZ segment (zone DMZ) */
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 172.30.2.129/29;
            }
        }
    }
    /* replication segment (zone iScsi) */
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 172.16.1.254/24;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    /* public /29 (zone internet): NAT, proxy-arp and both IKE gateways sit here. No input filter is applied, so source restriction of ssh/ike/ping host-inbound services relies solely on the zone configuration */
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 62.xx.xx.xx/29;
            }
        }
    }
    /* DSL uplink (zone internet); CHAP secret is stored obfuscated ($9$), not hashed, so treat the config file as sensitive */
    at-1/0/0 {
        description Expo-E;
        mtu 1492;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation atm-ppp-vc-mux;
            vci 0.38;
            ppp-options {
                chap {
                    default-chap-secret "$9$un7eOhSWLx7dwMWGDjkPfFn/"; ## SECRET-DATA
                    local-name "DSL021706@expo-e";
                    passive;
                }
            }
            family inet {
                negotiate-address;
            }
        }
    }
    /* st0.1 is placed in zone internet with protocols all, but no vpn in the posted config binds to it (both VPNs are policy-based) - looks unused, confirm and remove */
    st0 {
        unit 1 {
            family inet;
            family inet6;
        }
    }
}
routing-options {
    /* share interface routes with the daisy-route forwarding instance so policy-routed traffic can still reach local subnets */
    interface-routes {
        rib-group inet daisy-route;
    }
    static {
        route 192.168.0.0/16 next-hop 172.30.2.130;
        /* default route: lowest preference wins, so fe-0/0/7.0 (pref 50) is primary, ge-0/0/0.1 (pref 170) secondary and the DSL link (pref 200) last */
        route 0.0.0.0/0 {
            next-hop at-1/0/0.0;
            qualified-next-hop 62.xx.xx.xx {
                preference 50;
                metric 50;
                interface fe-0/0/7.0;
            }
            qualified-next-hop 31.xx.xx.xx {
                preference 170;
                metric 170;
                interface ge-0/0/0.1;
            }
            metric 200;
            preference 200;
        }
        /* the /29 advertised by BGPconnected is routed to an internal hop */
        route 31.xx.xx.xx/29 next-hop 10.10.99.99;
    }
    rib-groups {
        daisy-route {
            import-rib [ inet.0 daisy-route.inet.0 ];
        }
    }
    router-id 31.xx.xx.xx;
    autonomous-system 6xxxx;
}
protocols {
    /* BGP is disabled, so the Expo-E session and the BGPconnected export policy are currently inactive */
    bgp {
        disable;
        group session-to-Expo-E {
            type external;
            export BGPconnected;
            peer-as 2xxxx;
            neighbor 31.xx.xx.xx;
        }
    }
    stp;
}
policy-options {
    prefix-list BGPSubnets {
        31.xx.xx.xx/29;
    }
    /* BGP export: announce only the public /29; anything else falls through to the default BGP export behaviour (no explicit reject term) */
    policy-statement BGPconnected {
        term public-ip {
            from {
                prefix-list BGPSubnets;
            }
            then accept;
        }
    }
}
security {
ike {
    /* both proposals use DH group2 (1024-bit MODP) and SHA-1 with pre-shared keys; these are below current guidance - move to a 2048-bit group and SHA-2 where this release and the peers support them */
    proposal HHCL {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    proposal ATLAS {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    /* pre-shared keys are stored obfuscated ($9$), not hashed; anyone with the config file can recover them */
    policy HHCL {
        mode main;
        proposals HHCL;
        pre-shared-key ascii-text "$9$XKj7bsYgJZUibs3/AtOBxN-w4aDiqz3/QFn9tuIRVwY4aUF3/CuBCAIc"; ## SECRET-DATA
    }
    policy ike-policy-cfgr {
        mode main;
        proposals ATLAS;
        pre-shared-key ascii-text "$9$iqmT/CtBIh0Ox-dVY2JZUHfz/CtOBR9CIc"; ## SECRET-DATA
    }
    /* both gateways terminate on fe-0/0/7.0, which is why zone internet allows ike host-inbound there */
    gateway HHCL {
        ike-policy HHCL;
        address 46.xx.xx.xx;
        local-identity inet 62.xx.xx.xx;
        external-interface fe-0/0/7.0;
    }
    gateway ATLAS {
        ike-policy ike-policy-cfgr;
        address 212.xx.xx.xx;
        local-identity inet 62.xx.xx.xx;
        external-interface fe-0/0/7.0;
    }
}
ipsec {
    proposal HHCL {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    proposal ATLAS {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
        lifetime-kilobytes 4608000;
    }
    policy HHCL {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals HHCL;
    }
    /* unlike policy HHCL, this policy has no perfect-forward-secrecy, so a compromised IKE key exposes all ATLAS phase-2 traffic; enable PFS if the peer supports it */
    policy ipsec-policy-cfgr {
        proposals ATLAS;
    }
    /* policy-based VPNs (no bind-interface); the tunnel is selected by the from-zone iScsi/internet policies HHCL-Replication and HHCL-Replication-In */
    vpn HHCL {
        ike {
            gateway HHCL;
            proxy-identity {
                local 172.16.1.0/24;
                remote 172.17.203.0/24;
                service any;
            }
            ipsec-policy HHCL;
        }
        establish-tunnels immediately;
    }
    /* selected by the vpnpolicy-*-cfgr pair policies between zones trust and internet */
    vpn ATLAS {
        ike {
            gateway ATLAS;
            proxy-identity {
                local 10.10.0.0/16;
                remote 10.128.0.128/26;
                service any;
            }
            ipsec-policy ipsec-policy-cfgr;
        }
        establish-tunnels immediately;
    }
}
flow {
    /* deactivated debugging trace for one host pair; harmless while inactive, but delete it once troubleshooting is finished */
    inactive: traceoptions {
        file flowbasic;
        flag basic-datapath;
        packet-filter DellEQ {
            source-prefix 172.30.2.5/32;
            destination-prefix 172.16.1.2/32;
        }
    }
}
screen {
    /* this screen is bound only to zone untrust, which has no interfaces in the posted config; zones internet, internet2 and expo have no screen, so none of these protections is active on a real interface - bind it to the Internet-facing zones */
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                timeout 20;
            }
            land;
        }
    }
}
nat {
source {
    /* not referenced by any rule in the posted config - confirm and remove */
    pool src-nat-public-ip {
        address {
            31.xx.xx.xx/32;
        }
    }
    /* used by rule-set trust-to-internet2 for policy-routed (daisy-route) traffic */
    pool src-nat-daisy-internet {
        address {
            62.xx.xx.xx/32;
        }
    }
    rule-set trust-to-internet {
        from zone trust;
        to zone internet;
        /* rule order matters: the VPN exemption must stay ahead of the catch-all interface-NAT rule or ATLAS traffic would be translated */
        rule atlasvpn-source-nat-rule {
            match {
                source-address 10.10.0.0/16;
                destination-address 10.128.0.128/26;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    /* zone internet2 has no interface assigned in the posted zones stanza, so this rule-set appears inactive unless that is in the omitted part */
    rule-set trust-to-internet2 {
        from zone trust;
        to zone internet2;
        rule source-nat-internet2 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-daisy-internet;
                    }
                }
            }
        }
    }
    /* keeps HHCL replication traffic untranslated so it matches the VPN proxy-identity */
    rule-set iScsi-to-internet {
        from zone [ iScsi internet ];
        to zone internet;
        rule hhcl-source-nat-rule {
            match {
                source-address 172.16.1.0/24;
                destination-address 172.17.203.0/24;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
    }
}
destination {
    pool MAIL {
        address 10.10.1.109/32;
    }
    pool TS {
        address 10.10.1.50/32;
    }
    pool SERVER {
        address 10.10.1.30/32;
    }
    pool SERVER-2 {
        address 10.10.6.1/32;
    }
    pool NIMSOFT {
        address 10.10.1.117/32;
    }
    /* 10.10.1.106 is EMS-DC2 in the trust address book; this publishes RDP on that host via public port 3390 */
    pool DC {
        address 10.10.1.106/32 port 3389;
    }
    pool CITRIX-1 {
        address 10.10.1.110/32;
    }
    pool CRM01 {
        address 10.10.1.126/32 port 443;
    }
    pool CRM02 {
        address 10.10.1.127/32 port 443;
    }
    pool DCR02 {
        address 10.10.1.106/32 port 444;
    }
    /* no rule in the posted config references this pool; CCTV is published by static NAT instead */
    pool CCTV {
        address 10.10.0.50/32;
    }
    /* first match wins: internet-owa, internet-crm01 and internet-crm02 all match port 443, so if any two of the (blotted) public addresses are the same, the later rule is shadowed - verify the addresses are distinct */
    rule-set internet_inbound {
        from zone internet;
        rule internet-mail {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 25;
            }
            then {
                destination-nat pool MAIL;
            }
        }
        rule internet-owa {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 443;
            }
            then {
                destination-nat pool MAIL;
            }
        }
        rule internet-ts {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 3389;
            }
            then {
                destination-nat pool TS;
            }
        }
        rule internet-dc {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 3390;
            }
            then {
                destination-nat pool DC;
            }
        }
        rule internet-server {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 2001;
            }
            then {
                destination-nat pool SERVER;
            }
        }
        rule internet-server2 {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 5000;
            }
            then {
                destination-nat pool SERVER-2;
            }
        }
        rule internet-nimsoft {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 48003;
            }
            then {
                destination-nat pool NIMSOFT;
            }
        }
        rule internet-crm01 {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 443;
            }
            then {
                destination-nat pool CRM01;
            }
        }
        rule internet-crm02 {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 443;
            }
            then {
                destination-nat pool CRM02;
            }
        }
        rule SSLVPN {
            match {
                source-address 0.0.0.0/0;
                destination-address 62.xx.xx.xx/32;
                destination-port 444;
            }
            then {
                destination-nat pool DCR02;
            }
        }
    }
}
static {
    /* 1:1 mapping of 10.10.0.2 to the IVE in the DMZ for inside hosts; proxy-arp on ge-0/0/1.0 answers for 10.10.0.2 */
    rule-set trust-juniper-static {
        from zone trust;
        rule JuniperTrust {
            match {
                destination-address 10.10.0.2/32;
            }
            then {
                static-nat prefix 172.30.2.130/32;
            }
        }
    }
    /* static NAT exposes every port of the mapped hosts; actual exposure is then bounded only by the security policies (ive-inbound, inbound-cctv) */
    rule-set internet-static {
        from zone internet;
        rule JuniperIVE {
            match {
                destination-address 62.xx.xx.xx/32;
            }
            then {
                static-nat prefix 172.30.2.130/32;
            }
        }
        rule CCTV {
            match {
                destination-address 62.xx.xx.xx/32;
            }
            then {
                static-nat prefix 10.10.0.50/32;
            }
        }
    }
}
proxy-arp {
    /* required so the SRX answers ARP for NAT addresses that are not its own interface address */
    interface ge-0/0/1.0 {
        address {
            10.10.0.2/32;
        }
    }
    interface fe-0/0/7.0 {
        address {
            62.xx.xx.xx/32;
            62.xx.xx.xx/32;
            62.xx.xx.xx/32;
            62.xx.xx.xx/32;
        }
    }
}
}
policies {
/* any/any/any permit from the replication segment towards expo; if only the HHCL replication hosts need this, scope it to hhcl_local and the required ports */
from-zone iScsi to-zone expo {
    policy iScsi-replication {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
            count;
        }
    }
}
/* any/any/any permit into the replication segment from expo (ge-0/0/0.0); tighten to the known replication peers if expo is a provider-facing network */
from-zone expo to-zone iScsi {
    policy iScsi-inbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
/* Internet to the IVE (SSL VPN appliance); junos-http is cleartext - keep it only if the appliance merely redirects to https */
from-zone internet to-zone DMZ {
    policy ive-inbound {
        match {
            source-address any;
            destination-address JuniperIVE;
            application [ junos-https junos-http ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
/* any/any/any permit from expo into the DMZ; no reverse DMZ-to-expo policy is shown */
from-zone expo to-zone DMZ {
    policy expo-inbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
/* what the Internet-facing IVE may reach inside; the IVE is the pivot point if compromised, so these should be as narrow as the Deny_Internet_Trust side */
from-zone DMZ to-zone trust {
    policy IVE-to-TS {
        match {
            source-address JuniperIVE;
            destination-address EMS-TS;
            application RDP-3389;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* application any although an application-set CITRIX-PORTS (8080/1494/2598) is defined; the three sources also equal address-set Juniper-NC */
    policy IVE-to-CITRIX {
        match {
            source-address [ JuniperIVE NC-Client1 NC-NAT-IP ];
            destination-address [ CITRIX CITRIX-1 CITRIX-2 ];
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
    /* full access from the IVE to both domain controllers; restrict to the authentication protocols the appliance actually needs */
    policy IVE-to-DCs {
        match {
            source-address JuniperIVE;
            destination-address EMS-DCs;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy OWA {
        match {
            source-address JuniperIVE;
            destination-address EMS-MAIL;
            application junos-https;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
/* unrestricted and unlogged access from the LAN into the DMZ */
from-zone trust to-zone DMZ {
    policy trust-to-DMZ {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
/* inbound Internet exposure of the LAN; policies match on the post-NAT (internal) address and port */
from-zone internet to-zone trust {
    /* source-restricted to the MAIL address-set: a good pattern that the RDP policies below do not follow */
    policy inbound-mail {
        match {
            source-address MAIL;
            destination-address EMS-MAIL;
            application junos-smtp;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-2001 {
        match {
            source-address any;
            destination-address 10.10.1.30;
            application TCP-2001;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* RDP to the terminal server from any Internet source; restrict source-address or publish it through the IVE instead */
    policy inbound-ts {
        match {
            source-address any;
            destination-address EMS-TS;
            application RDP-3389;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* RDP from any Internet source to EMS-DC2 (a domain controller by name, via NAT pool DC on public port 3390); this is the highest-risk rule in the set - remove it or restrict source-address */
    policy inbound-ts2 {
        match {
            source-address any;
            destination-address EMS-DC2;
            application RDP-3389;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-nimsoft {
        match {
            source-address ACORA;
            destination-address NIMSOFT;
            application NIMSOFT;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-cctv {
        match {
            source-address CCTV;
            destination-address CCTV;
            application CCTV-PORTS;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-5000 {
        match {
            source-address 88.xx.xx.xx;
            destination-address 10.10.6.1;
            application TCP-5000;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-owa {
        match {
            source-address any;
            destination-address EMS-MAIL;
            application junos-https;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-crm {
        match {
            source-address any;
            destination-address EMS-CRM;
            application junos-https;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* TCP/444 from any source to the domain controller EMS-DC2 (NAT pool DCR02); confirm what service listens there */
    policy SSLVPN {
        match {
            source-address any;
            destination-address EMS-DC2;
            application TCP-444;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy vpnpolicy-internet-trust-cfgr {
        match {
            source-address net-cfgr_10-128-0-128--26;
            destination-address net-cfgr_10-10-0-0--16;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ATLAS;
                    pair-policy vpnpolicy-trust-internet-cfgr;
                }
            }
        }
    }
    /* explicit logged deny; good - keep it last */
    policy Deny_Internet_Trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
/* reject (not deny) sends an ICMP/TCP reset to the sender; unlike Deny_Internet_Trust this one is not logged */
from-zone internet to-zone expo {
    policy Deny_Internet_Expo {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            reject;
        }
    }
}
/* egress: the logged DNS/Facebook and MSN-deny policies must precede the catch-all outbound-internet, which they do */
from-zone trust to-zone internet {
    policy outbound-dns {
        match {
            source-address INTERNAL;
            destination-address any;
            application [ junos-dns-udp junos-dns-tcp ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy outbound-facebook {
        match {
            source-address INTERNAL;
            destination-address FACEBOOK;
            application [ junos-http junos-https ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy outbound-msn-deny {
        match {
            source-address INTERNAL;
            destination-address any;
            application MSN-PORTS;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
    policy vpnpolicy-trust-internet-cfgr {
        match {
            source-address net-cfgr_10-10-0-0--16;
            destination-address net-cfgr_10-128-0-128--26;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ATLAS;
                    pair-policy vpnpolicy-internet-trust-cfgr;
                }
            }
        }
    }
    /* unrestricted, unlogged egress for the whole LAN; at minimum add session-close logging for incident reconstruction */
    policy outbound-internet {
        match {
            source-address INTERNAL;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
/* outbound leg of the HHCL policy-based VPN; source NAT is switched off for this pair by rule hhcl-source-nat-rule */
from-zone iScsi to-zone internet {
    policy HHCL-Replication {
        match {
            source-address hhcl_local;
            destination-address hhcl_remote;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn HHCL;
                }
            }
        }
    }
}
/* inbound leg of the HHCL VPN; only decrypted tunnel traffic can match because the tunnel action is required */
from-zone internet to-zone iScsi {
    policy HHCL-Replication-In {
        match {
            source-address hhcl_remote;
            destination-address hhcl_local;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn HHCL;
                }
            }
        }
    }
}
/* zone internet2 has no interface assigned in the posted zones stanza, so this policy appears inactive unless the omitted config adds one */
from-zone trust to-zone internet2 {
    policy outbound-internet2 {
        match {
            source-address INTERNAL;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
/* same caveat as trust-to-internet2: no interface is in zone internet2 in the posted config; note inbound-sslvpn would expose https on the domain controller EMS-DC2 from any source */
from-zone internet2 to-zone trust {
    policy inbound-exchange {
        match {
            source-address any;
            destination-address EMS-MAIL;
            application junos-https;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy inbound-sslvpn {
        match {
            source-address any;
            destination-address EMS-DC2;
            application junos-https;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}
}
zones {
security-zone trust {
    address-book {
        address EMS-TS 10.10.1.50/32;
        address CITRIX-1 10.10.1.110/32;
        address CITRIX-2 10.10.1.111/32;
        address EMS-DC1 10.10.1.105/32;
        address EMS-DC2 10.10.1.106/32;
        address EMS-MAIL 10.10.1.109/32;
        address 10.10.1.30 10.10.1.30/32;
        address NIMSOFT 10.10.1.117/32;
        address 10.10.6.1 10.10.6.1/32;
        address CCTV 10.10.0.50/32;
        /* INTERNAL and net-cfgr_10-10-0-0--16 are the same prefix under two names */
        address INTERNAL 10.10.0.0/16;
        address EMS-CRM01 10.10.1.126/32;
        address EMS-CRM02 10.10.1.127/32;
        address net-cfgr_10-10-0-0--16 10.10.0.0/16;
        address-set CITRIX {
            address CITRIX-1;
            address CITRIX-2;
        }
        address-set EMS-DCs {
            address EMS-DC1;
            address EMS-DC2;
        }
        address-set EMS-CRM {
            address EMS-CRM01;
            address EMS-CRM02;
        }
    }
    /* every device service (including telnet, http, xnm-clear-text) is reachable from the whole LAN; the per-interface repeat below is redundant with the zone level */
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
/* no interfaces: the only zone carrying the screen is empty, so the screen is effectively unused (see ids-option untrust-screen) */
security-zone untrust {
    screen untrust-screen;
}
/* ge-0/0/0.0 carries the Expo-E VLAN and has the http web UI bound to it; all services/protocols open here is only appropriate if expo is a fully trusted network - confirm */
security-zone expo {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
/* no screen attached to this Internet-facing zone (untrust-screen sits on the empty zone untrust) */
security-zone internet {
    address-book {
        address Juniper-ive 62.xx.xx.xx/32;
        address MAIL-1 217.xx.xx.xx/32;
        address MAIL-2 86.xx.xx.xx/21;
        address MAIL-3 116.xx.xx.xx/21;
        address MAIL-4 208.xx.xx.xx/21;
        address FACEBOOK-1 204.xx.xx.xx/22;
        address FACEBOOK-2 69.xx.xx.xx/20;
        address FACEBOOK-3 66.xx.xx.xx/20;
        address ACORA 211.xx.xx.xx/32;
        address 88.xx.xx.xx 88.xx.xx.xx/32;
        address CCTV-1 81.xx.xx.xx/32;
        address CCTV-2 81.xx.xx.xx/32;
        address CCTV-3 81.xx.xx.xx/29;
        address MAIL-5 85.xx.xx.xx/19;
        address MAIL-6 103.xx.xx.xx/22;
        address MAIL-7 177.xx.xx.xx/22;
        address CCTV-MONITORSTATION-1 194.xx.xx.xx/32;
        address CCTV-MONITORSTATION-2 82.xx.xx.xx/32;
        address CCTV-4 81.xx.xx.xx/32;
        /* a /27 of the HHCL VPN peer is also granted CCTV access through address-set CCTV - verify that is intended */
        address HHCL 195.xx.xx.xx/27;
        /* not referenced by any policy in the posted config */
        address net-cfgr_10-129-2-0--25 10.129.2.0/25;
        address net-cfgr_10-128-0-128--26 10.128.0.128/26;
        address hhcl_remote 172.17.203.0/24;
        address-set MAIL {
            address MAIL-1;
            address MAIL-2;
            address MAIL-3;
            address MAIL-4;
            address MAIL-5;
            address MAIL-6;
            address MAIL-7;
        }
        address-set FACEBOOK {
            address FACEBOOK-1;
            address FACEBOOK-2;
            address FACEBOOK-3;
        }
        address-set CCTV {
            address CCTV-1;
            address CCTV-2;
            address CCTV-3;
            address CCTV-MONITORSTATION-1;
            address CCTV-MONITORSTATION-2;
            address CCTV-4;
            address HHCL;
        }
    }
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
    }
    /* the per-interface lists below apply to those interfaces: ssh on fe-0/0/7.0 and https on at-1/0/0.0 are open to any Internet source, as no input filter or login restriction is shown - limit them with a firewall filter or take management off these interfaces */
    interfaces {
        ge-0/0/0.1 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
        }
        at-1/0/0.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ping;
                }
            }
        }
        /* st0.1 is not bound by any vpn in the posted config; protocols all here appears unused */
        st0.1 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
        fe-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ssh;
                }
            }
        }
    }
}
/* replication segment; all device services open to it, and expo may reach it any/any via policy iScsi-inbound */
security-zone iScsi {
    address-book {
        address hhcl_local 172.16.1.0/24;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        fe-0/0/3.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
/* hosts the Internet-reachable IVE; all device services (telnet, http, xnm-clear-text, ssh) are open from this zone, so a compromised DMZ host can manage the firewall - reduce to ping (and ssh only if needed) */
security-zone DMZ {
    address-book {
        address JuniperIVE 172.30.2.130/32;
        address NC-Client1 192.168.200.0/24;
        address NC-NAT-IP 10.200.200.200/32;
        /* defined but policy IVE-to-CITRIX lists the three members individually */
        address-set Juniper-NC {
            address JuniperIVE;
            address NC-Client1;
            address NC-NAT-IP;
        }
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        fe-0/0/2.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
/* no interfaces assigned, so the internet2 policies and NAT rule-set cannot match unless the omitted config adds one */
security-zone internet2 {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
    }
}
}
}
firewall {
    family inet {
        /* policy routing: listed LAN sources are forwarded via routing instance daisy-route; term 1 accepts everything else (a filter without it would discard all other traffic) */
        filter daisy-internet {
            term 0 {
                from {
                    source-address {
                        10.10.1.107/32;
                        10.10.1.106/32;
                        /* 10.10.10.44 and 10.10.10.59 are already covered by 10.10.10.0/24 below */
                        10.10.10.44/32;
                        10.10.10.59/32;
                        10.10.10.0/24;
                        10.10.0.50/32;
                    }
                }
                then {
                    routing-instance daisy-route;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
}
routing-instances {
    /* forwarding-only instance fed by filter daisy-internet; its own default points at a 62.x next hop, while the NAT pool src-nat-daisy-internet and zone internet2 seem intended for this path - verify the chain end to end since internet2 has no interface in the posted config */
    daisy-route {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 62.xx.xx.xx;
            }
        }
    }
}
applications {
    application RDP-3389 {
        protocol tcp;
        destination-port 3389;
    }
    application XML-8080 {
        protocol tcp;
        destination-port 8080;
    }
    application XML-1494 {
        protocol tcp;
        destination-port 1494;
    }
    application XML-2598 {
        protocol tcp;
        destination-port 2598;
    }
    application UDP-1863 {
        protocol udp;
        destination-port 1863;
    }
    application UDP-5190 {
        protocol udp;
        destination-port 5190;
    }
    /* name says 6891-6900 but the range is 6800-6900; it is used in the MSN-PORTS deny set, so the wider range denies more than the name suggests - align name and range */
    application TCP-6891-6900 {
        protocol tcp;
        destination-port 6800-6900;
    }
    application UDP-6901 {
        protocol udp;
        destination-port 6901;
    }
    application TCP-1863 {
        protocol tcp;
        destination-port 1863;
    }
    application TCP-2001 {
        protocol tcp;
        destination-port 2001;
    }
    application TCP-444 {
        protocol tcp;
        destination-port 444;
    }
    /* RDP-3390 and NEWSMTP are not referenced by any policy in the posted config */
    application RDP-3390 {
        protocol tcp;
        destination-port 3390;
    }
    application NIMSOFT {
        protocol tcp;
        destination-port 48003;
    }
    application TCP-5000 {
        protocol tcp;
        destination-port 5000;
    }
    application TCP-15000-15007 {
        protocol tcp;
        destination-port 15000-15007;
    }
    application UDP-15000-15200 {
        protocol udp;
        destination-port 15000-15200;
    }
    application NEWSMTP {
        protocol tcp;
        destination-port 587;
    }
    /* defined but unused: policy IVE-to-CITRIX matches application any instead of this set */
    application-set CITRIX-PORTS {
        application XML-8080;
        application XML-1494;
        application XML-2598;
    }
    application-set MSN-PORTS {
        application UDP-1863;
        application UDP-5190;
        application TCP-6891-6900;
        application UDP-6901;
        application TCP-1863;
    }
    application-set CCTV-PORTS {
        application TCP-15000-15007;
        application UDP-15000-15200;
    }
}