Juniper Configuration:
I have included almost all of the config, with the IPs redacted:
/* NOTE(review): Junos 11.2R2.4 is an old release train; confirm its support and security-advisory status before treating this config as a baseline. */
version 11.2R2.4;
system {
    host-name EMS-SRX210;
    time-zone Europe/London;
    root-authentication {
        /* "$1$" is an MD5-crypt hash; prefer the strongest password-hash format this release supports, and rotate the root password now that the hash has been posted publicly. */
        encrypted-password "$1$g3Ouhssd$uDxjee23kwzdXYmdufZre."; ## SECRET-DATA
    }
    services {
        /* ssh has no sub-options, so root login, protocol version and connection/rate limits are at their defaults -- unlike telnet below it is not rate-limited. NOTE(review): consider root-login deny, protocol-version v2 and connection-limit/rate-limit if supported on this release. */
        ssh;
        /* Telnet carries credentials in cleartext; the limits below cap concurrency, not exposure. Keep only if a documented dependency needs it, otherwise remove. */
        telnet {
            connection-limit 3;
            rate-limit 3;
        }
        /* Cleartext JUNOScript/XML management API; xnm-ssl is the TLS-protected equivalent. */
        xnm-clear-text;
        web-management {
            /* Cleartext J-Web on vlan.0, the 172.30.2.x transit interfaces and the 10.10.0.0/16 LAN gateway (see interfaces). vlan.0 is referenced here but no vlan interface appears in the posted interfaces stanza. */
            http {
                interface [ vlan.0 ge-0/0/0.0 fe-0/0/2.0 ge-0/0/1.0 ];
            }
            /* HTTPS J-Web is also bound to ge-0/0/0.1 (the 31.xx /31 uplink) and at-1/0/0.0 (the DSL uplink). Whether it is reachable from outside depends on the zone host-inbound-traffic settings, which are not in the posted config. The system-generated certificate is self-signed, so admin browsers cannot authenticate the device. */
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ge-0/0/0.1 at-1/0/0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 10;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* Login/authorization events go to messages; no remote syslog host is configured in this excerpt, so logs exist only on the device. */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* Session log (RT_FLOW) in structured form; world-readable lets any local account read it. */
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k files 10 world-readable;
            structured-data;
        }
    }
    /* Up to 49 rollback copies stay on flash; each contains the same SECRET-DATA fields as the active config. */
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        /* unit 0: 172.30.2.0/25 transit/management segment (also a J-Web HTTP listener under system services). */
        unit 0 {
            vlan-id 2002;
            family inet {
                address 172.30.2.100/25;
            }
        }
        /* unit 1: public /31 uplink; routing-options uses a 31.xx address on this unit as a qualified default next hop, and the (disabled) BGP group peers with a 31.xx neighbour. */
        unit 1 {
            vlan-id 883;
            family inet {
                address 31.xx.xx.xx/31;
            }
        }
    }
    /* Inside LAN gateway for 10.10.0.0/16. daisy-internet is the only interface filter applied in this excerpt and its terms are not posted; confirm what it permits. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input daisy-internet;
                }
                address 10.10.0.1/16;
            }
        }
    }
    /* 172.30.2.128/29 link; 172.30.2.130 on it is the static-NAT target named JuniperIVE and the next hop for 192.168.0.0/16 (routing-options). */
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 172.30.2.129/29;
            }
        }
    }
    /* 172.16.1.0/24 segment; it is the local proxy-identity of vpn HHCL and the source in the hhcl source-NAT exemption -- presumably zone iScsi, confirm. */
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 172.16.1.254/24;
            }
        }
    }
    /* Switched ports; their VLAN membership is not in the posted config. */
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    /* Public /29 uplink: external interface for both IKE gateways, target of the destination/static NAT rules, and the preferred default-route exit (preference 50 in routing-options). */
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 62.xx.xx.xx/29;
            }
        }
    }
    /* ADSL uplink (PPP over ATM). The CHAP secret is stored in $9$ form, which is reversible obfuscation rather than a hash; as this config has been posted, treat the ISP credential as disclosed and rotate it. */
    at-1/0/0 {
        description Expo-E;
        mtu 1492;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation atm-ppp-vc-mux;
            vci 0.38;
            ppp-options {
                chap {
                    default-chap-secret "$9$un7eOhSWLx7dwMWGDjkPfFn/"; ## SECRET-DATA
                    local-name "DSL021706@expo-e";
                    passive;
                }
            }
            family inet {
                negotiate-address;
            }
        }
    }
    /* Secure-tunnel interface; neither vpn in the posted security stanza binds it (no bind-interface), so st0.1 appears unused -- both VPNs are policy-based via proxy-identity. */
    st0 {
        unit 1 {
            family inet;
            family inet6;
        }
    }
}
routing-options {
    /* Interface routes are copied into daisy-route.inet.0 as well as inet.0; the routing instance that owns daisy-route.inet.0 is not in the posted excerpt. The static routes below are not part of the rib-group. */
    interface-routes {
        rib-group inet daisy-route;
    }
    static {
        /* 192.168.0.0/16 sits behind the 172.30.2.130 host on fe-0/0/2 (the JuniperIVE static-NAT target). */
        route 192.168.0.0/16 next-hop 172.30.2.130;
        /* Default route with three exits ordered by preference (lower wins): 62.xx via fe-0/0/7.0 (50), then 31.xx via ge-0/0/0.1 (170), then the DSL link at-1/0/0.0 (200, from the route-level preference/metric). */
        route 0.0.0.0/0 {
            next-hop at-1/0/0.0;
            qualified-next-hop 62.xx.xx.xx {
                preference 50;
                metric 50;
                interface fe-0/0/7.0;
            }
            qualified-next-hop 31.xx.xx.xx {
                preference 170;
                metric 170;
                interface ge-0/0/0.1;
            }
            metric 200;
            preference 200;
        }
        /* A public /29 is routed to an internal 10.10.99.99 host. If this is the /29 in prefix-list BGPSubnets, the block BGPconnected would advertise lives behind a LAN address -- confirm that host exists and this is intended. */
        route 31.xx.xx.xx/29 next-hop 10.10.99.99;
    }
    rib-groups {
        daisy-route {
            import-rib [ inet.0 daisy-route.inet.0 ];
        }
    }
    router-id 31.xx.xx.xx;
    autonomous-system 6xxxx;
}
protocols {
    /* The whole bgp stanza is disabled, so the Expo-E eBGP session, its BGPconnected export and the 31.xx neighbour are inactive; the public /29 is reachable only via whatever the upstream routes statically. Remove the stanza or document why it is kept. */
    bgp {
        disable;
        group session-to-Expo-E {
            type external;
            export BGPconnected;
            peer-as 2xxxx;
            neighbor 31.xx.xx.xx;
        }
    }
    /* Spanning tree for the ethernet-switching ports (fe-0/0/4 to fe-0/0/6). */
    stp;
}
policy-options {
    /* The public block BGPconnected would advertise; a prefix-list in a from clause matches this prefix exactly, not longer prefixes within it. */
    prefix-list BGPSubnets {
        31.xx.xx.xx/29;
    }
    /* Export policy for the (currently disabled) BGP group: accepts the BGPSubnets prefix from any protocol. There is no terminal reject term, so anything unmatched falls through to the protocol's default export policy. */
    policy-statement BGPconnected {
        term public-ip {
            from {
                prefix-list BGPSubnets;
            }
            then accept;
        }
    }
}
/* Zones and security policies are not in the posted config; every "who can reach what" question below (J-Web reachability, the NAT-exposed hosts, VPN traffic) is ultimately decided there, so review them alongside this stanza. */
security {
    ike {
        /* Both proposals use pre-shared keys, DH group2 (1024-bit MODP) and SHA-1, which is below current guidance. NOTE(review): move to group14 or stronger and SHA-2 where both peers and this release support it. */
        proposal HHCL {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        proposal ATLAS {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        /* Pre-shared keys are stored in $9$ form, which is reversible obfuscation rather than a hash; as this config has been posted, both PSKs should be rotated together with the peers. */
        policy HHCL {
            mode main;
            proposals HHCL;
            pre-shared-key ascii-text "$9$XKj7bsYgJZUibs3/AtOBxN-w4aDiqz3/QFn9tuIRVwY4aUF3/CuBCAIc"; ## SECRET-DATA
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ATLAS;
            pre-shared-key ascii-text "$9$iqmT/CtBIh0Ox-dVY2JZUHfz/CtOBR9CIc"; ## SECRET-DATA
        }
        /* Both gateways terminate on the fe-0/0/7.0 public address and identify the peer by its address. */
        gateway HHCL {
            ike-policy HHCL;
            address 46.xx.xx.xx;
            local-identity inet 62.xx.xx.xx;
            external-interface fe-0/0/7.0;
        }
        gateway ATLAS {
            ike-policy ike-policy-cfgr;
            address 212.xx.xx.xx;
            local-identity inet 62.xx.xx.xx;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        /* ESP with HMAC-SHA1-96 and AES-256-CBC; ATLAS additionally rekeys on volume (lifetime-kilobytes). */
        proposal HHCL {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        proposal ATLAS {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
            lifetime-kilobytes 4608000;
        }
        /* HHCL enables PFS (group2); ipsec-policy-cfgr below does not, so the ATLAS child-SA keys derive from the IKE SA material and a compromise of that SA exposes every Phase-2 key within its lifetime. */
        policy HHCL {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals HHCL;
        }
        policy ipsec-policy-cfgr {
            proposals ATLAS;
        }
        /* Policy-based VPN (proxy-identity, service any); no bind-interface, so st0.1 is not used. The 172.16.1.0/24 -> 172.17.203.0/24 selector is mirrored by the hhcl-source-nat-rule exemption so the inner addresses survive NAT. */
        vpn HHCL {
            ike {
                gateway HHCL;
                proxy-identity {
                    local 172.16.1.0/24;
                    remote 172.17.203.0/24;
                    service any;
                }
                ipsec-policy HHCL;
            }
            establish-tunnels immediately;
        }
        /* Same pattern; its 10.10.0.0/16 -> 10.128.0.128/26 selector is mirrored by atlasvpn-source-nat-rule. establish-tunnels immediately brings the tunnel up without waiting for traffic. */
        vpn ATLAS {
            ike {
                gateway ATLAS;
                proxy-identity {
                    local 10.10.0.0/16;
                    remote 10.128.0.128/26;
                    service any;
                }
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        /* Deactivated packet trace for 172.30.2.5 -> 172.16.1.2; if re-activated it writes datapath traces to file flowbasic. Delete it rather than leaving it inactive once troubleshooting is over. */
        inactive: traceoptions {
            file flowbasic;
            flag basic-datapath;
            packet-filter DellEQ {
                source-prefix 172.30.2.5/32;
                destination-prefix 172.16.1.2/32;
            }
        }
    }
    screen {
        /* Screen profile; where it is applied (the zone's screen statement) is not in the posted config. It covers ping-of-death, source-route, teardrop, SYN flood and LAND only. NOTE(review): consider adding ip spoofing, icmp flood and udp flood checks. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Pool holding the 31.xx address; no source rule in this excerpt references it (rules use interface NAT or src-nat-daisy-internet), so it looks stale. */
            pool src-nat-public-ip {
                address {
                    31.xx.xx.xx/32;
                }
            }
            pool src-nat-daisy-internet {
                address {
                    62.xx.xx.xx/32;
                }
            }
            /* trust -> internet: first exempt the ATLAS VPN selector from NAT, then hide everything else behind the egress interface address. Rules are first-match, so the exemption must stay first. */
            rule-set trust-to-internet {
                from zone trust;
                to zone internet;
                rule atlasvpn-source-nat-rule {
                    match {
                        source-address 10.10.0.0/16;
                        destination-address 10.128.0.128/26;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* trust -> internet2: hide everything behind the 62.xx pool address. Which interface sits in zone internet2 is not visible here. */
            rule-set trust-to-internet2 {
                from zone trust;
                to zone internet2;
                rule source-nat-internet2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-daisy-internet;
                            }
                        }
                    }
                }
            }
            /* Only the HHCL VPN selector is listed; other iScsi -> internet traffic matches no rule and would leave untranslated (private source address) unless policy blocks it. The "internet" entry in from-zone also covers internet -> internet; confirm both are intended. */
            rule-set iScsi-to-internet {
                from zone [ iScsi internet ];
                to zone internet;
                rule hhcl-source-nat-rule {
                    match {
                        source-address 172.16.1.0/24;
                        destination-address 172.17.203.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
        }
        destination {
            /* Per-host pools. CITRIX-1 and CCTV are not referenced by any destination rule below (CCTV is exposed via static NAT instead); DC and DCR02 both target 10.10.1.106 on different ports. */
            pool MAIL {
                address 10.10.1.109/32;
            }
            pool TS {
                address 10.10.1.50/32;
            }
            pool SERVER {
                address 10.10.1.30/32;
            }
            pool SERVER-2 {
                address 10.10.6.1/32;
            }
            pool NIMSOFT {
                address 10.10.1.117/32;
            }
            pool DC {
                address 10.10.1.106/32 port 3389;
            }
            pool CITRIX-1 {
                address 10.10.1.110/32;
            }
            pool CRM01 {
                address 10.10.1.126/32 port 443;
            }
            pool CRM02 {
                address 10.10.1.127/32 port 443;
            }
            pool DCR02 {
                address 10.10.1.106/32 port 444;
            }
            pool CCTV {
                address 10.10.0.50/32;
            }
            /* Every rule accepts any internet source. RDP is exposed directly (3389 -> TS, 3390 -> DC:3389), as is 444 -> DCR02 on the same DC host; prefer reaching these only through the VPN. internet-owa, internet-crm01 and internet-crm02 all match port 443: with the public addresses redacted it is not visible whether they differ, and rules are first-match in order, so two rules sharing an address and port would leave the later one dead. */
            rule-set internet_inbound {
                from zone internet;
                rule internet-mail {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool MAIL;
                    }
                }
                rule internet-owa {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool MAIL;
                    }
                }
                rule internet-ts {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool TS;
                    }
                }
                rule internet-dc {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 3390;
                    }
                    then {
                        destination-nat pool DC;
                    }
                }
                rule internet-server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 2001;
                    }
                    then {
                        destination-nat pool SERVER;
                    }
                }
                rule internet-server2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool SERVER-2;
                    }
                }
                rule internet-nimsoft {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 48003;
                    }
                    then {
                        destination-nat pool NIMSOFT;
                    }
                }
                rule internet-crm01 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool CRM01;
                    }
                }
                rule internet-crm02 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool CRM02;
                    }
                }
                rule SSLVPN {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 62.xx.xx.xx/32;
                        destination-port 444;
                    }
                    then {
                        destination-nat pool DCR02;
                    }
                }
            }
        }
        static {
            /* Internal alias: 10.10.0.2 maps 1:1 to 172.30.2.130 (the IVE host); the proxy-arp entry for 10.10.0.2 on ge-0/0/1.0 below makes the alias answer on the LAN. */
            rule-set trust-juniper-static {
                from zone trust;
                rule JuniperTrust {
                    match {
                        destination-address 10.10.0.2/32;
                    }
                    then {
                        static-nat prefix 172.30.2.130/32;
                    }
                }
            }
            /* Static NAT is bidirectional and covers all ports: one public 62.xx address maps to the IVE host and another to the CCTV unit at 10.10.0.50. The zone policy (not posted) is the only thing limiting which ports on those hosts are reachable from the internet. */
            rule-set internet-static {
                from zone internet;
                rule JuniperIVE {
                    match {
                        destination-address 62.xx.xx.xx/32;
                    }
                    then {
                        static-nat prefix 172.30.2.130/32;
                    }
                }
                rule CCTV {
                    match {
                        destination-address 62.xx.xx.xx/32;
                    }
                    then {
                        static-nat prefix 10.10.0.50/32;
                    }
                }
            }
        }
    }
    /* Makes the device answer ARP for the 10.10.0.2 alias on the LAN and for the translated public addresses on fe-0/0/7.0 (four 62.xx entries, redacted). Every NAT'd public address other than the interface's own needs an entry here. */
    proxy-arp {
        interface ge-0/0/1.0 {
            address {
                10.10.0.2/32;
            }
        }
        interface fe-0/0/7.0 {
            address {
                62.xx.xx.xx/32;
                62.xx.xx.xx/32;
                62.xx.xx.xx/32;
                62.xx.xx.xx/32;
            }
        }
    }
}