===== Device Details =====
  * Juniper SRX100H2
  * Purchased on 3/17/2014 via Amazon from Beccela's Etc., 15330 Barranca Pkway, Irvine CA 92618 - 1-260-232-2352. PO: 1229957-9171445

===== Mgmt Details =====
  * Serial console - from the VM machine in SC: COM1, 9600 baud, default stop bits.
  * Web - https://192.168.1.253/manage (note: the config below only enables ''http'' on port 80 and has no ''https'' stanza, so confirm whether HTTPS actually answers; if it does not, J-Web logins cross the LAN in cleartext).
  * SSH - 192.168.1.253 (the config also leaves ''telnet'' enabled; use SSH only and remove telnet from the device).
  * Do not record device passwords on this page. The values in the table below appear to be placeholders/old entries; the live root and devops credentials belong in KeePass only. Also note that the config dump further down contains the login password hashes, both IKE pre-shared keys and the VPN user passwords — treat every secret on this page as exposed and rotate them. \\
|User|Password|
|root|OLDDEVICEPASSWD|
|devops|OLDSDEVICEPASSWD|

===== Client VPN Details =====
  * Log in and download the client from https://scvpn.exphosted.com (the IKE gateway in the config below is identified as ''scvpn.expertus.com'' — confirm which hostname is current before handing this out). \\
|User|Password|
|chennai1|KeePass|
|chennai2|KeePass|

===== Client Tunnel Details =====
  - Download [[https://www.shrew.net/download|Shrew]]. Skip if v. 2.2.2 is already installed. \\
  - Download this [[https://drive.google.com/a/expertus.com/file/d/0B9v0MG6V7MbDYmVJRXE1NUstZFk/edit?usp=sharing|file]] as well. A copy should be available in the repo. This profile is what Shrew imports to build the tunnel, so it most likely carries the tunnel's pre-shared key: keep it only in the access-restricted repo, do not share the Drive link outside the team, and re-export it whenever the PSK is rotated. \\
  - Install Shrew (skip if done in step 1), open "VPN Access Manager". Click File -> Import and point to the file downloaded in step 2.
  - Double-click the new icon in the VPN Access Manager window; it should prompt for a username and password.
  - Log in as chennai1 with the password from KeePass.
  - You should now be connected (the last line of the connect log should read "tunnel enabled").

===== Port Assignment =====
  * PORT0 - WAN
  * PORT1 - VLAN1
  * PORT2 - VLAN1
  * PORT3 - VLAN1
  * PORT4 - NOT IN USE
  * PORT5 - NOT IN USE
  * PORT6 - NOT IN USE. RESERVED FOR WIRELESS CLIENT. 192.168.111.253/24
  * PORT7 - DMZ.
192.168.225.253/24 * VLAN1 - 192.168.1.253/24 ===== Current Config =====
## Last changed: 2014-04-22 08:12:53 GMT-8
#
# REVIEW: this dump was pasted with every secret still in it: three login
# password hashes ($1$ = MD5-crypt, crackable offline), two IKE pre-shared
# keys and three XAuth user passwords ($9$ = Juniper's reversible obfuscation,
# not a hash -- anyone who can read this page can recover the plaintext).
# Treat all of them as compromised: rotate them on the device, and keep only
# a redacted copy of the configuration on the wiki / in the repo.
#
# REVIEW: 12.1X44 is a 2013-era release; check Juniper's support lifecycle
# before relying on this config -- it is very unlikely to still receive
# security fixes.
version 12.1X44.5;
# REVIEW: this group defines a local security log file, but no apply-groups
# statement is visible anywhere in this dump, so as shown it has no effect.
groups {
    jweb-security-logging {
        system {
            syslog {
                file systemlog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    host-name expscfw01;
    time-zone GMT-8;
    # REVIEW: $1$ (MD5-crypt) hash, and it is published on this page -- reset
    # the root password. Newer Junos releases store stronger (sha512) hashes;
    # check what this release supports when re-setting.
    root-authentication {
        encrypted-password "$1$qeJTehGo$C1K8tRsDrEw3JsDBaNZwp.";
    }
    name-server {
        66.7.224.17;
        66.7.224.18;
        208.67.222.222;
        208.67.220.220;
    }
    login {
        # REVIEW: both local users are super-user with published $1$ hashes;
        # reset both passwords. 'paarth' also appears below as a VPN
        # firewall-user -- confirm whether the same password was used in both
        # places, since the $9$ one is recoverable from this page.
        user devops {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$1cWjhet3$vT4oTQ6PY24RynM4JqQng.";
            }
        }
        user paarth {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$Ep1eTSrT$XwB78mHUctpR3ms6FLcEA1";
            }
        }
    }
    services {
        ssh;
        # REVIEW: cleartext management protocol. Combined with the untrust
        # zone's 'system-services any-service' below, and with no input filter
        # on fe-0/0/0, telnet is reachable on the WAN address. Fix:
        #   delete system services telnet
        telnet;
        # REVIEW: J-Web is HTTP-only here (no https stanza), so credentials
        # cross the network in cleartext; the Mgmt Details section above
        # claims HTTPS. Fix: configure web-management https (system-generated
        # or local certificate) and drop the http stanza. idle-timeout is in
        # minutes, so an unattended session stays valid for an hour.
        web-management {
            management-url /manage;
            http {
                port 80;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.1 high 192.168.1.254;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.1.253;
                }
            }
            pool 192.168.111.0/24 {
                address-range low 192.168.111.1 high 192.168.111.254;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.111.253;
                }
            }
            # REVIEW: the static NAT rules nat_131_58 and nat_135_59 below map
            # public addresses to 192.168.225.131 and .135, which sit inside
            # this DHCP range. Unless reservations exist (none are shown), a
            # lease change silently breaks or mis-routes those mappings to
            # whatever host gets the address next. Use static addresses for
            # NATed DMZ hosts.
            pool 192.168.225.0/24 {
                address-range low 192.168.225.130 high 192.168.225.135;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.225.253;
                }
            }
        }
    }
    # REVIEW: the only local system log file is deactivated and there is no
    # 'host' target here, so system events (logins, commits, IKE failures)
    # are not retained anywhere. The security log stream below carries only
    # RT_FLOW session events. Fix: 'activate system syslog file systemlog'
    # and/or add 'set system syslog host 192.168.1.4 any info'.
    syslog {
        inactive: file systemlog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    # REVIEW: single, unauthenticated NTP source; acceptable, but log
    # timestamps for the logstash stream depend on it.
    ntp {
        server 64.99.80.30;
    }
}
interfaces {
    # REVIEW: WAN interface. Note there is no 'filter { input ... }' here, so
    # the firewall filter internet_inbound defined at the bottom of this
    # config is not applied to anything.
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 72.18.249.61/28;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    # REVIEW: fe-0/0/6 is configured with an address and a DHCP pool but is
    # not a member of any security zone below, so traffic on it cannot pass
    # the flow module; consistent with "NOT IN USE" above, but it is a live
    # L3 interface if something is plugged in.
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.111.253/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.225.253/24;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 192.168.1.253/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 72.18.249.49;
    }
}
security {
    # REVIEW: session logs go to logstash at 192.168.1.4 in plain syslog.
    # Only the policies that carry a 'log' action produce events; most permit
    # policies below (trust->untrust, dmz->untrust, untrust->dmz, dmz->trust)
    # have none, so outbound and east-west traffic leaves no record.
    log {
        mode stream;
        source-address 192.168.1.253;
        stream logstash {
            format syslog;
            host {
                192.168.1.4;
            }
        }
    }
    ike {
        # traceoptions {
        # file iketracer size 1m;
        # flag policy-manager;
        # flag ike;
        # flag routing-socket;
        # }
        # REVIEW: weak proposal for the remote-access VPN: MD5, 3DES and
        # 1024-bit DH group2. Used by policy vpnpolicy1 in aggressive mode
        # with a pre-shared key and a shared IKE identity; in IKEv1 aggressive
        # mode the responder's PSK-derived hash is sent before the peer is
        # authenticated, so anyone who initiates IKE to 72.18.249.61 can take
        # it away and crack the PSK offline -- and the PSK itself is on this
        # page. Aggressive mode is typically what makes dynamic-peer PSK
        # tunnels work in IKEv1, so moving to main mode needs certificates
        # (or IKEv2, if the client supports it). At minimum: new PSK, aes-128
        # or stronger, sha1 or stronger, dh-group group14 if the Shrew
        # profile is updated to match.
        proposal vpnpolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        # REVIEW: site-to-site proposal is better but still uses group2
        # (1024-bit MODP); prefer group14 or higher when the peer at
        # 115.111.235.230 supports it.
        proposal ca_ike_proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        # REVIEW: $9$ pre-shared key is recoverable from this page; rotate it
        # and re-export the Shrew profile.
        policy vpnpolicy1 {
            mode aggressive;
            proposals vpnpolicy1;
            pre-shared-key ascii-text "$9$ZvDkPu0IlvLAp0IEyW8wYgaUH";
        }
        # REVIEW: $9$ pre-shared key is recoverable from this page; rotate it
        # in coordination with the remote site.
        policy ca_ike_policy {
            mode main;
            proposals ca_ike_proposal;
            pre-shared-key ascii-text "$9$Mj/LNbHkPn9pDikP5FAthSrK87VwgoJDlKX-";
        }
        # REVIEW: all remote-access clients share one IKE identity
        # (scvpn.expertus.com) and one PSK; per-user accountability rests on
        # XAuth alone. The wiki above points clients at scvpn.exphosted.com --
        # confirm which hostname is the live one.
        gateway ike-gw-in {
            ike-policy vpnpolicy1;
            dynamic {
                hostname scvpn.expertus.com;
                ike-user-type shared-ike-id;
            }
            external-interface fe-0/0/0;
            xauth access-profile remote_access_profile;
        }
        gateway ca_ike_gw {
            ike-policy ca_ike_policy;
            address 115.111.235.230;
            dead-peer-detection;
            local-identity inet 72.18.249.61;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options;
        # REVIEW: HMAC-MD5 + 3DES, no PFS and no explicit lifetime for the
        # remote-access tunnel; bring it in line with ca_vpn_prop /
        # ca_vpn_policy (aes, sha1 or better, PFS) together with the client
        # profile.
        proposal vpnpolicy1_ipsec {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        proposal ca_vpn_prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy vpnpolicy1_ipsec {
            proposals vpnpolicy1_ipsec;
        }
        # REVIEW: PFS group2 -- same 1024-bit group concern as the IKE
        # proposal; prefer group14 when the peer supports it.
        policy ca_vpn_policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ca_vpn_prop;
        }
        vpn remotevpn1_in {
            ike {
                gateway ike-gw-in;
                ipsec-policy vpnpolicy1_ipsec;
            }
            establish-tunnels on-traffic;
        }
        vpn ca_vpn {
            vpn-monitor {
                optimized;
                destination-ip 192.168.2.2;
            }
            ike {
                gateway ca_ike_gw;
                ipsec-policy ca_vpn_policy;
            }
            establish-tunnels immediately;
        }
    }
    application-tracking {
        first-update;
    }
    flow {
        #traceoptions {
        # file NAT-TRACE world-readable;
        # flag packet-drops;
        # flag basic-datapath;
        #packet-filter pf1-outgoing {
        # protocol icmp;
        # source-prefix 12.19.148.66/32;
        # destination-prefix 72.18.249.59/32;
        # }
        # packet-filter pf2-incoming {
        # protocol icmp;
        # source-prefix 192.168.225.135/32;
        # destination-prefix 12.19.148.66/32;
        # }
        # }
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    # REVIEW: this screen profile is defined but never applied -- the untrust
    # zone below has no 'screen untrust-screen;' statement, so none of these
    # checks run on WAN traffic. Fix:
    #   set security zones security-zone untrust screen untrust-screen
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        # NAT-SRC
        source {
            rule-set src-nat-interface-1 {
                from zone trust;
                to zone untrust;
                # NAT exemption for the site-to-site tunnel; must stay ahead
                # of defaultSrcNAT (rules are evaluated in order).
                rule ca_vpn_natexempt {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 192.168.2.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule defaultSrcNAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            # REVIEW: inbound connections to the two published trust hosts are
            # source-NATed to the firewall's address, so on 192.168.1.25/.26
            # every Internet client appears as 192.168.1.253. Host logs,
            # fail2ban-style rate limiting and any forensics on those hosts
            # lose the real source; the SRX policy log becomes the only
            # record. Presumably added to force return traffic through the
            # SRX -- if so, document that here; otherwise remove it.
            rule-set Server {
                from zone untrust;
                to zone trust;
                rule test-rule {
                    match {
                        destination-address [ 192.168.1.25/32 192.168.1.26/32 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool OrangeHttp {
                address 192.168.1.26/32 port 80;
            }
            pool backupssh {
                address 192.168.1.25/32 port 22;
            }
            rule-set Internet_interface_context {
                from zone untrust;
                # REVIEW: destination-address 0.0.0.0/0 here means port 8888
                # on any of the proxy-ARPed public addresses (.50-.62) lands on
                # 192.168.1.26, not just 72.18.249.61. The sibling rule
                # backupssh is correctly pinned to 72.18.249.61/32; do the same
                # here.
                rule orancetcp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port 8888;
                    }
                    then {
                        destination-nat pool OrangeHttp;
                    }
                }
                rule backupssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 72.18.249.61/32;
                        destination-port 8889;
                    }
                    then {
                        destination-nat pool backupssh;
                    }
                }
            }
        }
        # REVIEW: 1:1 static NAT for eight DMZ hosts. Because the
        # untrust->dmz policy below permits 'application any', every listening
        # port on these hosts is reachable from the Internet; the static NAT
        # does no filtering of its own.
        static {
            rule-set DMZ_WAN {
                from zone untrust;
                rule nat_61_52 {
                    match {
                        destination-address 72.18.249.52/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.61/32;
                            }
                        }
                    }
                }
                rule nat_62_53 {
                    match {
                        destination-address 72.18.249.53/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.62/32;
                            }
                        }
                    }
                }
                rule nat_214_54 {
                    match {
                        destination-address 72.18.249.54/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.214/32;
                            }
                        }
                    }
                }
                rule nat_215_56 {
                    match {
                        destination-address 72.18.249.56/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.215/32;
                            }
                        }
                    }
                }
                rule nat_216_55 {
                    match {
                        destination-address 72.18.249.55/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.216/32;
                            }
                        }
                    }
                }
                rule nat_218_57 {
                    match {
                        destination-address 72.18.249.57/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.218/32;
                            }
                        }
                    }
                }
                # REVIEW: .131 and .135 fall inside the DMZ DHCP range
                # (192.168.225.130-135) configured above -- see the note there.
                rule nat_131_58 {
                    match {
                        destination-address 72.18.249.58/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.131/32;
                            }
                        }
                    }
                }
                rule nat_135_59 {
                    match {
                        destination-address 72.18.249.59/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.135/32;
                            }
                        }
                    }
                }
            }
        }
        # REVIEW: .50, .51, .60 and .62 are answered for by proxy-ARP but no
        # NAT rule in this dump uses them; stale entries, harmless but worth
        # pruning so the public-address inventory stays accurate.
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    72.18.249.50/32;
                    72.18.249.51/32;
                    72.18.249.52/32;
                    72.18.249.53/32;
                    72.18.249.54/32;
                    72.18.249.55/32;
                    72.18.249.56/32;
                    72.18.249.57/32;
                    72.18.249.58/32;
                    72.18.249.59/32;
                    72.18.249.60/32;
                    72.18.249.62/32;
                }
            }
        }
    }
    # 0001
    # FROM "Any"
    # TO "Any"
    # SERVICE "any"
    # permit
    policies {
        # Outbound from the LAN: site-to-site traffic is tunnelled, everything
        # else is permitted without logging.
        from-zone trust to-zone untrust {
            policy ca_vpn_out {
                match {
                    source-address 192.168.1.0/24;
                    destination-address 192.168.2.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ca_vpn;
                        }
                    }
                }
            }
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # REVIEW: unrestricted, unlogged egress from the DMZ. A compromised
        # DMZ host can reach anything on the Internet (C2, exfiltration)
        # unobserved. Restrict to what the DMZ services actually need and add
        # 'log { session-init; }'.
        from-zone dmz to-zone untrust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # REVIEW: any Internet host may reach any port on the static-NATed
        # DMZ hosts, unlogged. Scope this to the published services per host
        # and log it.
        from-zone untrust to-zone dmz {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone dmz {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # REVIEW: every DMZ host may open HTTP, HTTPS and SSH to every host on
        # the trust LAN. This is the lateral-movement path from an
        # Internet-facing DMZ box into the internal network; pin it to the
        # specific destination hosts/ports that genuinely need it and log it.
        from-zone dmz to-zone trust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-ssh ];
                }
                then {
                    permit;
                }
            }
        }
        #0003
        # from-zone untrust to-zone untrust {
        #}
        # 0002
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # deny
        from-zone untrust to-zone trust {
            policy orangeinboundtrust {
                match {
                    source-address any;
                    destination-address 192.168.1.26/32;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            # REVIEW: 'application any' although the only path in is the
            # 8889->22 destination NAT above; tighten to junos-ssh so a later
            # NAT change cannot silently widen exposure.
            policy backupsshinbound {
                match {
                    source-address any;
                    destination-address 192.168.1.25/32;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy ca_vpn_in {
                match {
                    source-address 192.168.2.0/24;
                    destination-address 192.168.1.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ca_vpn;
                        }
                    }
                }
            }
            # REVIEW: remote-access users get every service on the whole trust
            # LAN. If clients always receive addresses from
            # startup_rvpn_add_pool, restrict source-address to 10.10.10.0/24
            # and narrow application/destination to what remote work needs.
            policy remotevpn1 {
                match {
                    source-address any;
                    destination-address 192.168.1.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn remotevpn1_in;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            # REVIEW: the catch-all deny has no 'log' action, so blocked
            # inbound attempts never reach logstash. Add 'log { session-init; }'
            # (and 'count') so scans and probes are visible.
            policy defaultPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        # REVIEW: every system service (including telnet and HTTP J-Web)
        # listens on all trust interfaces, and fe-0/0/1 additionally accepts
        # all routing protocols although none are configured in this dump.
        # Narrow to the services actually used from the LAN (ssh, dhcp,
        # ping, https).
        security-zone trust {
            address-book {
                address 192.168.1.0/24 192.168.1.0/24;
                address 192.168.2.0/24 192.168.2.0/24;
                address 192.168.1.26/32 192.168.1.26/32;
                address 192.168.1.25/32 192.168.1.25/32;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        # REVIEW: the most serious finding in this config. 'any-service' on
        # the WAN interface exposes the device's own management plane -- SSH,
        # telnet, HTTP J-Web, DHCP and the rest -- to the Internet, and
        # 'protocols all' accepts routing-protocol traffic there although no
        # protocols are configured. With no input filter on fe-0/0/0 nothing
        # else stops this. Fix: replace with only what the VPNs need, e.g.
        #   delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic
        #   set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
        # (add ssh only if WAN-side management is truly required, and then
        # restrict its sources), and apply the untrust-screen here.
        security-zone untrust {
            address-book {
                address 192.168.1.0/24 192.168.1.0/24;
                address 192.168.2.0/24 192.168.2.0/24;
                address 192.168.1.26/32 192.168.1.26/32;
                address 192.168.1.25/32 192.168.1.25/32;
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone junos-host {
            application-tracking;
        }
        # REVIEW: all system services (again including telnet/HTTP
        # management) are reachable from the DMZ, i.e. from hosts that are
        # themselves fully exposed to the Internet by the untrust->dmz policy.
        # The DMZ needs dhcp (pool above) and perhaps ping; nothing else.
        security-zone dmz {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}
# REVIEW: defined but not referenced by any interface in this dump, so it is
# dead config. Note it is not a drop-in fix either: a Junos filter ends in an
# implicit discard, so applying it as written would also drop the
# destination-NAT (8888/8889) and static-NAT traffic. Fix the untrust zone
# host-inbound list instead (see above) and either delete this filter or
# extend it before binding it to fe-0/0/0.0.
firewall {
    family inet {
        filter internet_inbound {
            term allow_ssh {
                from {
                    destination-port [ ssh 443 500 4500 ];
                }
                then accept;
            }
        }
    }
}
access {
    # REVIEW: XAuth passwords are stored as $9$ and are therefore recoverable
    # from this page -- reset all three. Only chennai1/chennai2 are listed in
    # the wiki; if those accounts are shared by several people, per-person
    # accounts are needed for the remotevpn1 policy log to be attributable.
    profile remote_access_profile {
        authentication-order password;
        client chennai1 {
            firewall-user {
                password "$9$mfTFp0IRcl5QEyrex7k.PQ6ApuO";
            }
        }
        client chennai2 {
            firewall-user {
                password "$9$LMaxNVaZjiqf7-HmP5/9M8X-s4aZUjik";
            }
        }
        client paarth {
            firewall-user {
                password "$9$6yjY9AucyKv87CtMXxN2gFn/tBESreKWLle24";
            }
        }
        address-assignment {
            pool startup_rvpn_add_pool;
        }
    }
    address-assignment {
        pool startup_rvpn_add_pool {
            family inet {
                network 10.10.10.0/24;
                range startup-rvpn-range {
                    low 10.10.10.1;
                    high 10.10.10.254;
                }
            }
        }
        # REVIEW: not referenced by anything in this dump; looks like a
        # leftover from a dynamic-VPN setup -- confirm and remove.
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.11.0/24;
            }
        }
    }
    # REVIEW: no interface in this dump enables web-authentication, so this
    # appears unused; if it is, remove it rather than leave the VPN user
    # database wired to a second login path.
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
# REVIEW: named 'isakmp' but defined as UDP/4500 (NAT-T), not UDP/500, and
# not referenced by any policy shown; rename or remove to avoid confusion.
applications {
    application isakmp {
        protocol udp;
        destination-port 4500;
    }
}
vlans {
    internal {
        vlan-id 2;
        l3-interface vlan.1;
    }
}