scfirewall

Device Details

  • Juniper SRX100H2
  • Purchased on 3/17/2014 via Amazon from Beccela's Etc. 15330 Barranca Pkway, Irvine CA 92618 - 1-260-232-2352. PO:1229957-9171445

Mgmt Details


User | Password
root | OLDDEVICEPASSWD
devops | OLDSDEVICEPASSWD

Client VPN Details


User | Password
chennai1 | KeePass
chennai2 | KeePass

Client Tunnel Details

  1. Download Shrew. Skip if v. 2.2.2 is already installed.
  2. Download this file as well. A copy should be available in the repo.
  3. Install Shrew (skip if done in step 1), open “VPN Access Manager”. Click File → Import and point to the file downloaded in step 2.
  4. Double click on the new icon in the VPN Access Manager window; it should prompt for username password.
  5. Enter username chennai1; the password is stored in KeePass.
  6. You should be connected (the last line should read “tunnel enabled”).

Port Assignment

  • PORT0 - WAN
  • PORT1 - VLAN1
  • PORT2 - VLAN1
  • PORT3 - VLAN1
  • PORT4 - NOT IN USE
  • PORT5 - NOT IN USE
  • PORT6 - NOT IN USE. RESERVED FOR WIRELESS CLIENT. 192.168.111.253/24
  • PORT7 - DMZ. 192.168.225.253/24
  • VLAN1 - 192.168.1.253/24

Current Config

## Last changed: 2014-04-22 08:12:53 GMT-8
# Configuration snapshot of the Juniper SRX100H2 documented above.
# 12.1X44.5 is an old release train; confirm its support status and
# outstanding advisories before treating this config as a baseline.
version 12.1X44.5;
groups {
    # Defines an on-box syslog file, but no "apply-groups" statement
    # appears anywhere in this config, so the group is never applied.
    # The equivalent top-level "system syslog file systemlog" below is
    # also marked inactive, so there is no local log file at all.
    jweb-security-logging {
        system {
            syslog {
                file systemlog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    host-name expscfw01;
    time-zone GMT-8;
    root-authentication {
        # "$1$" is an MD5-crypt hash. The hash is published on this
        # page, so treat the root credential as exposed and rotate it;
        # newer Junos releases accept stronger hash formats.
        encrypted-password "$1$qeJTehGo$C1K8tRsDrEw3JsDBaNZwp.";
    }
    name-server {
        66.7.224.17;
        66.7.224.18;
        208.67.222.222;
        208.67.220.220;
    }
    login {
        # Both local accounts are super-user (same MD5-crypt format and
        # same exposure as root above). Consider a lower login class for
        # day-to-day use and reserve super-user for break-glass access.
        user devops {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$1cWjhet3$vT4oTQ6PY24RynM4JqQng.";
            }
        }
        user paarth {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$Ep1eTSrT$XwB78mHUctpR3ms6FLcEA1";
            }
        }
    }
    services {
        ssh;
        # telnet sends credentials and the session in cleartext, and the
        # untrust zone below allows "any-service" on fe-0/0/0.0 (the WAN
        # interface), so it is reachable from the Internet. Remove it;
        # ssh is already enabled.
        telnet;
        web-management {
            management-url /manage;
            # Cleartext HTTP management on port 80, likewise reachable via
            # the untrust zone's any-service. Prefer "https" with a
            # certificate and limit the listening interface to the LAN.
            http {
                port 80;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.1 high 192.168.1.254;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.1.253;
                }
            }
            # Serves the reserved wireless port fe-0/0/6, which is not
            # placed in any security zone below; presumably this pool is
            # unusable until that interface is assigned to a zone.
            pool 192.168.111.0/24 {
                address-range low 192.168.111.1 high 192.168.111.254;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.111.253;
                }
            }
            # DMZ pool hands out only .130-.135; the static-NAT targets
            # under security nat (e.g. .131, .135) fall inside this range,
            # so those hosts should use reservations or static addresses.
            pool 192.168.225.0/24 {
                address-range low 192.168.225.130 high 192.168.225.135;
                name-server {
                    66.7.224.17;
                    66.7.224.18;
                }
                router {
                    192.168.225.253;
                }
            }
        }
    }
    syslog {
        # Inactive, and no "host" target is configured: system events
        # (logins, commits, daemon errors) are not retained anywhere. The
        # security log stream below carries session logs only. Reactivate
        # this file or add a syslog host.
        inactive: file systemlog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    # Single, unauthenticated NTP source; clock skew affects log
    # correlation and the IKE/IPsec lifetimes configured below.
    ntp {
        server 64.99.80.30;
    }
}
interfaces {
    # WAN (PORT0) with a public /28. There is no "filter { input ... }"
    # here even though "firewall family inet filter internet_inbound" is
    # defined at the end of this config, so that filter is never
    # applied; inbound exposure is governed only by zones and policies.
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 72.18.249.61/28;
            }
        }
    }
    # PORT1-PORT3: access ports in vlan "internal" (L3 on vlan.1).
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members internal;
                }
            }
        }
    }
    # fe-0/0/4 and fe-0/0/5 are unconfigured, matching the port list.
    # PORT6 (reserved wireless) has an address but fe-0/0/6.0 is not a
    # member of any security zone below, so the SRX will not forward
    # traffic on it until one is assigned; decide which zone it belongs
    # to before a client is attached.
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.111.253/24;
            }
        }
    }
    # PORT7: DMZ, zone "dmz" below.
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.225.253/24;
            }
        }
    }
    # Trust-side gateway for the internal VLAN.
    vlan {
        unit 1 {
            family inet {
                address 192.168.1.253/24;
            }
        }
    }
}
# Single default route to the ISP gateway on the WAN /28; no other
# routing is configured, so reachability of the 192.168.2.0/24 peer
# network depends entirely on the policy-based ca_vpn tunnel below.
routing-options {
    static {
        route 0.0.0.0/0 next-hop 72.18.249.49;
    }
}
security {
    log {
        # Session logs are streamed as plain syslog to an internal
        # collector. No transport protection, which is usual on a LAN,
        # but with the on-box syslog file inactive this stream is the
        # only record of the policies that log below; monitor that the
        # collector is actually receiving.
        mode stream;
        source-address 192.168.1.253;
        stream logstash {
            format syslog;
            host {
                192.168.1.4;
            }
        }
    }
    ike {
        #  traceoptions {
        #        file iketracer size 1m;
        #       flag policy-manager;
        #        flag ike;
        #      flag routing-socket;
        # }
        # Remote-access proposal: MD5 integrity, 3DES and DH group2
        # (1024-bit) are all deprecated. Move to at least aes-128-cbc /
        # sha1 as in ca_ike_proposal, and to group14 or higher for both.
        proposal vpnpolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        # Site-to-site proposal: acceptable ciphers, but group2 and sha1
        # should also be raised when the peer supports it.
        proposal ca_ike_proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        # Aggressive mode with a group pre-shared key is the weakest IKEv1
        # option: the identity exchange is unprotected and the PSK is
        # exposed to offline guessing. Prefer main mode (needs a static
        # peer or certificates) or certificate-based authentication. The
        # "$9$" value is reversible obfuscation, not a hash, so the key
        # is effectively disclosed by this page and should be rotated.
        policy vpnpolicy1 {
            mode aggressive;
            proposals vpnpolicy1;
            pre-shared-key ascii-text "$9$ZvDkPu0IlvLAp0IEyW8wYgaUH";
        }
        # Same "$9$" caveat applies to this PSK; rotate it.
        policy ca_ike_policy {
            mode main;
            proposals ca_ike_proposal;
            pre-shared-key ascii-text "$9$Mj/LNbHkPn9pDikP5FAthSrK87VwgoJDlKX-";
        }
        # Dial-in gateway: every client shares one IKE identity and PSK
        # (shared-ike-id), with per-user XAuth passwords from
        # remote_access_profile as the only individual factor. Revoking a
        # single user therefore does not change the shared secret.
        gateway ike-gw-in {
            ike-policy vpnpolicy1;
            dynamic {
                hostname scvpn.expertus.com;
                ike-user-type shared-ike-id;
            }
            external-interface fe-0/0/0;
            xauth access-profile remote_access_profile;
        }
        # Site-to-site gateway to a static public peer; DPD enabled.
        gateway ca_ike_gw {
            ike-policy ca_ike_policy;
            address 115.111.235.230;
            dead-peer-detection;
            local-identity inet 72.18.249.61;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options;
        # Remote-access phase 2: hmac-md5-96 and 3DES, deprecated; and
        # vpnpolicy1_ipsec below has no perfect-forward-secrecy, unlike
        # ca_vpn_policy. Align with ca_vpn_prop and add PFS.
        proposal vpnpolicy1_ipsec {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        proposal ca_vpn_prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy vpnpolicy1_ipsec {
            proposals vpnpolicy1_ipsec;
        }
        policy ca_vpn_policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ca_vpn_prop;
        }
        # Dial-in VPN, brought up on demand.
        vpn remotevpn1_in {
            ike {
                gateway ike-gw-in;
                ipsec-policy vpnpolicy1_ipsec;
            }
            establish-tunnels on-traffic;
        }
        # Site-to-site VPN, always up; monitored by pinging 192.168.2.2.
        vpn ca_vpn {
            vpn-monitor {
                optimized;
                destination-ip 192.168.2.2;
            }
            ike {
                gateway ca_ike_gw;
                ipsec-policy ca_vpn_policy;
            }
            establish-tunnels immediately;
        }
    }
    application-tracking {
        first-update;
    }
    flow {
        #traceoptions {
        #   file NAT-TRACE world-readable;
        #  flag packet-drops;
        # flag basic-datapath;
        #packet-filter pf1-outgoing {
        #   protocol icmp;
        #  source-prefix 12.19.148.66/32;
        # destination-prefix 72.18.249.59/32;
        # }
        # packet-filter pf2-incoming {
        #     protocol icmp;
        #     source-prefix 192.168.225.135/32;
        #     destination-prefix 12.19.148.66/32;
        # }
        # }
        # MSS clamp for tunnelled TCP to avoid fragmentation over IPsec.
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        # This screen profile is defined but never referenced: no
        # "screen untrust-screen;" appears under any security-zone
        # below, so none of these checks are active. Add
        # "screen untrust-screen;" to security-zone untrust.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        # NAT-SRC 
        source {
            # Outbound: exempt the site-to-site VPN subnet from NAT,
            # then interface-NAT everything else. Rule order matters.
            rule-set src-nat-interface-1 {
                from zone trust;
                to zone untrust;
                rule ca_vpn_natexempt {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 192.168.2.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule defaultSrcNAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            # Inbound source NAT to the two published trust hosts: the
            # servers see the firewall's address instead of the real
            # client, so their own logs cannot attribute access; only the
            # firewall session logs keep the original source. Avoid this
            # unless the hosts genuinely lack a return route.
            rule-set Server {
                from zone untrust;
                to zone trust;
                rule test-rule {
                    match {
                        destination-address [ 192.168.1.25/32 192.168.1.26/32 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool OrangeHttp {
                address 192.168.1.26/32 port 80;
            }
            pool backupssh {
                address 192.168.1.25/32 port 22;
            }
            rule-set Internet_interface_context {
                from zone untrust;
                # Matches any destination address on 8888 rather than the
                # firewall's own /32 as backupssh does; pin it to
                # 72.18.249.61/32 for consistency.
                rule orancetcp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port 8888;
                    }
                    then {
                        destination-nat pool OrangeHttp;
                    }
                }
                # Public 8889 -> 192.168.1.25:22 (SSH exposed to the
                # Internet on a non-standard port).
                rule backupssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 72.18.249.61/32;
                        destination-port 8889;
                    }
                    then {
                        destination-nat pool backupssh;
                    }
                }
            }
        }
        # One-to-one static NAT for eight DMZ hosts (all ports, both
        # directions). Combined with the any/any/any untrust->dmz policy
        # below this fully exposes those hosts.
        static {
            rule-set DMZ_WAN {
                from zone untrust;
                rule nat_61_52 {
                    match {
                        destination-address 72.18.249.52/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.61/32;
                            }
                        }
                    }
                }
                rule nat_62_53 {
                    match {
                        destination-address 72.18.249.53/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.62/32;
                            }
                        }
                    }
                }
                rule nat_214_54 {
                    match {
                        destination-address 72.18.249.54/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.214/32;
                            }
                        }
                    }
                }
                rule nat_215_56 {
                    match {
                        destination-address 72.18.249.56/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.215/32;
                            }
                        }
                    }
                }
                rule nat_216_55 {
                    match {
                        destination-address 72.18.249.55/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.216/32;
                            }
                        }
                    }
                }
                rule nat_218_57 {
                    match {
                        destination-address 72.18.249.57/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.218/32;
                            }
                        }
                    }
                }
                rule nat_131_58 {
                    match {
                        destination-address 72.18.249.58/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.131/32;
                            }
                        }
                    }
                }
                rule nat_135_59 {
                    match {
                        destination-address 72.18.249.59/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.225.135/32;
                            }
                        }
                    }
                }
            }
        }
        # .50, .51, .60 and .62 are proxied but no NAT rule in this
        # config uses them; presumably stale, and worth pruning so the
        # firewall does not answer ARP for addresses it does not serve.
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    72.18.249.50/32;
                    72.18.249.51/32;
                    72.18.249.52/32;
                    72.18.249.53/32;
                    72.18.249.54/32;
                    72.18.249.55/32;
                    72.18.249.56/32;
                    72.18.249.57/32;
                    72.18.249.58/32;
                    72.18.249.59/32;
                    72.18.249.60/32;
                    72.18.249.62/32;
                }
            }
        }
    }
    # 0001 
    # FROM "Any"
    # TO "Any"
    # SERVICE "any"
    # permit  
    policies {
        from-zone trust to-zone untrust {
            # VPN-bound traffic must precede the default permit, otherwise
            # it would be NAT'd and sent in the clear.
            policy ca_vpn_out {
                match {
                    source-address 192.168.1.0/24;
                    destination-address 192.168.2.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ca_vpn;
                        }
                    }
                }
            }
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Unrestricted egress from the DMZ; a compromised DMZ host can
        # reach any Internet destination. Consider limiting applications
        # and logging.
        from-zone dmz to-zone untrust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Any source, any destination, any application from the Internet
        # into the DMZ, with no logging. With the static NAT above, all
        # filtering for the DMZ hosts is left to the hosts themselves.
        # Restrict to the published applications per host and add
        # "log { session-init; session-close; }".
        from-zone untrust to-zone dmz {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone dmz {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # DMZ -> trust is limited to http/https/ssh, but from any DMZ
        # host to any trust host: a lateral-movement path from the
        # Internet-exposed hosts into the LAN. Narrow destination-address
        # to the specific internal services the DMZ needs, and log.
        from-zone dmz to-zone trust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-ssh ];
                }
                then {
                    permit;
                }
            }
        }
        #0003
        # from-zone untrust to-zone untrust {
        #}
        # 0002 
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # deny  
        from-zone untrust to-zone trust {
            # Presumably relies on destination NAT (8888 -> 80) running
            # before policy lookup, hence junos-http here.
            policy orangeinboundtrust {
                match {
                    source-address any;
                    destination-address 192.168.1.26/32;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            # Destination NAT only maps 8889 -> 22, yet the policy permits
            # "application any" to 192.168.1.25; tighten to
            # "application junos-ssh" so nothing else reaches the host.
            policy backupsshinbound {
                match {
                    source-address any;
                    destination-address 192.168.1.25/32;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy ca_vpn_in {
                match {
                    source-address 192.168.2.0/24;
                    destination-address 192.168.1.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ca_vpn;
                        }
                    }
                }
            }
            # Dial-in users get any application to the whole LAN once the
            # tunnel is up; scope to the hosts/services they need.
            policy remotevpn1 {
                match {
                    source-address any;
                    destination-address 192.168.1.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn remotevpn1_in;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            # Explicit final deny; consider adding "log { session-init; }"
            # so blocked inbound attempts are visible on the collector.
            policy defaultPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 192.168.1.0/24 192.168.1.0/24;
                address 192.168.2.0/24 192.168.2.0/24;
                address 192.168.1.26/32 192.168.1.26/32;
                address 192.168.1.25/32 192.168.1.25/32;
            }
            # "system-services all" on every LAN port means any LAN host
            # can reach telnet/http/ssh on the firewall; fe-0/0/1.0 also
            # accepts all routing protocols. Tighten to what is needed
            # (e.g. ssh, dhcp, ping) once management access is settled.
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        # No "screen untrust-screen;" here, so the screen profile defined
        # above is inactive on the WAN zone.
        security-zone untrust {
            address-book {
                address 192.168.1.0/24 192.168.1.0/24;
                address 192.168.2.0/24 192.168.2.0/24;
                address 192.168.1.26/32 192.168.1.26/32;
                address 192.168.1.25/32 192.168.1.25/32;
            }
            # Highest-risk line in this config: "any-service" on the WAN
            # interface lets the Internet reach every enabled management
            # service (telnet, http/80, ssh, web-auth), and
            # "protocols all" accepts routing protocols from outside.
            # Only "ike" is required here for the two VPN gateways on
            # fe-0/0/0; replace "any-service" with "ike" (and "ssh" only
            # if remote administration is genuinely needed).
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone junos-host {
            application-tracking;
        }
        # Zone-wide "system-services all": every DMZ host can reach the
        # firewall's management services. Limit as for trust.
        # fe-0/0/6.0 (wireless) is absent from all zones.
        security-zone dmz {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}
# Stateless filter, presumably intended for fe-0/0/0, but it is not
# referenced by any interface in this config and so has no effect.
# Before applying it note: (1) there is no "protocol" match, so these
# ports are accepted for any transport; (2) the filter has a single
# accept term and a Junos filter ends in an implicit discard, so as
# written it would drop all other inbound packets on that interface,
# including return traffic for NAT'd and policy-permitted sessions.
firewall {
    family inet {
        filter internet_inbound {
            term allow_ssh {
                from {
                    destination-port [ ssh 443 500 4500 ];
                }
                then accept;
            }
        }
    }
}
access {
    # XAuth / web-auth users for the dial-in VPN. Password is the only
    # factor ("authentication-order password"), and the "$9$" values are
    # reversible obfuscation rather than hashes, so these three
    # credentials are disclosed by this page and should be rotated.
    # Note "paarth" is also a super-user login above; keep the two
    # passwords distinct.
    profile remote_access_profile {
        authentication-order password;
        client chennai1 {
            firewall-user {
                password "$9$mfTFp0IRcl5QEyrex7k.PQ6ApuO";
            }
        }
        client chennai2 {
            firewall-user {
                password "$9$LMaxNVaZjiqf7-HmP5/9M8X-s4aZUjik";
            }
        }
        client paarth {
            firewall-user {
                password "$9$6yjY9AucyKv87CtMXxN2gFn/tBESreKWLle24";
            }
        }
        address-assignment {
            pool startup_rvpn_add_pool;
        }
    }
    address-assignment {
        # Addresses handed to dial-in clients; the remotevpn1 policy above
        # does not restrict by this source range (it matches "any").
        pool startup_rvpn_add_pool {
            family inet {
                network 10.10.10.0/24;
                range startup-rvpn-range {
                    low 10.10.10.1;
                    high 10.10.10.254;
                }
            }
        }
        # Not referenced by any profile in this config; presumably
        # leftover from a dynamic-VPN setup.
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.11.0/24;
            }
        }
    }
    # Web-authentication uses the same user set; it is reachable on any
    # interface whose zone allows the web-management services.
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
# Custom application named "isakmp" but matching udp/4500 (IPsec NAT-T)
# rather than udp/500; it is not referenced by any policy in this config.
# Rename or remove to avoid confusion if it is reused later.
applications {
    application isakmp {
        protocol udp;
        destination-port 4500;
    }
}
# Internal LAN VLAN. Tagged as vlan-id 2 but routed on vlan.1 and called
# "VLAN1" in the port list above; the mismatch is harmless to Junos but
# worth noting when reading switch-side configs.
vlans {
    internal {
        vlan-id 2;
        l3-interface vlan.1;
    }
}