Read here {http://www.rsivanandan.com/2010/01/24/documentation-for-juniper-devices/}

There is a much better way if you use Firefox. There is a search plug-in that you could use to integrate it with Firefox and have the term/configuration you want directly from the browser.

Can’t wait to get it? Head straight to http://kb.juniper.net and below right hand corner, you can see ‘Install Search Plug-in’.

Install it and there you have it;

An example page that I searched was looking as below;

Have fun…

First create a custom service to address the PPTP requirement (This is Microsoft windows specific);

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048

set service CustomPPTP + tcp src 0-65535 dst 1723-1723

The first line above creates a custom service named “CustomPPTP” with protocol number 47 (GRE) with source/destination port as 2048.

The second line adds to the same service for PPTP (port 1723 TCP).

Then the next step would be to NAT the internal PPTP server to publically accessible server using a public ip address. Here we’d use the same address assigned on the untrust interface (single public ip available scenario);

set vip multi-port

set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10

The first line above states that it is a multi-port VIP. Normally a VIP listens only on a single port, if a single ip address is used and you want to have multiple ports forwarded, multi-port VIP is needed.

The second line above sets a VIP for port 2048 for the internal server (PPTP Server) 10.1.1.10 (assuming the ip of the internal PPTP server to be this).

almost done; the only thing pending is a policy to allow traffic to pass through this condition;

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit

The above policy allows any machine from untrust zone (internet) to connect to VIP address (trust zone) for the service “CustomPPTP”.

Just save the configuration and you should have it working just fine…

Juniper KB Link

UTM feature (Unified Threat Management) is integrated into SRX devices. So in order to block a site(s);

1. First create a custom block lists to contain the websites that you want to block.

custom-objects {
    url-pattern {
            badsite {
                    value www.facebook.com;
            }
            addictivesite {
                            value www.twitter.com;
            }
}
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}

As you can see, the custom URL category block list above contains the site ‘www.facebook.com’ and ‘www.twitter.com’ and based on the preferences time-eating sites like facebook/twitter/myspace etc can be used in here. Again, the advantage is that it doesn’t deal with ip addresses and hence very effective how many ever servers are hosted around the world.

2. Then create a web filtering policy to allow the traffic after screening the type/site to which the traffic is going to, as below;

policies {
    from-zone trust to-zone untrust {
        policy utm {
                match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
        then {
                permit {
                    application-services {
                                            utm-policy wf-block-specfic-categories;
                                        }
                        }
                    }
                }
            }
        }
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites; #This causes sites in the bad-sites category to be blocked

utm-policy wf-block-specfic-categories {
    web-filtering {
        http-profile block-selected-sites;
                }
        }
}

Along with this, SRX also supports usage of ‘Custom Block Messages’ and also make this time bound. Say if you don’t want to block it completely but just block it during business hours that is possible too by scheduling policies.

Assuming that your wireless network is your trusted network and you want to have this network use untrust ip address to be used (natted) while going to internet or other networks.

   1: set interface "wireless0/0" zone "Trust"

   2: set interface wireless0/0 ip 192.168.2.1/24

   3: set interface wireless0/0 nat

   4: set interface wireless0/0 ip manageable

   5: set interface wireless0/0 dhcp server service

   6: set interface wireless0/0 dhcp server auto

   7: set interface wireless0/0 dhcp server option gateway 192.168.2.1

   8: set interface wireless0/0 dhcp server option netmask 255.255.255.0

   9: set interface wireless0/0 dhcp server option domainname mycompany.com

  10: set interface wireless0/0 dhcp server option dns1 192.168.20.20

  11: set interface wireless0/0 dhcp server option dns2 192.168.128.50

  12: set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126

  13: unset interface wireless0/0 dhcp server config next-server-ip

  14: set ssid WLAN interface wireless0

1 –> sets the interface wireless0/0 in Trust Zone.

2 –> sets the IP address on the wireless interface.

3 –> sets the wireless interface mode to nat.

4 –> sets the wireless interface manageable (ping/ssh/web etc).

5 –> tells the dhcp server service to be ON on wireless interface.

6 to 13 –> sets the different network IP parameters to be used by DHCP Server service.

14 –> defines the SSID to which the users should connect.

Note that this hasn’t specified any wireless encryption part here. This is intended to be a simple post.

1. The first one is the rack it up, connecting the cables and power it up.

2. Then login to the router using the console port of the router (usually in the front).

3. Juniper Router does provide you the Management interface to be either a specific management port or a general port on it. Wouldn’t go into the details of it

4. Setup the IP address for the Management port.

5. Enable the needed access from network to the box itself.

After these steps, you essentially have the router up and running on the router, on which you can do your necessary configuration. I intend to cover them later across multiple posts.

So now to action; 1 & 2 is fairly straight forward and lets look at 3;

The Management Port is usually “fxp0” on the router – Specific Management Port (Out-Of-Band Management)

Or you can use one of your normal ports like “ge0/0/0” for the Management (In-Band Management).

First part is to assign an IP address to the management port:-

   1: root@PE3-MX480% cli

   2:  

   3: root@PE3-MX480> configure 

   4: [edit]

   5: root@PE3-MX480# set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

   6:  

Enabling Remote Access:- There are different protocols available, mainly SSH/Telnet/HTTP

So to enable these protocols on the management interface; follow this;

   1: set system services ssh

   2:  

   3: set system services ssh root-login allow

   4: set system services ssh protocol-version v1

   5: set system services ssh protocol-version v2

   6:  

   7: set system services telnet

   9:  

  10: set system services web-management http

As you can see, all SSH/Telnet and HTTP access is enabled and also you can see how to enable root login via SSH (By default not allowed).

After you configure all these, you have the access to this box via these protocols from the local network. You can verify it by issuing the command;

root@PE3-MX480> show configuration | display set

OR

root@PE3-MX480> show configuration (this should show the configuration in a C like syntax styled fashion)

   One of the best part about Microsoft and Cisco are not just the

products but supporting documentation as well, it is vast and a lot of configuration examples with actual configuration samples.

If you want to load something on to a brand new Cisco device, just Google and just Copy&Paste would take care of minimal configuration and just modification would bring it up in minutes.

Unfortunately the problem with Juniper Documentation is that they can’t match that much of the results from other vendors. For example if I have to learn about NSRP knowledge base and if you just type ‘nsrp’ onto Google, you’ll get a max of 3 or 4 search results that are relevant and even if you get it, it’ll be the basic ‘how to configure kind of stuff’. On the other hand, if you use Google’s advanced searching mechanism, you’ll get much better results on the subject you’re searching. For example;

nsrp site:kb.juniper.net

The above search would yield only the results from Juniper KB site and would have a wide variety of information lined up for you to dig on.

While this is the true for all vendor’s documentation, I just wanted to emphasize the usage of ‘kb.juniper.net’ instead of ‘www.juniper.net’, because there is a difference

  Based off the Glassdoor.com surveys from the employee’s themselves of each company, Juniper Networks’ ranks the first!

Got this snippet from { Here }

  One difference about glassdoor compared to all other predictions is that these are derived by anonymous input’s from the respective organizations itself.

{ Click Here to get it }

Though it is a comparison with FG – 224B, you can pretty much see the plus points that comes with Juniper SSG series of Firewalls.

      2009 Information Security/SearchSecurity.com Readers’ Choice awards are announced and guess what; Juniper Won the best security solution awards in the following categories;

• Intrusion Prevention:   Gold Award   : Juniper IDP Series
• NAC                            :   Gold Award   : Juniper Networks Unified Access Control
• Remote Access       :    Silver Award : Juniper Networks SA Series SSL VPN Appliances

Last year Juniper was named a finalist in five categories and won an award in each category, including Authentication, NAC, Network Firewalls, Remote Access and UTM. Juniper SSG, ISG and SA SSL VPN won Gold awards.  UAC won a Silver award. Juniper Steel-Belted Radius, NetScreen and SSG won Bronze awards.

Way to go Juniper! If you look at Juniper’s Security Market/Products, the solutions have been there in the market only for a few years now, but still they made through and take on the long-timers now!

The latest information on Juniper’s success in diversified segments of market is the ‘Ethernet Platforms’.  Despite the recession;

Quarter over Quarter, pretty steady growth and as per Mike Banic, VP at Juniper Networks for Product Marketing “Based on the companies covered in the Dell’Oro report, over the past five quarters of revenue shipments, Juniper has grown its EX Series switch revenue faster than any enterprise Layer 2/Layer 3 switch vendor entering the market in the previous decade,”

Full News at Yahoo

Some interesting facts if we look back, Juniper had a wide variety of products and what was lacking in the portfolio was a ‘complete solution’, the switches. I used to wonder why haven’t they started a BU around this and based on the reputation and more importantly people like choices – it would only seem imperative that they need to have done this couple of years back and of course it would be a huge investment, can’t discount for that.

Instead of a vendor setting standards and price tags, a customer always would prefer a choice of vendors where he get to make the calls!

Great going Juniper…

At this point, something of strange nature is that the EVP of Ethernet Platforms Group at Juniper, Hitesh Sheth – moved over to Aruba to take a position of COO. This would be the first position at Aruba, a COO!

Full News at bizjournals

I think it is not of much attention that there are many e-Learning courses available from Juniper FREE of cost. Mostly it is either advised by SE’s or some product road shows. Otherwise, Juniper lacks the publicity that Cisco and MSFT has been carrying over for a long period on eLearning.

So to let people know, Juniper does offer some eLearning programs on Enterprise Routing, Enterprise Switching, Security etc.

Also one of the interesting training would be the Intrusion Prevention training which can be accessed here. [Click]

Click on the picture above to check out all the available courses.

The latest report on performance from Miercom on Enterprise segment Firewalls goes as this; for real world HTTP (web 2.0) simulated traffic;

While this is a performance evaluation of the box by itself, some time back NetworkWorld tested SSG 500 series firewalls from Juniper and it topped the converged security solutions. Which means UTM (Unified Threat Management) next generation firewalls.

Also note that the firewall involved in Miercom’s testing is ‘NS-5200’, which is based on Netscreen architecture, the latest firewalls are much more efficient (hardware wise) and runs on Juniper architecture! I guess, when a test is performed and some one picks ASA-5580 which is pretty latest, the Juniper gear also should’ve been the latest (from SSG/ISG series)

So what does it mean for a customer looking at the market?

Real-World HTTP throughput tops in Cisco’s ASA 5580, instead if you’re looking for a box which can do Integrated stuff (IPS, AV, AntiSpam, Network Access Control) then the answer seems to be Juniper Firewalls. It is a tough choice again based on your switch ports you want to protect vs additional security that you want in one box.

Personally, I’m a fan of both of the boxes and both has its flexibility. After being configuring for almost 6-7 years the Cisco Gear, now I’ve been working on Juniper gear for last 2 years. But this 2 years made me like the Juniper security solutions as well. The reason, policy driven traffic management and support for WAN drops directly onto the firewall (remember, I worked mostly on PIX firewalls which only has 1 outside interface with Ethernet support).

Links to read :

Miercom Full Report :

http://6200networks.com/wp-content/uploads/docs/miercom_cisco_asa_5580.pdf

NetworkWorld Full Report : http://www.networkworld.com/reviews/2006/020606-juniper-ssg-test.html

One of the feature that you can achieve using rules in policies on a Juniper Firewall is conditional pass through of traffic. What I mean by that is, to first authenticate the user and if you want that user to access what he is trying then, allow/disallow the traffic; More as an example;

set policy id 1 from Trust to Untrust any any HTTP permit log

The above command would allow any user from the Trust zone to access HTTP resources on the Untrust side of the firewall. Now say I want to allow only one user ; In that case I can setup an authentication prior to allowing that connection in the same *ONE* line policy as below; For the example I’m going to use a ‘user’ created locally on the firewall, however integration to external authentication server is very well supported in Juniper Firewalls.

set user <username> password <password>

set user <username> enable

set policy id 1 from Trust to Untrust any any HTTP permit auth user <username> log

The above 3 lines does the job for you. So as you know, multiple services/multiple users can go in there on a single rule. Only after the authentication, the user is allowed to access the resource. One of the very simplified approach!

The following is a working example screen-shot of a telnet session by double authentication (one on the firewall and the other on the actual telnet server).

A Telnet Session using Policy Based Authentication (Red box displays the first level of auth done at firewall, Blue box displays the actual telnet authentication)

The relevant firewall configuration used for this is as below;

   1: set user rsivanandan password password

   2: set user rsivanandan enable

   3:  

   4: set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "TELNET" permit auth server "Local" user "rsivanandan" log

Advantage of having this? I’ve seen environment where in a same username is used by different persons in the organization to login and access data. Here, we have only one authentication method and there is no way of finding out who actually logged in. If Policy Based Authentication is implemented, then controlled access can be done, as well if the username/password is integrated in the firewall policy (think of External User Database).

Then we know who accessed the data last – ACCOUNTABILITY

An evaluation of Junipers newly launched EX Series switch underwent tests for industry conformance and you can find it at Network World;

The verdict: This is one fast box. The EX 4200 delivered line-rate throughput in every case, the only switch we’ve tested this year to do so. What’s more, 10G Ethernet latency is the lowest we’ve ever measured. We also were impressed by the EX 4200′s feature set and powerful JUNOS command-line interface (CLI).

Further Read – Full set of tests run against the switch…

Juniper Firewalls can be configured in Nat/Route mode or Transparent mode, in simple terms L3 or L2 mode.

L3 :: Pure route mode where all the interfaces bear ip addresses and routing is run.

L2 :: Pure layer2 mode where all the interfaces are pass along and no ip addresses.

There is a 3rd mode which can be configured and is Mixed Mode. Say the situation demands, one of the network to be in transparent mode and others in nat/route mode.

A typical example is if you have the Firewall connected to different networks and at the same time you want to have 2 ports receive dhcp assigned ip addresses (I have this config at desk since I maintain a VPN network for testing. On the other hand on my desk I have my laptop and desktop both of which gets corporate dhcp leased ip addresses. So I have configured the SSG-20 in this mode).

   1: set interface "bgroup0" zone "Trust"

   2: set interface bgroup0 port ethernet0/2

   3:  

   4: The above is connected to a network which is routed

   5:  

   6: set interface "bgroup1" zone "V1-Trust"

   7: set interface bgroup1 port ethernet0/0

   8: set interface bgroup1 port ethernet0/3

   9: set interface bgroup1 port ethernet0/4

  10:  

  11: The above is connected to a network which is transparent;

  12:  

  13: ethernet0/0 is connected to corporate network

  14: ethernet0/3 is connected to Desktop

  15: ethernet0/4 is connected to Laptop

  16:  

So both laptop and desktop gets ip addresses leased from corporate DHCP server (Bgroup1 acts as transparent)

  It is advisable to use the Netscreen-Remote that comes as the vpn client, however if one has to use XP client for connecting to a Juniper Firewall, here is how to do;

This example talks about L2TP over IPSEC { GO }

Found out today that Cisco has a configuration guide for VPN between PIX firewall to a Juniper Netscreen Firewall

{Click to Go}

There are different market players when it comes to Threat Management / Log Management /Compliance Management;

It ranges from netForensics, Cisco’s CS-MARS, LogLogic, netIQ, ArcSight and so on…

STRM is Juniper’s entry to the log management market offering solutions which along with log management provides some Network Behavior Analysis as well with the event correlation. Its been beaten to death as to which solutions is better but I still feel every log management solution has a relation to the type of network we’re looking at (I’m sure I won’t be alone in this one)! Simple – How would be HIPAA looked at in a R&D center – What use is there for CPU cycles invested?

Put aside the vendor competition, STRM basically would support any device which can send Syslog events to it and correlate it – ranging from Juniper’s SSL VPN / Firewalls to Windows Machines. It has also got the flow going (Netflow / JFlow etc…)

{Would be the link to product page @ Juniper}

Juniper’s NSM Attack update is something which will go over to Juniper’s security server and download the latest available IDP signature sets. There are situations where the NSM server do not have Internet connection, thus having to use a proxy solution.

You can use Squid Proxy for handling this; Setup Information would be as below;

1. Install Squid (I used Windows binary of Squid) on a machine with Internet Access.

2. Edit the conf file for Squid and add as below

Squid Config Information:

With no password proxying, all you need is this;

http_port 3128 (or any port)

http_access allow all

3. If you want to have basic authentication (NCSA), change the conf file to this;

With username/password proxying, you need this; => For NCSA type of authentication

http_port 3128 (again any port)

auth_param basic program C:\\squid\\libexec\\ncsa_auth.exe c:\\squidpassword.txt  (2 slashes since it is on Windows)

acl NSMQA proxy_auth REQUIRED

http_access allow NSMQA

4. Configure proxy server ip and port in NSM preferences

5. Start Squid and that is it. Have fun

  While using Juniper Firewall devices, there are 2 ways of creating an IPSEC VPN, route based and policy based. There has been a lot of discussions around this area as to what is the difference. However there is one important way of differentiating these 2 types of VPN.

  Think about the other networking Giant, Cisco. Cisco’s PIX/ASA firewalls do VPN and they do only Policy Based VPN (Access-lists for interesting traffic). So the differentiating factor while we create VPN between these 2 devices would be;

Route Based VPN:

1. If everything behind both Juniper Firewall and PIX/ASA needs to be connected via VPN, then route based VPN would work.

2. If only one subnet needs to be allowed to connect via VPN, then again route based VPN would work.

However, say if you want to only use 2 subnet behind Juniper Firewall then it would not be easy with a single tunnel interface. So it is basically suggested to go for Policy Based VPN where you can define the source networks that needs to be secured.

Juniper has a tool that’d convert the IOS configuration to JunOS, released some time this year and looks nice. This is especially in the light of vast configuration examples of Cisco and can be converted into JunOS based devices as well.

http://www.juniper.net/customers/support/

Checkout at the above URL. Of course only available for customers with active support contract.

NSM by default installation has a list of whois servers however it do not list all the whois servers. This post should help you to change the whois server list in NSM client if you need a personalized one.

By default NSM has the following whois servers in installation;

“whois.arin.net”
“whois.apnic.net”
“whois.aunic.net”
“whois.compuserve.com”
“whois.domainpeople.com”
“whois.hq.nasa.gov”
“whois.internic.net”
“whois.netnames.net”
“whois.nic.gov”
“whois.nic.it”
“whois.virginia.edu”

The file which stores this information is ‘prefs.orig’ in the NSM Client installation directory. So as you can see, you can edit the list to add/remove your required whois servers!

A list of all available whois servers can be found here [here]

Left aside the improvements, considering Juniper’s growth onto Enterprise Market, now the only key piece missing is an aggregator. On that account, a switch being rolled out in the market would boost the ‘Complete Solution’ as far as I can see. Think about a mix of SSG Firewalls & UAC solutions from Juniper and at the back-end you have a switch that speaks a totally different language? Well, so to speak technology is innovative and one has to lay the foundation to improve something around it. I guess that is what Juniper has done now.

Features provided in the EX Series switches are [Here]

URL to access Juniper Firewall Session Analyzer [Here]

For those who do not have a Juniper login, there is another tool available (not by Juniper) which is a standalone program (NSSA) and can be downloaded from [Here]

Screenshot of NSSA :

To give a background, SSG is at the main office, PIX being at remote office. The VPN is built between 10.10.12.0 network to 10.10.7.0 network in the following configuration;

SSG 140 Configuration:-

   1: JUNIPER (MAIN OFFICE)--->

   2: set clock timezone -5

   3: set vrouter trust-vr sharable

   4: set vrouter "untrust-vr"

   5: exit

   6: set vrouter "trust-vr"

   7: unset auto-route-export

   8: exit

   9: set auth-server "Local" id 0

  10: set auth-server "Local" server-name "Local"

  11: set auth default auth server "Local"

  12: set auth radius accounting port 1646

  13: set admin name "admin"

  14: set admin password "XYZ123"

  15: set admin http redirect

  16: set admin auth timeout 10

  17: set admin auth server "Local"

  18: set admin format dos

  19: set vip multi-port

  20: set zone "Trust" vrouter "trust-vr"

  21: set zone "Untrust" vrouter "trust-vr"

  22: set zone "DMZ" vrouter "trust-vr"

  23: set zone "VLAN" vrouter "trust-vr"

  24: set zone id 100 "DMZ-WAN"

  25: set zone "Untrust-Tun" vrouter "trust-vr"

  26: set zone "Trust" tcp-rst 

  27: set zone "Untrust" block 

  28: unset zone "Untrust" tcp-rst 

  29: set zone "MGT" block 

  30: set zone "DMZ" tcp-rst 

  31: set zone "VLAN" block 

  32: unset zone "VLAN" tcp-rst 

  33: set zone "DMZ-WAN" block 

  34: unset zone "DMZ-WAN" tcp-rst 

  35: set zone "Trust" screen icmp-flood

  36: set zone "Trust" screen udp-flood

  37: set zone "Trust" screen winnuke

  38: set zone "Trust" screen port-scan

  39: set zone "Trust" screen ip-sweep

  40: set zone "Trust" screen tear-drop

  41: set zone "Trust" screen ping-death

  42: set zone "Trust" screen ip-filter-src

  43: set zone "Trust" screen land

  44: set zone "Trust" screen syn-frag

  45: set zone "Trust" screen tcp-no-flag

  46: set zone "Trust" screen unknown-protocol

  47: set zone "Trust" screen ip-bad-option

  48: set zone "Trust" screen ip-record-route

  49: set zone "Trust" screen ip-timestamp-opt

  50: set zone "Trust" screen ip-security-opt

  51: set zone "Trust" screen ip-loose-src-route

  52: set zone "Trust" screen ip-strict-src-route

  53: set zone "Trust" screen ip-stream-opt

  54: set zone "Trust" screen icmp-fragment

  55: set zone "Trust" screen icmp-large

  56: set zone "Trust" screen syn-fin

  57: set zone "Trust" screen fin-no-ack

  58: set zone "Trust" screen limit-session source-ip-based

  59: set zone "Trust" screen syn-ack-ack-proxy

  60: set zone "Trust" screen block-frag

  61: set zone "Trust" screen limit-session destination-ip-based

  62: set zone "Trust" screen component-block exe

  63: set zone "Trust" screen icmp-id

  64: set zone "Trust" screen ip-spoofing drop-no-rpf-route

  65: set zone "Untrust" screen tear-drop

  66: set zone "Untrust" screen syn-flood

  67: set zone "Untrust" screen ping-death

  68: set zone "Untrust" screen ip-filter-src

  69: set zone "Untrust" screen land

  70: set zone "V1-Untrust" screen tear-drop

  71: set zone "V1-Untrust" screen syn-flood

  72: set zone "V1-Untrust" screen ping-death

  73: set zone "V1-Untrust" screen ip-filter-src

  74: set zone "V1-Untrust" screen land

  75: set interface "ethernet0/0" zone "Trust"

  76: set interface "ethernet0/1" zone "DMZ"

  77: set interface "ethernet0/2" zone "Untrust"

  78: set interface "ethernet0/3" zone "DMZ-WAN"

  79: set interface "tunnel.1" zone "Untrust"

  80: set interface ethernet0/0 ip 10.10.7.2/24

  81: set interface ethernet0/0 route

  82: unset interface vlan1 ip

  83: set interface ethernet0/1 ip 10.10.9.1/24

  84: set interface ethernet0/1 route

  85: set interface ethernet0/2 ip X.Y.Z.98/27

  86: set interface ethernet0/2 route

  87: set interface ethernet0/3 ip 10.10.99.0/24

  88: set interface ethernet0/3 route

  89: set interface tunnel.1 ip unnumbered interface ethernet0/2

  90: unset interface vlan1 bypass-others-ipsec

  91: unset interface vlan1 bypass-non-ip

  92: set interface ethernet0/0 ip manageable

  93: unset interface ethernet0/1 ip manageable

  94: set interface ethernet0/2 ip manageable

  95: unset interface ethernet0/3 ip manageable

  96: unset interface ethernet0/0 manage snmp

  97: set interface ethernet0/0 manage mtrace

  98: unset interface ethernet0/1 manage ping

  99: set interface ethernet0/2 manage ping

 100: set interface ethernet0/2 manage ssh

 101: set interface ethernet0/2 manage telnet

 102: set interface ethernet0/2 manage ssl

 103: set interface ethernet0/2 manage web

 104: set interface ethernet0/2 manage mtrace

 105: set interface vlan1 manage mtrace

 106: set interface "ethernet0/2" mip X.Y.Z.106 host 10.10.7.106 netmask 255.255.255.255 vr "trust-vr"

 107: set interface "ethernet0/2" mip X.Y.Z.109 host 10.10.7.200 netmask 255.255.255.255 vr "trust-vr"

 108: set interface "ethernet0/2" mip X.Y.Z.100 host 10.10.7.100 netmask 255.255.255.255 vr "trust-vr"

 109: set interface "ethernet0/2" mip X.Y.Z.101 host 10.10.7.206 netmask 255.255.255.255 vr "trust-vr"

 110: set interface "ethernet0/2" mip X.Y.Z.103 host 10.10.7.103 netmask 255.255.255.255 vr "trust-vr"

 111: set interface "ethernet0/2" mip X.Y.Z.108 host 10.10.7.208 netmask 255.255.255.255 vr "trust-vr"

 112: set interface "ethernet0/2" mip X.Y.Z.121 host 10.10.7.121 netmask 255.255.255.255 vr "trust-vr"

 113: set interface "ethernet0/2" mip X.Y.Z.115 host 10.10.7.115 netmask 255.255.255.255 vr "trust-vr"

 114: set interface "ethernet0/2" mip X.Y.Z.125 host 10.10.7.122 netmask 255.255.255.255 vr "trust-vr"

 115: set interface "ethernet0/0" webauth 

 116: unset flow no-tcp-seq-check

 117: set flow tcp-syn-check

 118: set domain econium

 119: set pki authority default scep mode "auto"

 120: set pki x509 default cert-path partial

 121: set dns host dns1 66.153.50.66 src-interface ethernet0/2

 122: set dns host dns2 64.80.0.162 src-interface ethernet0/2

 123: set dns host dns3 64.80.32.128 src-interface ethernet0/2

 124: set dns host schedule 06:28

 125: set address "Trust" "10.10.7.0/24" 10.10.7.0 255.255.255.0

 126: set address "Trust" "10.10.7.106/24" 10.10.7.106 255.255.255.0

 127: set address "Trust" "10.10.7.117/24" 10.10.7.117 255.255.255.0

 128: set address "Trust" "Office LAN" 10.10.0.0 255.255.0.0

 129: set address "Trust" "Trust_LAN" 10.10.7.0 255.255.255.0

 130: set address "Untrust" "10.10.12.0/24" 10.10.12.0 255.255.255.0

 131: set address "Untrust" "X.Y.Z.117/30" X.Y.Z.117 255.255.255.252

 132: set address "Untrust" "W-Remote" 10.10.12.0 255.255.255.0

 133: set address "DMZ-WAN" "Wireless" 10.10.99.0 255.255.255.0 "Wireless"

 134: set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"

 135: set ike respond-bad-spi 1

 136: unset ike ikeid-enumeration

 137: unset ike dos-protection

 138: unset ipsec access-session enable

 139: set ipsec access-session maximum 5000

 140: set ipsec access-session upper-threshold 0

 141: set ipsec access-session lower-threshold 0

 142: set ipsec access-session dead-p2-sa-timeout 0

 143: unset ipsec access-session log-error

 144: unset ipsec access-session info-exch-connected

 145: unset ipsec access-session use-error-log

 146: set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 

 147: set vpn "W-Remote VPN" id 1 bind interface tunnel.1

 148: set url protocol websense

 149: exit

 150: set anti-spam profile ns-profile

 151:  set sbl default-server enable

 152:  set default action tag subject "*** [SPAM] ***"

 153: exit

 154: set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY" 

 155: set policy id 34 from "Trust" to "Untrust"  "10.10.7.0/24" "10.10.12.0/24" "ANY" permit log 

 156: set policy id 34

 157: set log session-init

 158: exit

 159: set policy id 33 from "Untrust" to "Trust"  "10.10.12.0/24" "10.10.7.0/24" "ANY" permit log 

 160: set policy id 33

 161: set log session-init

 162: exit

 163: set policy id 21 from "Untrust" to "Trust"  "Any" "MIP(X.Y.Z.106)" "ANY" permit log 

 164: set policy id 21

 165: exit

 166: set policy id 1 name "Internet Access" from "Trust" to "Untrust"  "Office LAN" "Any" "HTTP" nat src permit log url-filter 

 167: set policy id 1

 168: set log session-init

 169: exit

 170: set policy id 2 from "Trust" to "Untrust"  "Office LAN" "Any" "HTTPS" nat src permit log 

 171: set policy id 2

 172: exit

 173: set policy id 5 from "Trust" to "DMZ"  "Office LAN" "Any" "ANY" nat src permit log 

 174: set policy id 5

 175: exit

 176: set policy id 6 name "Deny All - DMZ" from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log 

 177: set policy id 6

 178: exit

 179: set policy id 7 from "Trust" to "Untrust"  "Office LAN" "Any" "DNS" nat src permit 

 180: set policy id 7

 181: exit

 182: set policy id 8 from "Trust" to "Untrust"  "Office LAN" "Any" "FTP" nat src permit 

 183: set policy id 8

 184: exit

 185: set policy id 9 from "Trust" to "Untrust"  "Office LAN" "Any" "POP3" nat src permit 

 186: set policy id 9

 187: exit

 188: set policy id 10 from "Trust" to "Untrust"  "Office LAN" "Any" "SMTP" nat src permit log 

 189: set policy id 10

 190: exit

 191: set policy id 11 name "Wireless Access" from "DMZ-WAN" to "Untrust"  "Wireless" "Any" "DNS" nat src permit log 

 192: set policy id 11

 193: set service "FTP"

 194: set service "HTTP"

 195: set service "HTTPS"

 196: set service "PING"

 197: set service "POP3"

 198: set service "SMTP"

 199: set service "VNC"

 200: exit

 201: set policy id 13 name "VNC" from "Trust" to "Untrust"  "Office LAN" "Any" "VNC" nat src permit log 

 202: set policy id 13

 203: exit

 204: set policy id 14 name "Ping" from "Trust" to "Untrust"  "Office LAN" "Any" "PING" nat src permit log 

 205: set policy id 14

 206: exit

 207: set policy id 31 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log 

 208: set policy id 31

 209: exit

 210: set policy id 32 from "Trust" to "Untrust"  "Office LAN" "Any" "ANY" nat src permit log 

 211: set policy id 32

 212: exit

 213: set nsmgmt bulkcli reboot-timeout 60

 214: set ssh version v2

 215: set ssh enable

 216: set config lock timeout 5

 217: set ntp server "0.0.0.0"

 218: set ntp server backup1 "0.0.0.0"

 219: set ntp server backup2 "0.0.0.0"

 220: set snmp port listen 161

 221: set snmp port trap 162

 222: set vrouter "untrust-vr"

 223: exit

 224: set vrouter "trust-vr"

 225: unset add-default-route

 226: set route 10.10.12.0/24 interface tunnel.1 preference 20

 227: set route 0.0.0.0/0 interface ethernet0/2 gateway X.Y.Z.97 preference 20 metric 10

 228: exit

 229: set vrouter "untrust-vr"

 230: exit

 231: set vrouter "trust-vr"

 232: exit

PIX Configuration:-

   1: CISCO PIX (REMOTE OFFICE) -->

   2: PIX Version 6.3(5)

   3: interface ethernet0 auto

   4: interface ethernet1 auto

   5: nameif ethernet0 outside security0

   6: nameif ethernet1 inside security100

   7: enable password ABCDE encrypted

   8: passwd abcde encrypted

   9: hostname W-Remote

  10: domain-name pix

  11: clock timezone EST -5

  12: clock summer-time EDT recurring

  13: fixup protocol dns maximum-length 512

  14: fixup protocol ftp 21

  15: fixup protocol h323 h225 1720

  16: fixup protocol h323 ras 1718-1719

  17: fixup protocol http 80

  18: fixup protocol http 8080

  19: fixup protocol pptp 1723

  20: fixup protocol rsh 514

  21: fixup protocol rtsp 554

  22: fixup protocol sip 5060

  23: fixup protocol sip udp 5060

  24: fixup protocol skinny 2000

  25: fixup protocol smtp 25

  26: fixup protocol sqlnet 1521

  27: fixup protocol tftp 69

  28: names

  29: access-list acl_out permit icmp any any

  30: access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0

  31: access-list nonat permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0

  32: access-list cap permit ip host 10.10.12.112 host 10.10.7.117

  33: access-list cap permit ip host 10.10.7.117 host 10.10.12.112

  34: pager lines 24

  35: logging on

  36: logging monitor debugging

  37: logging buffered debugging

  38: logging history errors

  39: mtu outside 1500

  40: mtu inside 1500

  41: ip address outside A.B.C.42 255.255.255.248

  42: ip address inside 10.10.12.2 255.255.255.0

  43: ip audit info action alarm

  44: ip audit attack action alarm

  45: pdm location 10.10.12.0 255.255.255.255 inside

  46: pdm location 10.10.7.0 255.255.255.0 outside

  47: pdm location 10.10.12.0 255.255.255.0 outside

  48: pdm logging informational 100

  49: pdm history enable

  50: arp timeout 14400

  51: global (outside) 1 interface

  52: nat (inside) 0 access-list nonat

  53: nat (inside) 1 10.10.12.0 255.255.255.0 0 0

  54: access-group acl_out in interface outside

  55: route outside 0.0.0.0 0.0.0.0 A.B.C.42 1

  56: timeout xlate 0:05:00

  57: timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

  58: timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

  59: timeout sip-disconnect 0:02:00 sip-invite 0:03:00

  60: timeout uauth 0:05:00 absolute

  61: aaa-server TACACS+ protocol tacacs+

  62: aaa-server TACACS+ max-failed-attempts 3

  63: aaa-server TACACS+ deadtime 10

  64: aaa-server RADIUS protocol radius

  65: aaa-server RADIUS max-failed-attempts 3

  66: aaa-server RADIUS deadtime 10

  67: aaa-server LOCAL protocol local

  68: http server enable

  69: http 10.10.12.0 255.255.255.0 inside

  70: no snmp-server location

  71: no snmp-server contact

  72: snmp-server community public

  73: no snmp-server enable traps

  74: no floodguard enable

  75: sysopt connection permit-ipsec

  76: sysopt connection permit-pptp

  77: sysopt connection permit-l2tp

  78: sysopt ipsec pl-compatible

  79: crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

  80: crypto map pie 1 ipsec-isakmp

  81: crypto map pie 1 match address 101

  82: crypto map pie 1 set peer X.Y.Z.98

  83: crypto map pie 1 set transform-set ESP-3DES-SHA

  84: crypto map pie interface outside

  85: isakmp enable outside

  86: isakmp key ******** address X.Y.Z.98 netmask 255.255.255.0

  87: isakmp policy 1 authentication pre-share

  88: isakmp policy 1 encryption 3des

  89: isakmp policy 1 hash sha

  90: isakmp policy 1 group 2

  91: isakmp policy 1 lifetime 3600

  92: telnet 10.10.12.0 255.255.255.0 inside

  93: telnet 10.10.7.0 255.255.255.0 inside

  94: telnet timeout 30

  95: ssh 0.0.0.0 0.0.0.0 outside

  96: ssh timeout 60

  97: management-access inside

  98: console timeout 0

  99: terminal width 80

 100: : end