[j-nsp] SSG140 traffic dies - JTAC as no idea
ChrisSerafin
chris at chrisserafin.com
Wed Mar 11 20:27:55 EDT 2009
Tim Eberhard wrote:
> Is the firewall itself freezing or is it just not passing traffic?
>
> I understand step 1 when working with a remote device like that is
> typically have the customer reboot it to see if that restores service
> but is it really frozen?
>
> You could be having interface issues (I see most are auto neg) or
> circuit issues.
>
> -Tim Eberhard
>
> On Wed, Mar 11, 2009 at 3:53 PM, ChrisSerafin <chris at chrisserafin.com
> <mailto:chris at chrisserafin.com>> wrote:
>
> UUGGGHH,
>
> major problem for myself over here. I have installed a brand new
> SSG140 firewall at a client and for some reason it keeps freezing
> and will not pass traffic. We are never onsite and can't get
> console messages or troubleshoot while it's down. (i'm putting a
> laptop attached to the console tomorrow for this) We have tried
> multiple firmware changes, swapped UPS's, and actually RMA'ed the
> device for a new one. Same thing persists. Pulling my hair out and
> JTAC says they need console access while it is down...hard to do
> for a HQ VPN hub site.
>
> Any ideas are more than appreciated.....THANKS! Info below
>
> --chris
>
> Product Name SSG-140
> Host Name QST-CHI-HQ
> Serial Number 0185062007000016
> Control Number ffffffff
> Hardware Version 1010(0)-( 0), FPGA checksum: 0, VLAN1 IP
> (0.0.0.0)
> Software Version 6.0.0r7.0, Type: Firewall+VPN
> Feature AV-K
> Base Mac 0019.e241.4880
> File Name screenos_image, Checksum: e5cb9ed
> Total Memory 512MB
> Date 03/11/2009 15:51:44, Daylight Saving Time enabled.
> The Network Time Protocol is enabled.
> Up 0 hours 6 minutes 27 seconds since 11Mar2009:15:45:17
> Total Device Resets: 0.
> System in NAT/route mode.
> Use interface IP, Config Port: 80
> User Name: netscreen
>
>
>
>
>
>
> set clock ntp
> set clock timezone -6
> set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0
> 11 02:00
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set service "DNB" protocol tcp src-port 1024-65535 dst-port
> 23202-23202
> set service "IM_Custom" protocol tcp src-port 0-65535 dst-port
> 5200-5200
> set service "SOCKS" protocol tcp src-port 1024-65535 dst-port
> 1080-1080
> set service "TCP-1024-5000" protocol tcp src-port 1024-65535
> dst-port 1024-5000
> set service "TCP-18190" protocol tcp src-port 1024-65535 dst-port
> 18190-18190
> set service "TCP-264" protocol tcp src-port 1024-65535 dst-port
> 264-264
> set service "TCP-8100" protocol tcp src-port 1024-65535 dst-port
> 8100-8100
> set service "TCP-82" protocol tcp src-port 1024-65535 dst-port 82-82
> set service "Terminal_Srvc" protocol tcp src-port 0-65535 dst-port
> 3389-3389
> set service "UDP-2746" protocol udp src-port 0-65535 dst-port
> 2746-2746
> set service "UDP-500" protocol udp src-port 0-65535 dst-port 500-500
> set service "IPSEC" protocol 50 src-port 0-65535 dst-port 0-65535
> set service "IPSEC" + 51 src-port 0-65535 dst-port 0-65535
> set service "IPSEC" + udp src-port 0-65535 dst-port 500-500
> set service "Juniper-IDP-Comms" protocol udp src-port 0-65535
> dst-port 7101-7102
> set service "Juniper-IDP-Comms" + udp src-port 0-65535 dst-port
> 7201-7202
> set service "RSA Services" protocol udp src-port 0-65535 dst-port
> 5500-5500
> set service "RSA Services" + tcp src-port 0-65535 dst-port 5500-5500
> set service "MexicanGov" protocol tcp src-port 0-65535 dst-port
> 8081-8081
> set service "MexicanGov" + tcp src-port 0-65535 dst-port 8089-8089
> set service "Mexico_software" protocol tcp src-port 0-65535
> dst-port 7824-7824
> set service "Mexico_software" + tcp src-port 0-65535 dst-port
> 8080-8080
> set service "Mexico_MS_VPN" protocol tcp src-port 0-65535 dst-port
> 1723-1723
> set service "Mexico_MS_VPN" + tcp src-port 0-65535 dst-port 47-47
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "nO6/LZrBMXXXXXXXXXXXXXXCHtN6KXVn"
> set admin auth timeout 10
> set admin auth server "Local"
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> set zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "MGT" block
> set zone "DMZ" tcp-rst
> set zone "VLAN" block
> set zone "VLAN" tcp-rst
> unset zone "Untrust" screen tear-drop
> unset zone "Untrust" screen syn-flood
> unset zone "Untrust" screen ping-death
> unset zone "Untrust" screen ip-filter-src
> unset zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface ethernet0/0 phy full 100mb
> set interface "ethernet0/0" zone "Trust"
> set interface "ethernet0/1" zone "DMZ"
> set interface "ethernet0/2" zone "Untrust"
> set interface "ethernet0/3" zone "DMZ"
> set interface "ethernet0/4" zone "DMZ"
> set interface "tunnel.1" zone "Untrust"
> set interface "tunnel.2" zone "Untrust"
> set interface "tunnel.3" zone "Trust"
> set interface ethernet0/0 ip 192.168.180.26/24
> <http://192.168.180.26/24>
> set interface ethernet0/0 route
> unset interface vlan1 ip
> set interface ethernet0/1 ip 12.106.237.89/29
> <http://12.106.237.89/29>
> set interface ethernet0/1 nat
> set interface ethernet0/2 ip 12.63.231.146/28
> <http://12.63.231.146/28>
> set interface ethernet0/2 route
> set interface ethernet0/3 ip 192.168.3.1/24 <http://192.168.3.1/24>
> set interface ethernet0/3 route
> set interface ethernet0/4 ip 192.168.4.1/24 <http://192.168.4.1/24>
> set interface ethernet0/4 route
> set interface tunnel.1 ip unnumbered interface ethernet0/2
> set interface tunnel.2 ip unnumbered interface ethernet0/2
> set interface tunnel.3 ip unnumbered interface ethernet0/2
> set interface ethernet0/4 mtu 1460
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet0/0 ip manageable
> set interface ethernet0/1 ip manageable
> set interface ethernet0/2 ip manageable
> set interface ethernet0/3 ip manageable
> set interface ethernet0/4 ip manageable
> set interface ethernet0/1 manage ssh
> set interface ethernet0/1 manage telnet
> set interface ethernet0/1 manage snmp
> set interface ethernet0/1 manage web
> set interface ethernet0/2 manage ping
> set interface ethernet0/2 manage ssh
> set interface ethernet0/2 manage telnet
> set interface ethernet0/2 manage snmp
> set interface ethernet0/2 manage ssl
> set interface ethernet0/2 manage web
> set interface ethernet0/0 monitor track-ip weight 1
> unset interface ethernet0/0 monitor track-ip dynamic
> set interface ethernet0/2 dip 4 12.63.231.150 12.63.231.150
> set interface "ethernet0/2" mip 12.106.250.6 host 192.168.180.20
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.106.250.7 host 192.168.180.1
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.106.250.5 host 192.168.180.3
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.106.250.8 host 192.168.184.115
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.106.250.9 host 192.168.184.124
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.63.231.147 host 192.168.180.6
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.63.231.148 host 192.168.4.10
> netmask 255.255.255.255 vr "trust-vr"
> set interface "ethernet0/2" mip 12.63.231.149 host 192.168.4.11
> netmask 255.255.255.255 vr "trust-vr"
> set interface ethernet0/0 ntp-server
> set flow tcp-mss
> unset flow no-tcp-seq-check
> unset flow tcp-syn-check
> unset flow tcp-syn-bit-check
> set flow reverse-route clear-text prefer
> set flow reverse-route tunnel always
> set console page 0
> set hostname QST-CHI-HQ
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set dns host dns1 192.168.180.10 src-interface ethernet0/0
> set dns host dns2 0.0.0.0
> set dns host dns3 0.0.0.0
> set dns host schedule 06:28 interval 8
> set address "Trust" "12.63.231.147/32 <http://12.63.231.147/32>"
> 12.63.231.147 255.255.255.255
> set address "Trust" "12.63.231.150/32 <http://12.63.231.150/32>"
> 12.63.231.150 255.255.255.255
> set address "Trust" "192.168.0.0/16 <http://192.168.0.0/16>"
> 192.168.0.0 255.255.0.0
> set address "Trust" "192.168.180.0/24 <http://192.168.180.0/24>"
> 192.168.180.0 255.255.255.0
> set address "Trust" "192.168.180.10" 192.168.180.10 255.255.255.255
> set address "Trust" "192.168.180.150/32
> <http://192.168.180.150/32>" 192.168.180.150 255.255.255.255
> set address "Trust" "192.168.180.163/32
> <http://192.168.180.163/32>" 192.168.180.163 255.255.255.255
> set address "Trust" "192.168.180.208/32
> <http://192.168.180.208/32>" 192.168.180.208 255.255.255.255
> set address "Trust" "192.168.180.6" 192.168.180.6 255.255.255.255
> "PDC"
> set address "Trust" "192.168.180.98/32 <http://192.168.180.98/32>"
> 192.168.180.98 255.255.255.255
> set address "Trust" "192.168.180.99/32 <http://192.168.180.99/32>"
> 192.168.180.99 255.255.255.255
> set address "Trust" "192.168.184.0" 192.168.184.0 255.255.255.0
> set address "Trust" "192.168.186.0/24 <http://192.168.186.0/24>"
> 192.168.186.0 255.255.255.0
> set address "Trust" "192.168.188.0/24 <http://192.168.188.0/24>"
> 192.168.188.0 255.255.255.0
> set address "Trust" "Chicago" 192.168.180.0 255.255.255.0
> set address "Trust" "Dallas" 192.168.182.0 255.255.255.0
> set address "Trust" "Dominican Republic" 192.168.183.0 255.255.255.0
> set address "Trust" "InternalDMZ" 12.106.237.89 255.255.255.248
> set address "Trust" "Los_Angeles" 192.168.185.0 255.255.255.0
> set address "Trust" "MailServer2" 192.168.181.8 255.255.255.255
> set address "Trust" "MailServer3" 192.168.184.11 255.255.255.255
> set address "Trust" "Mexico Vendor 2" 192.168.184.124 255.255.255.255
> set address "Trust" "Mexico Vendor1" 192.168.184.115 255.255.255.255
> set address "Trust" "Mexico_internal" 192.168.186.0 255.255.255.0
> set address "Trust" "New_York" 192.168.187.0 255.255.255.0
> set address "Trust" "newmail-192.168.180.206" 192.168.180.206
> 255.255.255.255
> set address "Trust" "newmail-192.168.180.207" 192.168.180.207
> 255.255.255.255
> set address "Trust" "newmail-192.168.180.208" 192.168.180.208
> 255.255.255.255
> set address "Trust" "North_Carolina" 192.168.181.0 255.255.255.0
> set address "Trust" "Server05" 192.168.180.8 255.255.255.255
> set address "Trust" "Server07" 192.168.180.5 255.255.255.255 "PDC"
> set address "Trust" "Server09" 192.168.180.3 255.255.255.255
> set address "Trust" "Server10" 192.168.180.1 255.255.255.255
> set address "Trust" "TolucaMX" 192.168.184.0 255.255.255.0
> set address "Trust" "Torreno_Mx" 192.168.186.0 255.255.255.0
> set address "Untrust" "10.0.0.0/24 <http://10.0.0.0/24>" 10.0.0.0
> 255.255.255.0
> set address "Untrust" "10.0.0.0/8 <http://10.0.0.0/8>" 10.0.0.0
> 255.0.0.0
> set address "Untrust" "12.106.237.89/29 <http://12.106.237.89/29>"
> 12.106.237.89 255.255.255.248
> set address "Untrust" "12.208.94.0/24 <http://12.208.94.0/24>"
> 12.208.94.0 255.255.255.0
> set address "Untrust" "192.168.0.0/16 <http://192.168.0.0/16>"
> 192.168.0.0 255.255.0.0
> set address "Untrust" "192.168.0.0/24 <http://192.168.0.0/24>"
> 192.168.0.0 255.255.255.0
> set address "Untrust" "192.168.121.0/24 <http://192.168.121.0/24>"
> 192.168.121.0 255.255.255.0
> set address "Untrust" "192.168.180.0/24 <http://192.168.180.0/24>"
> 192.168.180.0 255.255.255.0
> set address "Untrust" "192.168.183.0/24 <http://192.168.183.0/24>"
> 192.168.183.0 255.255.255.0
> set address "Untrust" "192.168.186.0/24 <http://192.168.186.0/24>"
> 192.168.186.0 255.255.255.0
> set address "Untrust" "192.168.188.0/24 <http://192.168.188.0/24>"
> 192.168.188.0 255.255.255.0
> set address "Untrust" "192.168.190.0/24 <http://192.168.190.0/24>"
> 192.168.190.0 255.255.255.0
> set address "Untrust" "192.168.191.0/24 <http://192.168.191.0/24>"
> 192.168.191.0 255.255.255.0
> set address "Untrust" "192.168.20.0/24 <http://192.168.20.0/24>"
> 192.168.20.0 255.255.255.0
> set address "Untrust" "200.12.52.113/32 <http://200.12.52.113/32>"
> 200.12.52.113 255.255.255.255
> set address "Untrust" "216.184.126.113" 216.184.126.113
> 255.255.255.255
> set address "Untrust" "64.74.172.210/32 <http://64.74.172.210/32>"
> 64.74.172.210 255.255.255.255
> set address "Untrust" "66.29.23.0/24 <http://66.29.23.0/24>"
> 66.29.23.0 255.255.255.0
> set address "Untrust" "69.27.238.0/24 <http://69.27.238.0/24>"
> 69.27.238.0 255.255.255.0
> set address "Untrust" "Cali" 192.168.121.0 255.255.255.0
> set address "Untrust" "Defkon_NSM" 205.234.155.199 255.255.255.255
> set address "Untrust" "Defkon_RKON" 205.234.155.0 255.255.255.0
> set address "Untrust" "Guatemala" 192.168.188.0 255.255.255.0
> set address "Untrust" "HongKong" 192.168.1.0 255.255.255.0
> "Interior office range"
> set address "Untrust" "ISA-1-12.63.231.148" 12.63.231.148
> 255.255.255.255
> set address "Untrust" "ISA-2-12.63.231.149" 12.63.231.149
> 255.255.255.255
> set address "Untrust" "Katharion_SPAM_1" 64.74.172.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_2" 64.74.173.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_3" 207.154.50.9 255.255.255.0
> set address "Untrust" "Katharion_SPAM_4" 208.70.88.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_5" 208.70.89.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_6" 208.70.90.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_7" 208.70.91.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_NEW1" 174.36.154.0 255.255.255.0
> set address "Untrust" "Katharion_SPAM_NEW2" 208.43.37.0 255.255.255.0
> set address "Untrust" "Mexico_internal" 192.168.186.0 255.255.255.0
> set address "Untrust" "Mexico_Vendor_VPN" 12.26.200.0 255.255.255.0
> set address "Untrust" "Singapore" 192.168.190.0 255.255.255.0
> "Interior office range"
> set address "Untrust" "Texas" 192.168.182.0 255.255.255.0
> set address "Untrust" "TriActive" 66.45.78.1 255.255.255.0
> set address "Global" "200.57.157.65/32 <http://200.57.157.65/32>"
> 200.57.157.65 255.255.255.255
> set address "DMZ" "10.1.1.0/24 <http://10.1.1.0/24>" 10.1.1.0
> 255.255.255.0
> set address "DMZ" "12.63.231.148/32 <http://12.63.231.148/32>"
> 12.63.231.148 255.255.255.255
> set address "DMZ" "12.63.231.149/32 <http://12.63.231.149/32>"
> 12.63.231.149 255.255.255.255
> set address "DMZ" "192.168.3.10/32 <http://192.168.3.10/32>"
> 192.168.3.10 255.255.255.255
> set address "DMZ" "AT&TConcentrator" 12.106.237.94 255.255.255.255
> set address "DMZ" "Cisco VPN" 12.106.237.90 255.255.255.255
> set address "DMZ" "DMZ" 12.106.237.89 255.255.255.248
> set address "DMZ" "Guatemala VPN" 12.106.237.92 255.255.255.255
> set address "DMZ" "ISA-private" 192.168.3.10 255.255.255.255
> set address "DMZ" "Juniper-IDP" 12.106.237.91 255.255.255.255
> set address "DMZ" "Juniper-SSL" 12.106.237.92 255.255.255.255
> set address "DMZ" "OWA" 12.106.237.93 255.255.255.255
> set group address "Trust" "Internal Servers"
> set group address "Trust" "Internal Servers" add "192.168.180.6"
> set group address "Trust" "Internal Servers" add "Server05"
> set group address "Trust" "Internal Servers" add "Server07"
> set group address "Trust" "Internal Servers" add "Server09"
> set group address "Trust" "Internal Servers" add "Server10"
> set group address "Trust" "Mexico Vendor"
> set group address "Trust" "Mexico Vendor" add "Mexico Vendor 2"
> set group address "Trust" "Mexico Vendor" add "Mexico Vendor1"
> set group address "Trust" "QST_Global"
> set group address "Trust" "QST_Global" add "Chicago"
> set group address "Trust" "QST_Global" add "Dallas"
> set group address "Trust" "QST_Global" add "Dominican Republic"
> set group address "Trust" "QST_Global" add "Los_Angeles"
> set group address "Trust" "QST_Global" add "New_York"
> set group address "Trust" "QST_Global" add "North_Carolina"
> set group address "Trust" "QST_Global" add "TolucaMX"
> set group address "Trust" "QST_Global" add "Torreno_Mx"
> set group service "rbza_Requirements"
> set group service "rbza_Requirements" add "FTP"
> set group service "rbza_Requirements" add "HTTP"
> set group service "rbza_Requirements" add "HTTPS"
> set group service "rbza_Requirements" add "ICMP-ANY"
> set group service "rbza_Requirements" add "SSH"
> set group service "rbza_Requirements" add "TELNET"
> set group service "rbza_Requirements" add "Terminal_Srvc"
> set ike gateway "To_Guatemala" address 209.161.118.113 Main
> outgoing-interface "ethernet0/2" preshare
> "YFpv1oMqXfKeCnyCxbe3neNbtT4g==" proposal "pre-g2-3des-sha"
> set ike gateway "To_Singapore" address 203.125.41.238 Main
> outgoing-interface "ethernet0/2" preshare
> "Byr0lsK2NFIXCDHUZMnAn0YnpSvQ==" proposal "pre-g2-3des-sha"
> set ike gateway "To_Hong_Kong" address 210.177.75.29 Main
> outgoing-interface "ethernet0/2" preshare
> "sP2QFLPyNXMMCGhYVAHRn19dnfQg==" proposal "pre-g2-3des-sha"
> set ike gateway "To_Cali" address 205.159.31.253 Main
> outgoing-interface "ethernet0/2" preshare
> "HaC5RtnENOXE6CX/qUNiHnvuelgzA==" proposal "pre-g2-3des-sha"
> set ike gateway "To_Texas" address 68.165.74.138 Main
> outgoing-interface "ethernet0/2" preshare
> "UnCKD/bWNFXCL1rKADGnWi2f+sg==" proposal "pre-g2-3des-sha"
> set ike gateway "To_Mexico" address 201.101.8.250 Main
> outgoing-interface "ethernet0/2" preshare
> "UNij3gU+NeU+XYnheYJSnWOANkRQ==" sec-level compatible
> set ike gateway "Gateway for 10.0.0.0/24 <http://10.0.0.0/24>"
> address 196.3.88.102 Main outgoing-interface "ethernet0/2"
> preshare "Vxy5XbssXV1CC5mQdwBnQJyLJVg==" proposal "pre-g2-3des-md5"
> set ike gateway "Gateway for LA" address 67.110.248.194 Main
> outgoing-interface "ethernet0/2" preshare
> "0smtBN/UNpXIQtKdntAYGiAA==" proposal "pre-g2-3des-md5"
> set ike gateway "To_Torreon" address 201.117.236.9 Main local-id
> "192.168.0.0" outgoing-interface "ethernet0/2" preshare
> "acqpXbXC9ymdI9sn4g4MNbg==" proposal "pre-g2-3des-md5"
> set ike gateway "To_Morracco" address 81.192.101.145 Main local-id
> "192.168.0.0" outgoing-interface "ethernet0/2" preshare
> "JtS3S9Xk8svPkCP9ZgWTUnb9IxPOw==" proposal "pre-g2-3des-md5"
> set ike gateway "To_UK" address 81.137.215.196 Main
> outgoing-interface "ethernet0/2" preshare
> "F+YIj2vANCrJWUsbSXCZuXnm1ZFwew==" sec-level compatible
> set ike respond-bad-spi 1
> set ike soft-lifetime-buffer 30
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set vpn "To_Guatemala" gateway "To_Guatemala" no-replay tunnel
> idletime 0 sec-level compatible
> set vpn "To_Guatemala" monitor
> set vpn "To_Singapore" gateway "To_Singapore" no-replay tunnel
> idletime 0 sec-level compatible
> set vpn "To_Hong_Kong" gateway "To_Hong_Kong" no-replay tunnel
> idletime 0 sec-level compatible
> set vpn "To_Hong_Kong" id 45 bind interface tunnel.1
> set vpn "To_Cali" gateway "To_Cali" no-replay tunnel idletime 0
> sec-level compatible
> set vpn "To_Texas" gateway "To_Texas" no-replay tunnel idletime 0
> sec-level compatible
> set vpn "To_Mexico" gateway "To_Mexico" replay tunnel idletime 0
> sec-level standard
> set vpn "To_Mexico" monitor
> set vpn "Gateway for LA" gateway "Gateway for LA" no-replay tunnel
> idletime 0 proposal "nopfs-esp-3des-md5"
> set vpn "To_Torreon" gateway "To_Torreon" replay tunnel idletime 0
> proposal "nopfs-esp-3des-md5"
> set vpn "To_Morracco" gateway "To_Morracco" replay tunnel idletime
> 0 proposal "nopfs-esp-3des-md5"
> set vpn "To_UK" gateway "To_UK" no-replay tunnel idletime 0
> sec-level compatible
> set vpn "To_UK" monitor rekey
> set vpn "To_UK" id 61 bind interface tunnel.3
> set vpn "VPN for 10.0.0.0/24 <http://10.0.0.0/24>" gateway
> "Gateway for 10.0.0.0/24 <http://10.0.0.0/24>" no-replay tunnel
> idletime 0 proposal "nopfs-esp-3des-md5"
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> set di service HTTP content_type_length 8192
> set di service HTTP user_agent_length 8192
> set di service HTTP host_length 8192
> set di service HTTP failed_logins 50
> set di service HTTP brute_search 100
> set url protocol type scfp
> set url protocol scfp
> set config enable
> set server 192.168.180.20 62252 60
> set fail-mode permit
> set server src-interface ethernet0/0
> exit
> set vpn "To_Hong_Kong" proxy-id local-ip 0.0.0.0/0
> <http://0.0.0.0/0> remote-ip 0.0.0.0/0 <http://0.0.0.0/0> "ANY"
> set vpn "Gateway for LA" proxy-id local-ip 192.168.0.0/16
> <http://192.168.0.0/16> remote-ip 192.168.0.0/24
> <http://192.168.0.0/24> "ANY"
> set vpn "To_Torreon" proxy-id local-ip 192.168.0.0/16
> <http://192.168.0.0/16> remote-ip 192.168.186.0/24
> <http://192.168.186.0/24> "ANY"
> set vpn "To_Morracco" proxy-id local-ip 192.168.0.0/16
> <http://192.168.0.0/16> remote-ip 192.168.191.0/24
> <http://192.168.191.0/24> "ANY"
> set vpn "VPN for 10.0.0.0/24 <http://10.0.0.0/24>" proxy-id
> local-ip 192.168.0.0/16 <http://192.168.0.0/16> remote-ip
> 192.168.183.0/24 <http://192.168.183.0/24> "ANY"
> set policy id 106 from "Trust" to "Untrust"
> "newmail-192.168.180.206" "10.0.0.0/8 <http://10.0.0.0/8>" "ANY"
> permit log
> set policy id 106
> set src-address "newmail-192.168.180.207"
> set src-address "newmail-192.168.180.208"
> set dst-address "192.168.0.0/16 <http://192.168.0.0/16>"
> exit
> set policy id 105 from "Trust" to "Untrust"
> "newmail-192.168.180.206" "Any" "ANY" nat src dip-id 4 permit log
> set policy id 105
> set src-address "newmail-192.168.180.207"
> set src-address "newmail-192.168.180.208"
> exit
> set policy id 104 from "Untrust" to "DMZ" "Any"
> "MIP(12.63.231.149)" "HTTP" permit log
> set policy id 104
> set service "PING"
> exit
> set policy id 103 from "Untrust" to "DMZ" "Any"
> "MIP(12.63.231.148)" "HTTP" permit log
> set policy id 103
> set service "HTTPS"
> set service "PING"
> exit
> set policy id 102 from "DMZ" to "Trust" "192.168.3.10/32
> <http://192.168.3.10/32>" "192.168.180.208/32
> <http://192.168.180.208/32>" "HTTPS" permit log
> set policy id 102
> exit
> set policy id 101 from "DMZ" to "Trust" "192.168.3.10/32
> <http://192.168.3.10/32>" "192.168.180.10" "DNS" permit log
> set policy id 101
> set dst-address "192.168.180.6"
> set service "LDAP"
> exit
> set policy id 99 from "Untrust" to "Trust" "192.168.183.0/24
> <http://192.168.183.0/24>" "192.168.0.0/16
> <http://192.168.0.0/16>" "ANY" tunnel vpn "VPN for 10.0.0.0/24
> <http://10.0.0.0/24>" id 62 pair-policy 98 log
> set policy id 99
> exit
> set policy id 107 from "Untrust" to "Trust" "Katharion_SPAM_1"
> "12.63.231.150/32 <http://12.63.231.150/32>" "ICMP-ANY" nat dst ip
> 192.168.180.208 permit log
> set policy id 107
> set src-address "Katharion_SPAM_2"
> set src-address "Katharion_SPAM_3"
> set src-address "Katharion_SPAM_4"
> set src-address "Katharion_SPAM_5"
> set src-address "Katharion_SPAM_6"
> set src-address "Katharion_SPAM_7"
> set src-address "Katharion_SPAM_NEW1"
> set src-address "Katharion_SPAM_NEW2"
> set service "SMTP"
> exit
> set policy id 98 from "Trust" to "Untrust" "192.168.0.0/16
> <http://192.168.0.0/16>" "192.168.183.0/24
> <http://192.168.183.0/24>" "ANY" tunnel vpn "VPN for 10.0.0.0/24
> <http://10.0.0.0/24>" id 62 pair-policy 99 log
> set policy id 98
> exit
> set policy id 97 from "Untrust" to "Trust" "Any" "Any" "NTP"
> permit log
> set policy id 97
> exit
> set policy id 96 from "Trust" to "Untrust" "Any" "Any" "NTP"
> permit log
> set policy id 96
> exit
> set policy id 95 from "Untrust" to "Trust" "192.168.20.0/24
> <http://192.168.20.0/24>" "192.168.0.0/16 <http://192.168.0.0/16>"
> "ANY" permit log
> set policy id 95
> exit
> set policy id 94 from "Trust" to "Untrust" "192.168.0.0/16
> <http://192.168.0.0/16>" "192.168.20.0/24
> <http://192.168.20.0/24>" "ANY" permit log
> set policy id 94
> exit
> set policy id 93 from "Untrust" to "Trust" "192.168.191.0/24
> <http://192.168.191.0/24>" "192.168.0.0/16
> <http://192.168.0.0/16>" "ANY" tunnel vpn "To_Morracco" id 60
> pair-policy 92 log
> set policy id 93
> exit
> set policy id 92 from "Trust" to "Untrust" "192.168.0.0/16
> <http://192.168.0.0/16>" "192.168.191.0/24
> <http://192.168.191.0/24>" "ANY" tunnel vpn "To_Morracco" id 60
> pair-policy 93 log
> set policy id 92
> exit
> set policy id 90 from "Trust" to "Untrust" "192.168.0.0/16
> <http://192.168.0.0/16>" "192.168.186.0/24
> <http://192.168.186.0/24>" "ANY" tunnel vpn "To_Torreon" id 59
> pair-policy 91 log
> set policy id 90
> exit
> set policy id 88 from "Trust" to "Untrust" "192.168.0.0/16
> <http://192.168.0.0/16>" "192.168.0.0/24 <http://192.168.0.0/24>"
> "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 89 log
> set policy id 88
> exit
> set policy id 84 name "Filter SPAM In - LDAP Requests" from
> "Untrust" to "Trust" "Defkon_RKON" "MIP(12.63.231.147)"
> "ICMP-ANY" permit log
> set policy id 84
> set src-address "Katharion_SPAM_1"
> set src-address "Katharion_SPAM_2"
> set src-address "Katharion_SPAM_3"
> set src-address "Katharion_SPAM_4"
> set src-address "Katharion_SPAM_5"
> set src-address "Katharion_SPAM_6"
> set src-address "Katharion_SPAM_7"
> set src-address "Katharion_SPAM_NEW1"
> set src-address "Katharion_SPAM_NEW2"
> set service "LDAP"
> exit
> set policy id 83 from "Trust" to "Untrust" "192.168.180.0/24
> <http://192.168.180.0/24>" "Mexico_internal" "rbza_Requirements"
> tunnel vpn "To_Mexico" id 50 pair-policy 81 log
> set policy id 83
> exit
> set policy id 80 from "Trust" to "Untrust" "Any"
> "192.168.180.0/24 <http://192.168.180.0/24>" "rbza_Requirements"
> permit log
> set policy id 80
> exit
> set policy id 79 from "Untrust" to "Trust" "Texas" "Chicago"
> "ANY" tunnel vpn "To_Texas" id 49 pair-policy 78 log
> set policy id 79
> exit
> set policy id 78 from "Trust" to "Untrust" "Chicago" "Texas"
> "ANY" tunnel vpn "To_Texas" id 49 pair-policy 79 log
> set policy id 78
> exit
> set policy id 77 from "Untrust" to "DMZ" "HongKong" "OWA" "ANY"
> permit log
> set policy id 77
> exit
> set policy id 76 from "DMZ" to "Untrust" "OWA" "HongKong" "ANY"
> permit log
> set policy id 76
> exit
> set policy id 75 from "Untrust" to "Trust" "HongKong"
> "QST_Global" "ANY" permit log
> set policy id 75
> exit
> set policy id 74 from "Trust" to "Untrust" "QST_Global"
> "HongKong" "ANY" permit log
> set policy id 74
> exit
> set policy id 73 from "Untrust" to "Trust" "Cali" "Chicago"
> "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 72 log
> set policy id 73
> exit
> set policy id 72 from "Trust" to "Untrust" "Chicago" "Cali"
> "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 73 log
> set policy id 72
> exit
> set policy id 71 from "DMZ" to "Untrust" "AT&TConcentrator" "Any"
> "ANY" permit log
> set policy id 71
> exit
> set policy id 66 name "To_Singapore" from "Trust" to "Untrust"
> "Chicago" "Singapore" "ANY" tunnel vpn "To_Singapore" id 27
> pair-policy 65
> set policy id 66
> exit
> set policy id 65 name "To_Singapore" from "Untrust" to "Trust"
> "Singapore" "Chicago" "ANY" tunnel vpn "To_Singapore" id 27
> pair-policy 66
> set policy id 65
> exit
> set policy id 48 name "Guatemala" from "Untrust" to "Trust"
> "Guatemala" "Chicago" "ANY" tunnel vpn "To_Guatemala" id 12
> pair-policy 49 log no-session-backup
> set policy id 48
> exit
> set policy id 49 name "Guatemala" from "Trust" to "Untrust"
> "Chicago" "Guatemala" "ANY" tunnel vpn "To_Guatemala" id 12
> pair-policy 48 log no-session-backup
> set policy id 49
> exit
> set policy id 61 name "Test Message" from "Trust" to "Global"
> "Any" "200.57.157.65/32 <http://200.57.157.65/32>" "ANY" permit log
> set policy id 61
> exit
> set policy id 51 from "Untrust" to "DMZ" "Any" "AT&TConcentrator"
> "ANY" permit log
> set policy id 51
> exit
> set policy id 50 from "Untrust" to "Trust" "69.27.238.0/24
> <http://69.27.238.0/24>" "MIP(12.106.250.5)" "MAIL" permit log
> set policy id 50
> set src-address "Katharion_SPAM_1"
> set src-address "Katharion_SPAM_2"
> set src-address "Katharion_SPAM_3"
> set src-address "Katharion_SPAM_4"
> set src-address "Katharion_SPAM_5"
> set src-address "Katharion_SPAM_6"
> set src-address "Katharion_SPAM_7"
> set src-address "Katharion_SPAM_NEW1"
> set src-address "Katharion_SPAM_NEW2"
> exit
> set policy id 40 name "CiscoVPN" from "Trust" to "DMZ" "Any"
> "Cisco VPN" "ANY" permit
> set policy id 40
> exit
> set policy id 39 name "Surf Control" from "Untrust" to "Trust"
> "Any" "MIP(12.106.250.6)" "ICMP-ANY" permit
> set policy id 39 disable
> set policy id 39
> set service "Terminal_Srvc"
> exit
> set policy id 29 from "Trust" to "Untrust" "Any"
> "192.168.121.0/24 <http://192.168.121.0/24>" "ANY" permit
> set policy id 29
> set dst-address "192.168.188.0/24 <http://192.168.188.0/24>"
> set dst-address "192.168.190.0/24 <http://192.168.190.0/24>"
> set dst-address "Mexico_internal"
> exit
> set policy id 2 from "Trust" to "Untrust" "Internal Servers"
> "Any" "FTP" nat src permit
> set policy id 2
> set service "HTTP"
> set service "HTTPS"
> exit
> set policy id 27 from "Trust" to "Untrust" "Any" "Any" "FTP" nat
> src permit log url-filter
> set policy id 27
> set service "HTTP"
> set service "HTTPS"
> set service "ICMP-ANY"
> set service "Mexico_software"
> set service "TELNET"
> exit
> set policy id 38 name "MexicanGov" from "Trust" to "Global" "Any"
> "Any" "MexicanGov" permit log
> set policy id 38
> set service "Mexico_software"
> exit
> set policy id 37 name "SNMP Allowed Out" from "DMZ" to "Untrust"
> "Juniper-SSL" "Any" "ANY" permit
> set policy id 37
> exit
> set policy id 36 name "Allow Juniper SSL Gateway" from "Untrust"
> to "DMZ" "Any" "Juniper-SSL" "HTTP" permit
> set policy id 36
> set service "HTTPS"
> set service "ICMP-ANY"
> set service "RSA Services"
> set service "SNMP"
> exit
> set policy id 34 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit
> set policy id 34
> exit
> set policy id 70 from "DMZ" to "Trust" "AT&TConcentrator" "Any"
> "ANY" permit log
> set policy id 70
> exit
> set policy id 33 name "IDPTest" from "DMZ" to "Trust"
> "Juniper-IDP" "Any" "ANY" permit
> set policy id 33
> exit
> set policy id 32 name "IDP Comms Out" from "DMZ" to "Untrust"
> "Juniper-IDP" "Any" "ANY" permit
> set policy id 32
> exit
> set policy id 31 name "Juniper Comm" from "Untrust" to "DMZ"
> "Defkon_NSM" "Juniper-IDP" "ANY" permit log
> set policy id 31
> exit
> set policy id 26 name "Acces to Checkpoint Server" from "Trust" to
> "Untrust" "192.168.180.98/32 <http://192.168.180.98/32>" "Any"
> "TCP-18190" nat src permit
> set policy id 26
> exit
> set policy id 28 from "Untrust" to "Trust" "192.168.121.0/24
> <http://192.168.121.0/24>" "Any" "ANY" permit
> set policy id 28
> set src-address "192.168.188.0/24 <http://192.168.188.0/24>"
> set src-address "192.168.190.0/24 <http://192.168.190.0/24>"
> set src-address "Mexico_internal"
> exit
> set policy id 18 name "OLD RULE 26" from "Trust" to "Untrust"
> "Any" "Any" "DNB" nat src permit log
> set policy id 18
> set service "DNS"
> set service "IM_Custom"
> set service "MAIL"
> set service "POP3"
> set service "SOCKS"
> set service "SSH"
> set service "TCP-1024-5000"
> set service "TCP-8100"
> exit
> set policy id 14 from "DMZ" to "Trust" "10.1.1.0/24
> <http://10.1.1.0/24>" "Any" "ANY" permit
> set policy id 14
> set src-address "Cisco VPN"
> exit
> set policy id 13 from "Untrust" to "DMZ" "Any" "Cisco VPN" "ANY"
> permit log
> set policy id 13
> exit
> set policy id 12 from "Trust" to "DMZ" "Any" "OWA" "ANY" permit log
> set policy id 12
> exit
> set policy id 10 from "DMZ" to "Trust" "OWA" "Any" "ANY" permit log
> set policy id 10
> exit
> set policy id 8 from "Untrust" to "DMZ" "Any" "OWA" "HTTPS"
> permit log
> set policy id 8
> exit
> set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" deny
> set policy id 3
> exit
> set policy id 4 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
> set policy id 4
> exit
> set policy id 5 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny
> set policy id 5
> exit
> set policy id 7 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
> set policy id 7
> exit
> set policy id 16 from "DMZ" to "Untrust" "Guatemala VPN"
> "200.12.52.113/32 <http://200.12.52.113/32>" "IPSEC" permit
> set policy id 16
> set service "TELNET"
> exit
> set policy id 20 from "DMZ" to "Untrust" "Guatemala VPN"
> "216.184.126.113" "IPSEC" permit
> set policy id 20
> exit
> set policy id 17 from "DMZ" to "Untrust" "Any" "Any" "ANY" deny
> set policy id 17
> exit
> set policy id 21 from "Trust" to "Global" "Any" "Any" "TCP-82" permit
> set policy id 21
> exit
> set policy id 24 from "Trust" to "Global" "Any" "Any" "TCP-264"
> permit
> set policy id 24
> set service "UDP-2746"
> set service "UDP-500"
> exit
> set policy id 81 name "To_Mexico" from "Untrust" to "Trust"
> "Mexico_internal" "192.168.180.0/24 <http://192.168.180.0/24>"
> "rbza_Requirements" tunnel vpn "To_Mexico" id 50 pair-policy 83 log
> set policy id 81
> exit
> set policy id 82 from "Untrust" to "Trust" "Any" "Any" "ANY" deny
> set policy id 82
> exit
> set policy id 89 from "Untrust" to "Trust" "192.168.0.0/24
> <http://192.168.0.0/24>" "192.168.0.0/16 <http://192.168.0.0/16>"
> "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 88 log
> set policy id 89
> exit
> set policy id 91 from "Untrust" to "Trust" "192.168.186.0/24
> <http://192.168.186.0/24>" "192.168.0.0/16
> <http://192.168.0.0/16>" "ANY" tunnel vpn "To_Torreon" id 59
> pair-policy 90 log
> set policy id 91
> exit
> set syslog config "205.234.155.251"
> set syslog config "205.234.155.251" facilities local0 local0
> set syslog src-interface ethernet0/2
> set syslog enable
> set nsmgmt bulkcli reboot-timeout 60
> set ssh version v2
> set ssh enable
> set scp enable
> set config lock timeout 5
> unset license-key auto-update
> set ntp server "1.pool.ntp.org <http://1.pool.ntp.org>"
> set ntp server src-interface "ethernet0/2"
> set ntp server backup1 "2.pool.ntp.org <http://2.pool.ntp.org>"
> set ntp server backup1 src-interface "ethernet0/2"
> set ntp server backup2 "0.pool.ntp.org <http://0.pool.ntp.org>"
> set ntp server backup2 src-interface "ethernet0/2"
> set ntp max-adjustment 60
> set snmp community "rkOnmssp" Read-Write Trap-on traffic version v2c
> set snmp community "rkOnm$$p" Read-Write Trap-on traffic version v2c
> set snmp host "rkOnm$$p" XXXXXX 255.255.255.0
> set snmp host "rkOnmssp" XXXXXXX 255.255.255.255 src-interface
> ethernet0/2 trap v2
> set snmp location "Chicago HQ"
> set snmp contact "support at rkon.com <mailto:support at rkon.com>"
> set snmp name "QST-Chi-Firewall"
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> set route 192.168.1.0/24 <http://192.168.1.0/24> interface
> tunnel.1 preference 10
> exit
> set vrouter "trust-vr"
> unset add-default-route
> set route 0.0.0.0/0 <http://0.0.0.0/0> interface ethernet0/2
> gateway 12.63.231.145 preference 20
> set route 192.168.181.0/24 <http://192.168.181.0/24> interface
> ethernet0/0 gateway 192.168.180.19 preference 10
> set route 192.168.184.0/24 <http://192.168.184.0/24> interface
> ethernet0/0 gateway 192.168.180.19 preference 10 permanent
> set route 192.168.185.0/24 <http://192.168.185.0/24> interface
> ethernet0/0 gateway 192.168.180.19 preference 10
> set route 192.168.187.0/24 <http://192.168.187.0/24> interface
> ethernet0/0 gateway 192.168.180.19 preference 10
> set route 10.1.1.0/24 <http://10.1.1.0/24> interface ethernet0/0
> gateway 192.168.180.231 preference 10 permanent
> set route 192.168.1.0/24 <http://192.168.1.0/24> interface
> tunnel.1 preference 10
> set route 192.168.20.0/24 <http://192.168.20.0/24> interface
> tunnel.3 preference 20 permanent
> set route 12.63.231.150/32 <http://12.63.231.150/32> interface
> ethernet0/0 preference 20
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> <mailto:juniper-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.0.237 / Virus Database: 270.11.10/1995 - Release Date: 03/11/09 08:28:00
>
>
I di see the WAn interface is showing 100/half and the upstream device
is locked at 100/full....
That will be the first thing I change tomorrow AM......
--chris
More information about the juniper-nsp
mailing list