/* Junos 12.1X47-D15 (SRX branch). NOTE(review): this release train is long past
   Juniper's end-of-support window — confirm against the current EOL list. No
   fixed releases are produced for it any more, so every hardening note below is
   secondary to planning an upgrade. */
version 12.1X47-D15.4;
system {
/* Device identity and clock. Log timestamps are local Warsaw time; keep that in
   mind when correlating with logs collected elsewhere. */
host-name WLNR0001;
domain-name ewepl.local;
time-zone Europe/Warsaw;
/* The root hash is $1$ (MD5-crypt): cheap to brute-force offline, and this file
   (hash included) already leaves the box on every commit via the scp archive.
   Rotate the root password and set `system login password format` to the
   strongest hash this release offers (sha512/sha256 where available) so the new
   password is not stored as MD5-crypt again. Root login over SSH is not denied
   under `system services ssh`; add `root-login deny` there. */
root-authentication {
encrypted-password "$1$YKfgipIs$NVv3/Hcc8ewXLlqvfc7Iv/";
}
/* Resolvers used by the routing engine and by dns-proxy for the wired VLANs
   (the WLAN DHCP pools hand out public resolvers instead). The same two hosts
   are the NTP servers. */
name-server {
172.22.41.142;
172.22.41.143;
}
/* Local accounts only: there is no `authentication-order` (RADIUS/TACACS+) and no
   `retry-options` lockout/backoff, so password guessing over SSH or console is
   unthrottled. Both user hashes are $1$ (MD5-crypt) and are exposed with this
   file — rotate them (see root-authentication for the hash-format change). */
login {
/* Read-only class: every permission bit listed is the view variant (no *-control
   bits). `allow-commands "(view)"` additionally permits whatever CLI commands that
   regex matches on top of the bits — verify the effective match set on this
   release; if the intent is only "view", the permission bit already covers it. */
class config-view {
permissions [ access admin firewall interface routing security snmp system view view-configuration ];
allow-commands "(view)";
}
/* Full super-user account; presumably the managed-service operator (cf. the
   GBCC_* address objects) — confirm ownership and rotate. */
user bcc {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$vFRZaYyw$qaez6GlJxXpUwkI2EpEra1";
}
}
/* Customer read-only account. */
user ewe {
uid 2001;
class config-view;
authentication {
encrypted-password "$1$GoB8y6lK$2IOtWdAmDlz6TRk6Hol4a.";
}
}
}
/* Routing-engine services. Reachability is decided by `security zones`
   host-inbound-traffic: the trust zone (which includes the ISP link ae1.0 and
   both tunnels) allows *every* system service, and the Internet-facing
   fe-0/0/2.0 allows ssh and https. There is no lo0 filter narrowing sources. */
services {
/* SSH with defaults only. Pin `protocol-version v2`, add `root-login deny`, and
   set `connection-limit` / `rate-limit`: the daemon is reachable from the public
   /30 on fe-0/0/2.0 and from the provider link ae1.0 with no source restriction. */
ssh;
/* JUNOScript/NETCONF over plain TCP (port 3221): credentials and the whole
   configuration cross the wire unencrypted, and through the trust zone's
   `system-services all` it listens on the ISP link and on the tunnels. Replace
   with `xnm-ssl` or `netconf { ssh; }`, or delete it if no NMS still uses it. */
xnm-clear-text;
/* DNS proxy for the wired VLANs (LAN, unauthorized, printers, MGMT), forwarding
   to the `system name-server` hosts. The WLAN units are deliberately excluded. */
dns {
dns-proxy {
interface {
ae0.10;
ae0.11;
ae0.20;
ae0.30;
}
}
}
/* J-Web over HTTPS with a self-signed certificate, bound to the public Internet
   interface and to the ISP link. J-Web is a large attack surface on a release
   that no longer receives fixes: drop fe-0/0/2.0 from this list (keep ae1.0 only
   if the provider network is trusted for management) or front it with a lo0
   filter limited to the NOC prefixes. */
web-management {
https {
system-generated-certificate;
interface [ fe-0/0/2.0 ae1.0 ];
}
}
/* Routing-engine DHCP server. Tracing is left inactive; if activated the debug
   file records client identifiers and option data. */
dhcp {
inactive: traceoptions {
file dhcp.dbg size 100000;
level all;
flag all;
}
/* VLAN 10 LAN pool. PXE/WDS boot from 172.22.41.133 over TFTP is unauthenticated
   by nature, so the LAN segment must not be reachable by untrusted hosts. */
pool 172.22.40.192/27 {
address-range low 172.22.40.194 high 172.22.40.222;
default-lease-time 28800;
domain-name ewepl.local;
name-server {
172.22.41.142;
172.22.41.143;
}
router {
172.22.40.193;
}
boot-file "SMSboot\x86\wdsnbp.com";
boot-server tftp://172.22.41.133;
next-server 172.22.41.133;
}
/* VLAN 11 "unauthorized" pool with the same PXE parameters as the LAN pool, so a
   host parked in this VLAN still gets pointed at the WDS server — confirm that is
   intended (see the unauthorized-to-trust policy). */
pool 172.22.43.192/27 {
address-range low 172.22.43.194 high 172.22.43.222;
default-lease-time 28800;
domain-name ewepl.local;
name-server {
172.22.41.142;
172.22.41.143;
}
router {
172.22.43.193;
}
boot-file "SMSboot\x86\wdsnbp.com";
boot-server tftp://172.22.41.133;
next-server 172.22.41.133;
}
/* Guest SSID pool: public resolvers, consistent with the PBR filter that sends
   these clients straight out the DSL uplink. */
pool 192.168.13.0/24 {
address-range low 192.168.13.11 high 192.168.13.250;
default-lease-time 36000;
name-server {
8.8.8.8;
8.8.4.4;
1.1.1.1;
}
router {
192.168.13.1;
}
}
/* Corporate SSID pool: 60 addresses with a 21-day (1814400 s) lease — pool
   exhaustion is likely with roaming clients; the 8-hour lease used by the wired
   pools would be safer. */
pool 192.168.14.128/26 {
address-range low 192.168.14.130 high 192.168.14.189;
default-lease-time 1814400;
name-server {
8.8.8.8;
8.8.4.4;
1.1.1.1;
}
router {
192.168.14.129;
}
}
/* VLAN 31 access-point management pool (ae0.31). */
pool 172.22.42.240/28 {
address-range low 172.22.42.242 high 172.22.42.254;
default-lease-time 604800;
name-server {
8.8.8.8;
}
router {
172.22.42.241;
}
}
/* Fixed LAN leases keyed by MAC. A MAC address is not an authenticator; these
   bindings are convenience, not access control. */
static-binding 00:c0:3d:09:64:0a {
fixed-address {
172.22.40.221;
}
}
static-binding 6c:1c:71:36:a2:3e {
fixed-address {
172.22.40.222;
}
}
static-binding 00:04:f2:ff:cd:2b {
fixed-address {
172.22.40.219;
}
}
static-binding 64:16:7f:2e:13:ce {
fixed-address {
172.22.40.220;
}
}
}
}
/* Local logging only. The host described as the log server in the address book
   (GBCC_LAN_RAVON, 10.95.68.68) receives config archives but no syslog, so the
   policy session logs land only in the local `traffic` file, which at
   `archive size 100k files 3` rolls over quickly and is lost with the box. Add
   `host 10.95.68.68 { any any; match RT_FLOW_SESSION; }` (plus authorization and
   interactive-commands) — or the real collector if it is a different host.
   `interactive-commands error` discards the normal command audit trail; use
   `interactive-commands any` so every operator command is recorded. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file traffic {
any any;
match RT_FLOW_SESSION;
}
}
/* Keep five saved configurations and five rollback points on flash. */
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
/* Every commit is pushed by scp to the backup host. The `$9$` string is Junos
   reversible obfuscation, not a hash: anyone holding this file can recover the
   `archive` account's password. Rotate it, and restrict that account on the
   server (scp-only, chrooted, no shell). The server's host key is pinned under
   `security ssh-known-hosts`, which is what stops a MITM from harvesting the
   password and the archived configs. */
archival {
configuration {
transfer-on-commit;
archive-sites {
"scp://archive@10.95.68.68/home/archive/ewe-wlnr0001" password "$9$UQiH.5TF/9t24Q39CB1lKM8xdgoGkqf";
}
}
}
/* Default Juniper license-retrieval endpoint; outbound HTTPS from the RE. */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Unauthenticated NTP from the two DC servers (reached through the trust zone).
   Add `authentication-key` / `trusted-key` and `server ... key` if the servers
   support it; clock manipulation breaks log correlation and evidence integrity. */
ntp {
server 172.22.41.142;
server 172.22.41.143;
}
}
/* Two LAG bundles: ae0 towards the LAN switch, ae1 towards the ISP link. */
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
}
/* Physical layout: fe-0/0/0-1 -> ae1 (ISP link), fe-0/0/2 = public DSL uplink,
   fe-0/0/4-5 -> ae0 (LAN trunk), fe-0/0/6-7 shut. fe-0/0/3 is not configured in
   this file; if it is unused it should be explicitly disabled like 6 and 7. */
interfaces {
fe-0/0/0 {
fastether-options {
802.3ad ae1;
}
}
fe-0/0/1 {
fastether-options {
802.3ad ae1;
}
}
/* Public /30 (prefix-list DSL_WLN_pubIP), member of the untrust zone. The only
   ingress controls are the untrust screen and host-inbound-traffic; there is no
   input filter on this interface. */
fe-0/0/2 {
unit 0 {
family inet {
address 80.54.10.242/30;
}
}
}
fe-0/0/4 {
fastether-options {
802.3ad ae0;
}
}
fe-0/0/5 {
fastether-options {
802.3ad ae0;
}
}
/* Unused ports are administratively disabled — good; keep it that way. */
fe-0/0/6 {
disable;
}
fe-0/0/7 {
disable;
}
/* 802.1Q trunk to the access switch, one unit per VLAN. Units 12 and 13 carry
   the PBR filter that diverts WLAN traffic into the local-Internet instance. */
ae0 {
vlan-tagging;
aggregated-ether-options {
minimum-links 1;
lacp {
active;
}
}
unit 10 {
description Brama_v10_Wielun_LAN;
vlan-id 10;
family inet {
address 172.22.40.193/27;
}
}
unit 11 {
description Brama_v11_Wielun_unauthorized_LAN;
vlan-id 11;
family inet {
address 172.22.43.193/27;
}
}
/* Corporate SSID. It gets the same local-Internet-only treatment as the guest
   SSID (PBR filter, zone wlan with no policy towards trust) — confirm that is
   intended for staff devices. */
unit 12 {
description Brama_v12_WLAN_SSID_EWE;
vlan-id 12;
family inet {
filter {
input PBR-for_WLANs;
}
address 192.168.14.129/26;
}
}
unit 13 {
description Brama_v13_WLAN_SSID_EWE_guest;
vlan-id 13;
family inet {
filter {
input PBR-for_WLANs;
}
address 192.168.13.1/24;
}
}
unit 20 {
description Brama_v20_Wielun_Printers;
vlan-id 20;
family inet {
address 172.22.41.41/29;
}
}
unit 30 {
description Brama_v30_Wielun_MGMT;
vlan-id 30;
family inet {
address 172.22.41.217/29;
}
}
unit 31 {
description Brama_v31_Wielun_WLAN_MGMT;
vlan-id 31;
family inet {
address 172.22.42.241/28;
}
}
}
/* Despite the "WAN ISP" description this link carries a private /30 and is the
   path to the DC IKE peer 172.22.42.137. It is placed in the *trust* zone under
   `security zones` with every RE service allowed inbound, which exposes the
   management plane to the provider's network — see the zones stanza. */
ae1 {
description "*** WAN ISP Netia v90u ***";
aggregated-ether-options {
minimum-links 1;
lacp {
active;
}
}
unit 0 {
family inet {
address 172.22.42.138/30;
}
}
}
/* Tunnel interfaces: st0.0 -> DC_EWE_BCC_vpn (static /32 route), st0.1 ->
   DC_EWE_WLN_vpn (RIP neighbour). Both sit in the trust zone. */
st0 {
unit 0 {
family inet {
address 172.22.42.71/32;
}
}
unit 1 {
family inet {
address 172.22.42.73/30;
}
}
}
vlan {
disable;
}
}
/* SNMPv2c, read-only, restricted to five manager addresses. The community string
   crosses the network in cleartext and is now exposed with this file: rotate it,
   and move to SNMPv3 (`snmp v3` USM with auth+priv) where the managers support
   it. With no lo0 filter the `clients` list is the only source check, and the
   agent is reachable through the trust zone's `system-services all`. */
snmp {
community su46qm20wb64jt81 {
authorization read-only;
clients {
10.95.68.68/32;
172.22.42.137/32;
10.95.227.227/32;
10.95.227.63/32;
10.95.227.60/32;
}
}
}
/* No default route is configured in inet.0; it is presumably learned via RIP from
   the DC over ae1.0 / st0.1 — confirm. */
routing-options {
/* Leaks *all* directly connected routes (LAN, MGMT, printers, ...) into the WLAN
   local-Internet instance, so at the forwarding level WLAN clients can route to
   the wired subnets; only the absence of a wlan->trust policy (global
   DENY_ALL_LOG) keeps them out. An import policy on the rib-group that admits
   only the WLAN and fe-0/0/2.0 connected routes would make the isolation hold
   even if someone later adds a wlan policy. */
interface-routes {
rib-group inet Local-Internet-routing-instance;
}
static {
route 172.22.42.70/32 next-hop st0.0;
route 172.22.42.72/32 next-hop st0.1;
/* Hosts forced out the DSL uplink. 185.51.96.225 is the DC_EWE_WLN_gw IKE peer,
   so that tunnel does not recurse through the ae1.0 path; the other four are
   undocumented — annotate what they are (monitoring/ISP?) so nobody removes them
   blind. */
route 194.50.37.255/32 next-hop 80.54.10.241;
route 91.206.38.66/32 next-hop 80.54.10.241;
route 91.206.38.77/32 next-hop 80.54.10.241;
route 185.51.96.225/32 next-hop 80.54.10.241;
route 62.108.187.80/32 next-hop 80.54.10.241;
}
rib-groups {
Local-Internet-routing-instance {
import-rib [ inet.0 Local-Internet-routing-instance.inet.0 ];
}
}
}
/* RIP towards the DC over the ISP link (preferred, metric-in 1) and the WLN tunnel
   (backup, metric-in 8), with BFD for fast failure detection. */
protocols {
rip {
/* Inactive. If it is ever enabled, drop `world-readable` — route traces need no
   wider readership than the admin accounts. */
inactive: traceoptions {
file rip.log size 10k files 2 world-readable;
flag route;
flag update;
flag error;
flag all;
}
/* No `authentication-type md5` / `authentication-key`: updates arriving on ae1.0
   (a provider-owned segment) and st0.1 are accepted unauthenticated, so a rogue
   speaker on that segment could inject a default route and redirect the site.
   Enable MD5 authentication on both ends and consider an `import` policy that
   limits accepted prefixes to the DC ranges. */
group EWE-RIP {
export advertise-routes-through-rip;
bfd-liveness-detection {
version 1;
minimum-interval 1000;
multiplier 5;
}
neighbor ae1.0 {
metric-in 1;
}
neighbor st0.1 {
metric-in 8;
}
}
}
/* RSTP on a box whose `interfaces vlan` is disabled — presumably a leftover;
   confirm it is still needed. */
rstp;
}
/* Prefix lists for the RIP export policy and the WLAN PBR filter. WLAN_GUEST is
   not referenced anywhere in this file. */
policy-options {
prefix-list DSL_WLN_pubIP {
80.54.10.240/30;
}
prefix-list BCC_LAN {
10.95.64.0/18;
}
prefix-list WLANs-prefix-list {
192.168.13.0/24;
192.168.14.128/26;
}
prefix-list WLAN_GUEST {
192.168.13.0/24;
}
/* Export to RIP: never advertise the public DSL /30, the BCC LAN, or the WLAN
   subnets (so the DC side never learns a route to the WLANs), then re-advertise
   everything that is direct or RIP-learned. */
policy-statement advertise-routes-through-rip {
term 0 {
from {
prefix-list DSL_WLN_pubIP;
prefix-list BCC_LAN;
prefix-list WLANs-prefix-list;
}
then reject;
}
term 1 {
from protocol [ direct rip ];
then accept;
}
}
}
security {
/* Pinned host key of the config-archive server (the archival scp target). Good:
   without it the scp password and every archived config would be exposed to any
   MITM on the path. The blob decodes to a 1024-bit RSA modulus with exponent 35,
   i.e. a very old host key — have the server regenerate a >=2048-bit RSA or
   ed25519 key and re-pin it here. */
ssh-known-hosts {
host 10.95.68.68 {
rsa-key AAAAB3NzaC1yc2EAAAABIwAAAIEAwlUzWSZvQfbbhh+MZMYL3Xox4k0fkEL1kOBvX13yxbzHCu1lpkL7xExeQg8M9SPx5CLGqYIIFo/wls512XU4ydV+2S1QIyFuC4M350RqHTVnIpPDVNKb0qzkSnZVpw/RrTeEe9J6RHFkd7/CFZdpDbPiLNdqgMQaZyRkFwDRdQE=;
}
}
/* IKEv1 main mode with pre-shared keys. DH group2 (1024-bit MODP) and SHA-1 are
   below current guidance: move to group14 (or 19/20 if the peers support it)
   and sha-256, and add `dead-peer-detection`. Both ends must agree, so this is
   coordinated with the DC side. The PSK itself is not present in this file. */
ike {
/* Inactive. Drop `world-readable` if it is ever enabled — IKE traces carry peer
   identities and negotiation detail. */
inactive: traceoptions {
file vpn.tr size 1m files 3 world-readable;
flag ike;
flag general;
}
proposal p1-pre-g2-aes256-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
}
policy p1-EWE-policy {
mode main;
proposals p1-pre-g2-aes256-sha;
}
/* Peer over the provider link (ae1.0). */
gateway DC_EWE_BCC_gw {
ike-policy p1-EWE-policy;
address 172.22.42.137;
external-interface ae1.0;
}
/* Peer over the public Internet (fe-0/0/2.0) — the weak DH group and hash above
   matter most on this tunnel. */
gateway DC_EWE_WLN_gw {
ike-policy p1-EWE-policy;
address 185.51.96.225;
external-interface fe-0/0/2.0;
}
}
ipsec {
inactive: traceoptions {
flag security-associations;
flag packet-drops;
flag packet-processing;
}
proposal p2-esp-aes256-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
}
/* 3DES-CBC (64-bit block, Sweet32-class weakness) and it is listed *first* in
   p2-policy-g2, so a peer offering both may settle on it. Remove this proposal
   once both peers are confirmed to negotiate AES. */
proposal p2-esp-3des-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
/* PFS with group2 (1024-bit) — raise together with the IKE DH group. */
policy p2-policy-g2 {
perfect-forward-secrecy {
keys group2;
}
proposals [ p2-esp-3des-sha p2-esp-aes256-sha ];
}
/* Route-based tunnels. proxy-identity 0/0 <-> 0/0 `any` means the SA carries
   everything; what actually crosses is decided solely by zone policy (st0.x
   are in zone trust). vpn-monitor keeps the tunnel state accurate for routing. */
vpn DC_EWE_BCC_vpn {
bind-interface st0.0;
vpn-monitor {
source-interface st0.0;
destination-ip 172.22.42.70;
}
ike {
gateway DC_EWE_BCC_gw;
proxy-identity {
local 0.0.0.0/0;
remote 0.0.0.0/0;
service any;
}
ipsec-policy p2-policy-g2;
}
}
vpn DC_EWE_WLN_vpn {
bind-interface st0.1;
vpn-monitor {
source-interface st0.1;
destination-ip 172.22.42.72;
}
ike {
gateway DC_EWE_WLN_gw;
proxy-identity {
local 0.0.0.0/0;
remote 0.0.0.0/0;
service any;
}
ipsec-policy p2-policy-g2;
}
}
}
/* Zone-attached address books. Entries not referenced by any policy in this file:
   EWE_Test_LAN, DC_EWE_EDDINGTON, EWE_MGMT_WLNC0001 — prune them or use them.
   GBCC_LAN (10.95.64.0/18) is a very wide source object for `application any`
   policies. */
address-book {
trust-book {
address EWE_Test_LAN 10.255.255.0/24;
address GBCC_LAN 10.95.64.0/18;
address DC_EWE_LAN 172.22.41.128/27;
address DC_EWE_EDDINGTON 172.22.41.130/32;
address EWE_Wielun_LAN 172.22.40.192/27;
address DC_EWE_LAN_OLD 10.206.41.64/28;
/* Log server and config-backup host (description is Polish). It is the scp
   archive target; it receives no syslog from this box — see `system syslog`. */
address GBCC_LAN_RAVON {
description "serwer logow oraz do backupu configuracji";
10.95.68.68/32;
}
address EWE_Poznan_LAN 172.22.40.128/26;
address EWE_Zachod_LAN 172.22.40.0/25;
address BCC-Aurora 10.95.220.24/32;
address EWE_SSLVPN_FG 172.22.46.0/25;
address DC_EWE_AZURE_EWE011 172.22.41.164/32;
address DC_Observium 10.95.227.227/32;
address DC_EWE_AZURE_CSAT 172.22.41.165/32;
address MGMT.A_A41_ZBX_DEV_SNP2082 10.95.227.60/32;
address MGMT.A_A41_ZBX_DEV_SNP2077 10.95.227.63/32;
address-set DC_EWE_LAN_ALL {
address DC_EWE_LAN;
address DC_EWE_LAN_OLD;
}
address-set MGMT.A_A41_ZBX_SRV {
address MGMT.A_A41_ZBX_DEV_SNP2082;
address MGMT.A_A41_ZBX_DEV_SNP2077;
}
attach {
zone trust;
}
}
unauthorized-book {
address EWE_Wielun_unauthorized_LAN 172.22.43.192/27;
attach {
zone unauthorized;
}
}
printers-book {
address EWE_Wielun_Printers 172.22.41.40/29;
attach {
zone printers;
}
}
mgmt-book {
address EWE_Wielun_MGMT 172.22.41.216/29;
address EWE_MGMT_WLNC0001 172.22.41.218/32;
address EWE_Wielun_WLAN_MGMT 172.22.42.240/28;
attach {
zone mgmt;
}
}
wlan-book {
address WLAN_SSID_EWE 192.168.14.128/26;
address WLAN_SSID_EWE_guest 192.168.13.0/24;
attach {
zone wlan;
}
}
}
/* Clamp TCP MSS inside the IPsec tunnels so ESP overhead does not cause
   fragmentation. */
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
/* Applied to the untrust zone only, with a minimal option set. At least add
   `ip { spoofing; }`, `icmp { ip-sweep; flood; }`, `tcp { port-scan; syn-fin;
   winnuke; }` and `udp { flood; }` — all cheap — and consider a lighter screen
   on the wlan and unauthorized zones, which also carry untrusted hosts. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Interface (hide) NAT for the two WLAN subnets leaving via the DSL uplink. This
   is the only NAT on the box; everything else (LAN <-> DC over the tunnels) is
   routed with original addresses. */
nat {
source {
rule-set wlan-to-untrust {
from zone wlan;
to zone untrust;
rule WLAN_SSID_EWE-to-Internet {
match {
source-address 192.168.14.128/26;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
rule WLAN_SSID_EWE_guest-to-Internet {
match {
source-address 192.168.13.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Zone policy. Remember what zone "trust" contains: the local LAN (ae0.10), both
   DC tunnels and the ISP link (ae1.0). A rule with `destination-address any`
   towards trust therefore reaches the whole DC/BCC estate, not just the
   Internet. */
policies {
from-zone trust to-zone trust {
/* DC/BCC/other branches -> local LAN, any application. The unused custom
   application RDP_TCP_DST_3389 suggests this was meant to be narrower. */
policy EWE_BCC-to-EWE_Wielun_LAN {
match {
source-address [ GBCC_LAN DC_EWE_LAN_ALL EWE_Poznan_LAN EWE_Zachod_LAN EWE_SSLVPN_FG DC_EWE_AZURE_EWE011 DC_EWE_AZURE_CSAT ];
destination-address EWE_Wielun_LAN;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
/* Local LAN -> anything reachable in trust (Internet egress goes via the DC). */
policy EWE_Wielun_LAN-to-Internet {
match {
source-address EWE_Wielun_LAN;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone trust to-zone mgmt {
/* NOC sources -> switch management VLAN. `application any` could be narrowed to
   ssh/https/snmp/ping. */
policy EWE_BCC-to-EWE_Wielun_mgmt {
match {
source-address [ GBCC_LAN DC_EWE_LAN_ALL EWE_Poznan_LAN BCC-Aurora EWE_SSLVPN_FG DC_Observium MGMT.A_A41_ZBX_SRV ];
destination-address EWE_Wielun_MGMT;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone trust to-zone unauthorized {
/* DC/BCC -> quarantine VLAN, any application; presumably for remediation/NAC
   servers — confirm and narrow. */
policy EWE_BCC-to-EWE_Wielun_unauthorized {
match {
source-address [ GBCC_LAN DC_EWE_LAN_ALL ];
destination-address EWE_Wielun_unauthorized_LAN;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone trust to-zone printers {
/* DC print servers -> printers, any application. */
policy EWE_BCC-to-EWE_Wielun_printers {
match {
source-address [ GBCC_LAN DC_EWE_LAN_ALL DC_EWE_AZURE_EWE011 ];
destination-address EWE_Wielun_Printers;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
/* Users -> printers limited to ping/http/https: no raw-9100/IPP/LPD here, so
   printing itself presumably goes through the DC print servers. */
policy EWE_Wielun_LAN-to-EWE_Wielun_printers {
match {
source-address [ EWE_Wielun_LAN EWE_Poznan_LAN ];
destination-address EWE_Wielun_Printers;
application [ junos-ping junos-http junos-https ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone mgmt to-zone trust {
/* The name says RADIUS but the match is `application any` towards the DC LAN and
   the log server — narrow to junos-radius / junos-syslog (or the actual ports). */
policy WLNC0001-to-radius {
match {
source-address EWE_Wielun_MGMT;
destination-address [ DC_EWE_LAN_ALL GBCC_LAN_RAVON ];
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
/* Switch management -> Internet basics; reasonably scoped. */
policy EWE_Wielun_MGMT-to-Internet {
match {
source-address EWE_Wielun_MGMT;
destination-address any;
application [ junos-ping junos-ntp junos-http junos-https junos-dns-tcp junos-dns-udp ];
}
then {
permit;
log {
session-close;
}
}
}
/* AP management -> the controller host only. */
policy EWE_Wielun_WLAN_MGMT-to-DC_EWE_EWE011 {
match {
source-address EWE_Wielun_WLAN_MGMT;
destination-address DC_EWE_AZURE_EWE011;
application any;
}
then {
permit;
log {
session-close;
}
}
}
/* AP management -> *anything* in zone trust (DC/BCC networks included), any
   application, with only session-close logged. If the APs only need their
   controller plus Internet, restrict the destinations or add a deny for the
   internal prefixes ahead of this rule. */
policy EWE_Wielun_WLAN_MGMT-to-Internet {
match {
source-address EWE_Wielun_WLAN_MGMT;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone unauthorized to-zone trust {
/* Highest-risk rule on the box. The "unauthorized" VLAN (presumably hosts that
   failed 802.1X/NAC) may reach any address in zone trust with any application:
   that is the local LAN (ae0.10), every DC/BCC network behind the tunnels, and
   the Internet. If Internet-only egress is the intent, insert a deny for
   10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (or an allow-list of the DC
   egress/remediation hosts) ahead of this policy. */
policy unauthorized-to-Internet {
match {
source-address EWE_Wielun_unauthorized_LAN;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone printers to-zone trust {
/* Same pattern: printers may initiate to anything in trust, any application.
   Printers rarely need more than DNS/NTP/SMTP and their print server — narrow
   the destinations; printers are a classic pivot host. */
policy printers-to-Internet {
match {
source-address EWE_Wielun_Printers;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone wlan to-zone untrust {
/* Guest SSID -> Internet only; no wlan->trust policy exists, so the global deny
   covers the rest. Only session-close is logged here — add session-init if guest
   activity must be attributable while it happens. */
policy WLAN_SSID_EWE_guest-to-Internet {
match {
source-address WLAN_SSID_EWE_guest;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
policy WLAN_SSID_EWE-to-Internet {
match {
source-address WLAN_SSID_EWE;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
/* Catch-all deny with logging — good. Note the only destination for these logs
   is the local `traffic` syslog file (see `system syslog`). */
global {
policy DENY_ALL_LOG {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
session-close;
}
}
}
}
}
zones {
/* `system-services all` + `protocols all` on every trust interface — and trust
   includes ae1.0 (the ISP-provided link) and both tunnels. That exposes ssh,
   J-Web, xnm-clear-text, SNMP, DHCP, etc. to the provider network and to
   anything the DC routes towards this box. Replace with explicit per-interface
   lists, e.g. ae0.10: ping/dhcp/dns/ntp/ssh; ae1.0: ping/ike/ssh with protocols
   rip/bfd; st0.0: ping; st0.1: ping with protocols rip/bfd. */
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ae0.10;
st0.0;
st0.1;
ae1.0;
}
}
/* Internet-facing. `ike` and `ping` are needed (DC_EWE_WLN_gw peers here), but
   `ssh` and `https` are open to every Internet source: remove them, or add a lo0
   input filter that admits only the NOC / management-VPN prefixes. */
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/2.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
ike;
https;
}
}
}
}
}
/* Least-privilege host-inbound on the non-trust VLANs — good. */
security-zone printers {
interfaces {
ae0.20 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
}
}
}
}
}
security-zone mgmt {
interfaces {
ae0.30 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
}
}
}
ae0.31 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
dhcp;
}
}
}
}
}
security-zone unauthorized {
interfaces {
ae0.11 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
dhcp;
}
}
}
}
}
security-zone wlan {
interfaces {
ae0.13 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
dhcp;
}
}
}
ae0.12 {
host-inbound-traffic {
system-services {
ping;
ntp;
dns;
dhcp;
}
}
}
}
}
}
}
/* Only PBR-for_WLANs is attached to an interface (ae0.12/ae0.13 input).
   bandwidth-limit and GoToMeeting_QoS are applied nowhere in this file — attach
   them where intended or remove the dead configuration. */
firewall {
family inet {
/* Polices traffic to/from the Vidyo range 213.186.79.128/26 at 50 Mb/s and
   everything else at 20 Mb/s (term 10 matches all sources). */
filter bandwidth-limit {
term 0 {
from {
source-address {
213.186.79.128/26;
}
}
then {
policer policer-50mb;
count vidyo_counter_from_Vidyo;
accept;
}
}
term 1 {
from {
destination-address {
213.186.79.128/26;
}
}
then {
policer policer-50mb;
count vidyo_counter_to_Vidyo;
accept;
}
}
inactive: term 2 {
from {
address {
213.186.79.133/32;
}
}
then {
policer policer-50mb;
count vidyo_counter;
accept;
}
}
term 10 {
from {
source-address {
0.0.0.0/0;
}
}
then {
policer policer-20mb;
count non-vidyo_counter;
accept;
}
}
}
/* Source-based PBR for the WLAN units: WLAN sources are steered into the
   local-Internet instance. Term 2 is redundant (192.168.13.0/24 is already in
   WLANs-prefix-list). Term 3 accepts everything else into inet.0, so a client
   that spoofs a non-WLAN source bypasses the PBR and is held back only by zone
   policy. Consider discarding non-WLAN sources here, keeping an accept for DHCP
   (udp, source 0.0.0.0, destination port 67) ahead of the discard. */
filter PBR-for_WLANs {
term 1 {
from {
source-prefix-list {
WLANs-prefix-list;
}
}
then {
routing-instance Local-Internet-routing-instance;
}
}
term 2 {
from {
source-address {
192.168.13.0/24;
}
}
then {
routing-instance Local-Internet-routing-instance;
}
}
term 3 {
then accept;
}
}
}
policer policer-20mb {
if-exceeding {
bandwidth-limit 20m;
burst-size-limit 1m;
}
then discard;
}
policer policer-50mb {
if-exceeding {
bandwidth-limit 50m;
burst-size-limit 2m;
}
then discard;
}
/* CoS classification by port (`port` matches source or destination). Not
   applied to any interface in this file. */
filter GoToMeeting_QoS {
term GoToMeeting_Audio {
from {
protocol [ tcp udp ];
port 8200;
}
then forwarding-class assured-forwarding;
}
term GoToMeeting_Video {
from {
protocol [ udp tcp ];
port 1853;
}
then forwarding-class expedited-forwarding;
}
term WWW_smal_packets {
from {
packet-length 0-512;
protocol tcp;
port [ http https ];
}
then forwarding-class expedited-forwarding;
}
term accept_rest {
then accept;
}
}
}
/* Forwarding instance used only by the WLAN PBR filter: everything defaults out
   the DSL uplink, bypassing the DC. Its connected routes are leaked in by the
   rib-group under routing-options. */
routing-instances {
Local-Internet-routing-instance {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 80.54.10.241;
}
}
}
}
/* Inactive tunnel health check. Even if activated, the ip-monitoring policy has
   no `then` action (e.g. preferred-route), so it would detect but not react;
   vpn-monitor under security ipsec already tracks tunnel state. Remove or finish. */
inactive: services {
rpm {
probe DC_EWE_BCC_vpn {
test BCC_st0.4_address {
target address 172.22.42.70;
probe-count 5;
probe-interval 2;
test-interval 5;
thresholds {
successive-loss 5;
total-loss 5;
}
}
}
}
ip-monitoring {
policy DC_EWE_BCC_vpn_down {
match {
rpm-probe DC_EWE_BCC_vpn;
}
}
}
}
/* Custom RDP application, defined but not used by any policy in this file —
   presumably meant to narrow the DC->LAN `application any` rule. */
applications {
application RDP_TCP_DST_3389 {
protocol tcp;
destination-port 3389;
}
}